Brute Force Time Calculator

About the Brute Force Time Calculator

Brute-force attacks systematically try every possible combination until finding the correct one. The time required depends on two factors: the total number of possible combinations (keyspace) and the number of attempts an attacker can make per second. Online attacks are throttled by network latency and server rate limits, while offline attacks against stolen hashes can run billions of times faster.

This calculator lets you define a custom keyspace — either by specifying charset and length or entering total combinations directly — and compare attack times across multiple speed tiers. It covers online throttled attacks, standard offline cracking, modern GPU attacks, and theoretical nation-state capabilities. Use it to evaluate the real-world security of passwords, PINs, encryption keys, and any other secrets protected by finite keyspaces.

When This Page Helps

Different attack scenarios have vastly different speeds, and the same password that withstands online attacks may fall almost immediately to offline GPU cracking. This calculator helps you understand the full threat spectrum so you can design security controls that match your actual risk level. It's essential for setting minimum key lengths, choosing appropriate hash algorithms, and communicating risk to stakeholders.

How to Use the Inputs

1. Enter the total number of combinations or specify charset size and length to compute it.
2. Set the attack speed in attempts per second for each scenario.
3. Review the estimated crack times for online, offline, and GPU attacks.
4. Compare the results to decide if your keyspace is sufficient.
5. Adjust parameters to find the minimum configuration that meets your security target.

Example Calculation

Tips & Best Practices

• Always consider the strongest threat model relevant to your data, not just online attacks.
• Use rate limiting and account lockout to constrain online attack speeds.
• Use slow hash functions (bcrypt, Argon2) to reduce offline attack throughput by 100,000×.
• Add MFA to make brute-force attacks irrelevant for authentication.
• For API keys and tokens, use at least 128 bits of randomness.
• PINs and short codes should always have attempt limits and lockout after failures.

Online vs Offline Attacks

The most critical distinction in brute-force security is whether the attacker operates online (against a live system) or offline (against stolen data). Online attacks face rate limits, CAPTCHAs, and account lockouts. Offline attacks face no such constraints and are limited only by hardware speed.

Attack Speed Reference

Online login: 100–1,000/s. Offline MD5: 150B/s per GPU. Offline SHA-256: 10B/s per GPU. Offline bcrypt (cost 12): 50K/s per GPU. Offline Argon2id: 1K/s per GPU. A 4-GPU rig multiplies these by four.

Practical Keyspace Requirements

For online-only secrets with lockout: 4–6 digit PINs suffice. For offline fast-hash security: 14+ random mixed characters. For offline slow-hash security: 10+ random mixed characters. For encryption keys: 128+ bits of true randomness.

Defense in Depth

No single control provides complete protection. Combine strong keyspaces with slow hashing, rate limiting, account lockout, MFA, and breach monitoring for comprehensive security.

Frequently Asked Questions

• What is the difference between online and offline brute force?

  Online attacks try passwords against a live login system and are limited by network speed, rate limiting, and lockouts (typically 100–1,000 attempts/s). Offline attacks work against stolen hash databases with no external limits, running billions of attempts per second on GPUs.

• How many combinations does a 4-digit PIN have?

  A 4-digit PIN has 10⁴ = 10,000 combinations. At online speeds of 1,000/s, the average crack time is just 5 seconds. This is why PINs require lockout after 3–5 failed attempts to be secure.

• Does the hash algorithm affect brute-force time?

  Yes, dramatically. MD5 hashes can be tested at ~150 billion/s per GPU. bcrypt reduces that to ~50,000/s, and Argon2 to ~1,000/s. Choosing a slow hash algorithm effectively adds 17+ bits of entropy to every password.

• What keyspace do I need to be safe against GPUs?

  Against fast hashes at 100 billion guesses/s, you need at least 2⁶⁰ combinations for one-year resistance (about a 10-character mixed-case alphanumeric password). Against slow hashes, a 2⁴⁰ keyspace (8-character mixed password) provides equivalent security.

• Can brute force crack AES encryption?

  AES-128 has a keyspace of 2¹²⁸, which is computationally infeasible to brute-force with any current or foreseeable technology. Even at 10¹⁸ keys/s, it would take 10¹⁰ years. Brute force is only relevant against small keyspaces like passwords.

• How does quantum computing change brute-force estimates?

  Grover's algorithm provides a quadratic speedup, effectively halving the key length. AES-128 would have 64-bit quantum security, while AES-256 retains 128-bit quantum security. For passwords, this means doubling the required length to maintain the same security level.