Password Crack Time Calculator

About the Password Crack Time Calculator

How long would it take an attacker to crack your password? This calculator estimates brute-force crack time based on the password's length, character set, and the attacker's computing power. Modern GPUs can test billions of password hashes per second, making short or simple passwords vulnerable within seconds.

By adjusting the password length, character set, and attack speed (from online throttled attacks to high-end GPU clusters), you can see exactly how resistance scales. This helps you understand why security experts recommend long, random passwords and why each additional character provides exponentially more protection. The calculator models real-world attack speeds including consumer GPUs, professional cracking rigs, and cloud-based GPU clusters.

When This Page Helps

Understanding crack time puts password strength into concrete, relatable terms. Instead of abstract entropy bits, you get human-readable estimates like "3 billion years" versus "2 hours." This makes it easier to explain password policies to non-technical stakeholders and helps individuals appreciate the real difference between a 8-character and 14-character password.

How to Use the Inputs

1. Enter the password length.
2. Select which character types are included (lowercase, uppercase, digits, symbols).
3. Choose an attack speed or enter a custom guess rate.
4. Review the total combinations and estimated crack time.
5. Compare different configurations to find the minimum acceptable length.
6. Use the results to set or validate password length policies.

Example Calculation

Tips & Best Practices

• Every additional character multiplies crack time by the charset size.
• Online attacks are much slower (typically 1K–100K/s) due to rate limiting.
• Offline attacks against fast hashes (MD5, SHA-1) can exceed 100 billion guesses/s.
• Use slow hashes like bcrypt or Argon2 to make offline attacks orders of magnitude harder.
• A 14-character random password with full charset resists even nation-state attackers.
• These estimates assume purely random passwords — dictionary words crack much faster.

Understanding Brute-Force Attack Speeds

Brute-force speed depends primarily on the hash algorithm protecting the password and the attacker's hardware. Fast hashes like MD5 allow billions of guesses per second on a single GPU, while memory-hard algorithms like Argon2 limit attackers to thousands per second.

Hash Algorithm Impact

MD5: ~150 billion/s per GPU. SHA-256: ~10 billion/s. bcrypt (cost 12): ~50,000/s. Argon2id: ~1,000/s. The difference between MD5 and Argon2 is a factor of 150 million — equivalent to adding about 27 bits of entropy for free.

Real-World Attack Scenarios

Online attacks against login forms are limited to perhaps 1,000 attempts per second due to network latency and rate limiting. Offline attacks against stolen password databases are the real threat, where attackers have unlimited time and can parallelize across multiple GPUs.

Recommendations

For passwords protected by fast hashes, use at least 14 random characters from the full charset. For passwords protected by bcrypt or Argon2, 10–12 random characters provide excellent security. Always combine password strength with MFA for defense in depth.

Frequently Asked Questions

• How fast can a GPU crack passwords?

  A single modern GPU (like RTX 4090) can test approximately 150 billion MD5 hashes per second or 1.5 million bcrypt hashes per second. GPU clusters multiply this by the number of cards. The hash algorithm used is the primary factor in attack speed.

• Why does the calculator show "average" time?

  On average, an attacker finds the password after trying half of all possible combinations. The worst case is trying all combinations. We show the average (combinations / 2) as the most statistically relevant estimate.

• Does the hash algorithm affect crack time?

  Enormously. MD5 and SHA-1 are "fast" hashes that GPUs can compute billions per second. bcrypt, scrypt, and Argon2 are deliberately slow, reducing attack speed to thousands per second per GPU. Always use slow hashes for password storage.

• Are online attacks faster or slower?

  Online attacks are much slower because they're limited by network latency, server rate limiting, and account lockout policies. Typical online attack speeds range from 100 to 10,000 attempts per second. Offline attacks against stolen hash databases are millions to billions of times faster.

• Can quantum computers crack passwords faster?

  Grover's algorithm on a quantum computer would halve the effective entropy of a password (e.g., 128 bits becomes 64 bits of security). However, practical quantum computers capable of this are not yet available. Current best practice is to use 128+ bit entropy to be quantum-resistant.

• How is this different from the entropy calculator?

  The entropy calculator gives you abstract bits of randomness. This calculator converts those bits into real-world time estimates based on actual attack hardware speeds. Both are useful: entropy for policy design, crack time for risk communication.