Password Crack Time Estimator

See how long it would realistically take to crack your password. Our estimator uses current brute-force speeds to give you a timeframe.

Password to Analyze

Attack Speed (Guesses per Second)

About Crack Time Estimation

This tool estimates how long it would take to brute-force crack a password by trying every possible combination. Actual crack times may vary based on:

Attack method (online vs offline)
Hardware used (CPU, GPU, ASIC, quantum)
Hash algorithm speed (MD5 is faster than bcrypt)
Whether the password is in a dictionary

How It Works

This tool estimates how long it would take an attacker to crack your password through brute force - trying every possible combination until they find the right one.

The calculation works in three steps:

Calculate combinations: Based on your password length and character types, it determines the total number of possible passwords. For example, an 8-character password using all character types has about 6.6 quadrillion combinations.
Apply attack speed: Different attack scenarios allow different guess rates - from 100 guesses/second for rate-limited online attacks to 100 trillion/second for specialized hardware.
Compute time: Divide total combinations by guesses per second to get estimated crack time.

The tool shows results across multiple attack scenarios because a password that's safe from online attacks might crumble in seconds against offline GPU cracking.

When You'd Actually Use This

Evaluating Existing Passwords

Check how long your current passwords would survive against different attack methods before deciding whether to change them.

Setting Password Policies

Security teams use crack time estimates to define minimum password requirements that provide meaningful protection.

Understanding Threat Models

See the dramatic difference between online attacks (rate-limited) and offline attacks (unlimited) to prioritize defenses.

Password Generator Validation

After generating a random password, verify it would take centuries to crack before using it for important accounts.

Security Awareness Training

Show employees concrete time estimates - 'your password cracks in 3 seconds' is more impactful than 'weak password'.

Incident Response Planning

After a breach, estimate how much time you have before attackers crack stolen password hashes and force resets accordingly.

What to Know Before Using

Times assume pure brute force attacks

Real attackers use dictionary attacks, rainbow tables, and pattern-based cracking first. A password like 'Summer2024!' might have decent entropy but crack instantly because it's a common pattern.

Hash algorithm matters enormously

MD5 hashes can be cracked billions of times per second. bcrypt with cost 12 might allow only hundreds. The same password has vastly different crack times depending on how it's stored.

GPU and ASIC hardware changes everything

Modern GPU clusters can try hundreds of billions of passwords per second. What took years on a CPU now takes hours. Always check the 'fast offline' scenario.

Online rate limiting is your friend

Services that limit login attempts (like 5 per minute) make online brute force impractical even for weak passwords. This is why offline attacks on stolen databases are the real threat.

Quantum computing isn't a concern yet

While quantum computers could theoretically crack passwords faster using Grover's algorithm, practical quantum password cracking is likely decades away. Don't lose sleep over it today.

Common Questions

What crack time should I aim for?

For important accounts, aim for 'centuries' at the fast offline (10B/s) speed. For less critical accounts, at least 'years' provides reasonable protection. If it shows 'days' or less, change the password immediately.

Why does adding one character make such a big difference?

Password cracking is exponential, not linear. Adding one character to a mixed-case password multiplies the combinations by 94 (all printable ASCII characters). That's why 'password1' cracks in seconds but 'password12' takes years.

Are online attacks still a threat?

For well-designed services, no - rate limiting and account lockouts make online brute force impractical. The real danger is offline attacks after data breaches, which is why unique passwords per site matter.

How do rainbow tables affect crack times?

Rainbow tables are precomputed hash databases that can crack common passwords instantly. They're effective for passwords up to about 10-12 characters. Longer, random passwords aren't vulnerable to rainbow tables.

What's the fastest password cracking hardware?

Specialized password cracking rigs with multiple high-end GPUs can exceed 100 billion guesses per second for fast hash algorithms. Nation-state actors likely have even more powerful custom hardware.

Does password age affect crack time?

No - a password's crack resistance doesn't degrade over time. However, older passwords have had more time to leak in breaches, and attack hardware keeps getting faster. Regular rotation helps for other reasons.

Can I trust these time estimates?

They're mathematically accurate for pure brute force, but real-world cracking is often faster due to smart attacks. Use these estimates as best-case scenarios - if a password shows '1 year', assume it might crack in a month with smarter techniques.

Other Free Tools

Search tools