Estimate how long it takes to crack a password using brute force. Compare GPU attack speeds for different password lengths and charsets.
How long would it take an attacker to crack your password? This calculator estimates brute-force crack time based on the password's length, character set, and the attacker's computing power. Modern GPUs can test billions of password hashes per second, making short or simple passwords vulnerable within seconds.
By adjusting the password length, character set, and attack speed (from online throttled attacks to high-end GPU clusters), you can see exactly how resistance scales. This helps you understand why security experts recommend long, random passwords and why each additional character provides exponentially more protection. The calculator models real-world attack speeds including consumer GPUs, professional cracking rigs, and cloud-based GPU clusters.
Understanding this metric in precise terms allows technology leaders to make evidence-based decisions about scaling, architecture, and infrastructure investment priorities for their organizations. Tracking this metric consistently enables technology teams to identify system performance trends and address potential issues before they impact end users or business operations.
Understanding crack time puts password strength into concrete, relatable terms. Instead of abstract entropy bits, you get human-readable estimates like "3 billion years" versus "2 hours." This makes it easier to explain password policies to non-technical stakeholders and helps individuals appreciate the real difference between a 8-character and 14-character password.
Combinations = Charset_Size ^ Length. Crack Time = Combinations / Guesses_per_Second / 2 (average case). Common rates: Online throttled: 1,000/s, Online unthrottled: 100K/s, Offline fast hash: 10B/s, GPU cluster: 100B/s.
Result: 1.5 hours (average)
A 10-character password using all 95 printable ASCII characters has 95¹⁰ ≈ 5.99 × 10¹⁹ combinations. At 10 billion guesses per second (modern GPU with fast hash), the average crack time is about 1.5 hours. Increasing to 12 characters pushes this to over 500 days.
Brute-force speed depends primarily on the hash algorithm protecting the password and the attacker's hardware. Fast hashes like MD5 allow billions of guesses per second on a single GPU, while memory-hard algorithms like Argon2 limit attackers to thousands per second.
MD5: ~150 billion/s per GPU. SHA-256: ~10 billion/s. bcrypt (cost 12): ~50,000/s. Argon2id: ~1,000/s. The difference between MD5 and Argon2 is a factor of 150 million — equivalent to adding about 27 bits of entropy for free.
Online attacks against login forms are limited to perhaps 1,000 attempts per second due to network latency and rate limiting. Offline attacks against stolen password databases are the real threat, where attackers have unlimited time and can parallelize across multiple GPUs.
For passwords protected by fast hashes, use at least 14 random characters from the full charset. For passwords protected by bcrypt or Argon2, 10–12 random characters provide excellent security. Always combine password strength with MFA for defense in depth.
A single modern GPU (like RTX 4090) can test approximately 150 billion MD5 hashes per second or 1.5 million bcrypt hashes per second. GPU clusters multiply this by the number of cards. The hash algorithm used is the primary factor in attack speed.
On average, an attacker finds the password after trying half of all possible combinations. The worst case is trying all combinations. We show the average (combinations / 2) as the most statistically relevant estimate.
Enormously. MD5 and SHA-1 are "fast" hashes that GPUs can compute billions per second. bcrypt, scrypt, and Argon2 are deliberately slow, reducing attack speed to thousands per second per GPU. Always use slow hashes for password storage.
Online attacks are much slower because they're limited by network latency, server rate limiting, and account lockout policies. Typical online attack speeds range from 100 to 10,000 attempts per second. Offline attacks against stolen hash databases are millions to billions of times faster.
Grover's algorithm on a quantum computer would halve the effective entropy of a password (e.g., 128 bits becomes 64 bits of security). However, practical quantum computers capable of this are not yet available. Current best practice is to use 128+ bit entropy to be quantum-resistant.
The entropy calculator gives you abstract bits of randomness. This calculator converts those bits into real-world time estimates based on actual attack hardware speeds. Both are useful: entropy for policy design, crack time for risk communication.