Calculate brute-force attack time for any keyspace. Compare online, offline, and GPU attack speeds to assess password and key security.
Brute-force attacks systematically try every possible combination until finding the correct one. The time required depends on two factors: the total number of possible combinations (keyspace) and the number of attempts an attacker can make per second. Online attacks are throttled by network latency and server rate limits, while offline attacks against stolen hashes can run billions of times faster.
This calculator lets you define a custom keyspace — either by specifying charset and length or entering total combinations directly — and compare attack times across multiple speed tiers. It covers online throttled attacks, standard offline cracking, modern GPU attacks, and theoretical nation-state capabilities. Use it to evaluate the real-world security of passwords, PINs, encryption keys, and any other secrets protected by finite keyspaces.
Different attack scenarios have vastly different speeds, and the same password that withstands online attacks may fall instantly to offline GPU cracking. This calculator helps you understand the full threat spectrum so you can design security controls that match your actual risk level. It's essential for setting minimum key lengths, choosing appropriate hash algorithms, and communicating risk to stakeholders.
Combinations = Charset ^ Length
Time (seconds) = Combinations / Attempts_per_Second
Average time = Time / 2
Attack speeds: Online: ~1,000/s. Offline (fast hash): ~10B/s. GPU cluster: ~100B/s.
Result: Online: 3.5 years | Offline GPU: 10.9 seconds
An 8-character alphanumeric password has 62⁸ ≈ 218 trillion combinations. At online speeds (1,000/s), average crack time is 3.5 years. But against a stolen hash database at 10 billion/s, it falls in just 10.9 seconds on average. This demonstrates why short alphanumeric passwords are inadequate against offline attacks today.
The most critical distinction in brute-force security is whether the attacker operates online (against a live system) or offline (against stolen data). Online attacks face rate limits, CAPTCHAs, and account lockouts. Offline attacks face no such constraints and are limited only by hardware speed.
Online login: 100–1,000/s. Offline MD5: 150B/s per GPU. Offline SHA-256: 10B/s per GPU. Offline bcrypt (cost 12): 50K/s per GPU. Offline Argon2id: 1K/s per GPU. A 4-GPU rig multiplies these by four.
For online-only secrets with lockout: 4–6 digit PINs suffice. For offline fast-hash security: 14+ random mixed characters. For offline slow-hash security: 10+ random mixed characters. For encryption keys: 128+ bits of true randomness.
No single control provides complete protection. Combine strong keyspaces with slow hashing, rate limiting, account lockout, MFA, and breach monitoring for comprehensive security.
Online attacks try passwords against a live login system and are limited by network speed, rate limiting, and lockouts (typically 100–1,000 attempts/s). Offline attacks work against stolen hash databases with no external limits, running billions of attempts per second on GPUs.
A 4-digit PIN has 10⁴ = 10,000 combinations. At online speeds of 1,000/s, the average crack time is just 5 seconds. This is why PINs require lockout after 3–5 failed attempts to be secure.
Yes, dramatically. MD5 hashes can be tested at ~150 billion/s per GPU. bcrypt reduces that to ~50,000/s, and Argon2 to ~1,000/s. Choosing a slow hash algorithm effectively adds 17+ bits of entropy to every password.
Against fast hashes at 100 billion guesses/s, you need at least 2⁶⁰ combinations for one-year resistance (about a 10-character mixed-case alphanumeric password). Against slow hashes, a 2⁴⁰ keyspace (8-character mixed password) provides equivalent security.
AES-128 has a keyspace of 2¹²⁸, which is computationally infeasible to brute-force with any current or foreseeable technology. Even at 10¹⁸ keys/s, it would take 10¹⁰ years. Brute force is only relevant against small keyspaces like passwords.
Grover's algorithm provides a quadratic speedup, effectively halving the key length. AES-128 would have 64-bit quantum security, while AES-256 retains 128-bit quantum security. For passwords, this means doubling the required length to maintain the same security level.
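The formulas and per-GPU rates given earlier on this page, as an added example (not code from this page or its calculator): it computes average search time, converts a hash slowdown into equivalent bits of entropy, and inverts the formula to find the minimum length of a uniformly random secret for a target resistance time. The function names, the dictionary keys, and the 365.25-day year are assumptions of this sketch.

```python
import math

# Guess rates quoted on this page (attempts per second, per GPU for offline).
RATES = {
    "online": 1_000,
    "md5": 150e9,
    "sha256": 10e9,
    "bcrypt_cost12": 50e3,
    "argon2id": 1e3,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year


def keyspace(charset_size: int, length: int) -> int:
    """Combinations = Charset ^ Length, in exact integer arithmetic."""
    return charset_size ** length


def average_seconds(combinations: int, rate: float, gpus: int = 1) -> float:
    """Average time = (Combinations / Attempts_per_Second) / 2."""
    return combinations / (rate * gpus) / 2


def bits_gained(fast_rate: float, slow_rate: float) -> float:
    """Effective entropy added by a slower hash: log2 of the slowdown factor."""
    return math.log2(fast_rate / slow_rate)


def min_length(charset_size: int, rate: float, target_seconds: float) -> int:
    """Smallest length whose average search time is at least target_seconds."""
    needed = 2 * rate * target_seconds  # combinations required (average = half)
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    pin = keyspace(10, 4)
    print("4-digit PIN, online:", average_seconds(pin, RATES["online"]), "s average")
    for fast in ("md5", "sha256"):
        for slow in ("bcrypt_cost12", "argon2id"):
            gain = bits_gained(RATES[fast], RATES[slow])
            print(f"{fast} -> {slow}: +{gain:.1f} bits")
    for name, rate in RATES.items():
        n = min_length(62, rate, SECONDS_PER_YEAR)
        print(f"{name}: {n} random alphanumeric chars for a 1-year average")
```

These results hold only for secrets drawn uniformly at random from the charset; human-chosen passwords fall to dictionary and rule-based guessing long before the full keyspace is searched.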