How accurate is this crack time calculator?

Our estimates are based on brute force attacks assuming truly random passwords. Real attacks often start with dictionaries and patterns, potentially cracking weak passwords much faster. For human-created passwords, actual crack times may be significantly lower.

What crack time is considered secure?

Aim for at least centuries against GPU attacks for important accounts. For critical security like banking or cryptocurrency, target millennia or longer. Computing power doubles roughly every two years, so build in safety margin.

Does password hashing affect crack time?

Yes, significantly. Our estimates assume the attacker has direct access to test passwords. Services using proper bcrypt hashing slow attacks by 10,000x or more. However, many sites still use weak hashing, so always assume the worst case.

What is the difference between online and offline password attacks?

Online attacks target login forms and are limited by rate limiting (100-1000 attempts per hour). Offline attacks crack stolen password hashes locally with no rate limits, achieving billions of attempts per second with GPUs.

Is password length or complexity more important?

Length wins mathematically. A 20-character password using only lowercase letters (26^20 combinations) beats an 8-character password with all character types (95^8 combinations) by orders of magnitude.

Calculate Password Crack Time — Free Brute Force Time Estimator

See exactly how long it would take hackers to crack your password using brute force attacks. Compare estimates across Standard PC , Gaming GPU , GPU Cluster , and Nation-State attack scenarios. Check your password strength for a complete security analysis.

Enter Password to Analyze

Your password is analyzed locally and never sent to any server.

Time to Crack (Brute Force)

—

Enter a password to see results

Crack Time by Attack Scenario

Standard PC

100M guesses/sec

—

Gaming GPU

10B guesses/sec

—

GPU Cluster

1T guesses/sec

—

Nation State

100T guesses/sec

—

Length

Charset Size

Entropy Bits

Combinations

Generate Strong Password Calculate Entropy

How Password Cracking Works

Understanding attack methods helps you create truly secure passwords.

Brute Force Attack

Tries every possible combination systematically. Our calculator uses this method—the absolute worst case for attackers if you have a truly random password.

Dictionary Attack

Uses lists of common passwords and words. Finds "password123" in seconds but fails against random strings. Our pattern analyzer detects dictionary vulnerabilities.

Hybrid Attack

Combines dictionary words with common modifications (Password1!, p@ssw0rd). Much faster than brute force for human-created passwords. Use random passphrases to defeat this.

GPU Acceleration

Modern graphics cards can test billions of passwords per second. That's why proper password hashing with bcrypt is essential—it's deliberately GPU-resistant.

Length Trumps Complexity

Each character exponentially increases crack time. A 20-character lowercase password beats an 8-character "complex" one. Calculate entropy to see why.

Defense Strategy

Use randomly generated passwords, unique per account, stored in a password manager. Enable 2FA everywhere. Test your passwords regularly.

Real-World GPU Cracking Speeds

Actual hash rate benchmarks from popular password cracking tools like Hashcat on modern hardware.

GPU password cracking benchmarks for different hardware configurations
Hardware	MD5 Speed	SHA-256 Speed	bcrypt Speed
Intel Core i7 (CPU only)	~500 MH/s	~200 MH/s	~3 KH/s
NVIDIA RTX 3080	~58 GH/s	~7.5 GH/s	~105 KH/s
NVIDIA RTX 4090	~164 GH/s	~22 GH/s	~184 KH/s
8× RTX 4090 Cluster	~1.3 TH/s	~176 GH/s	~1.5 MH/s

How Hash Algorithms Affect Crack Time

The same password has vastly different crack times depending on how the service hashes it.

Crack time comparison for an 8-character password across different hash algorithms
Hash Algorithm	Attack Speed (RTX 4090)	8-char Password	Security Rating
Plain text (no hash)	Network limited	Instant	Never use
`MD5`	164 GH/s	~37 minutes	Broken
`SHA-256`	22 GH/s	~4.6 hours	Weak
`bcrypt` (cost 12)	184 KH/s	~6.9 years	Recommended
`Argon2id`	~50 KH/s	~25 years	Best

"You can't control how services hash your password—so always use passwords strong enough to resist even fast hash attacks like MD5."

Password Length vs Crack Time

Each additional character exponentially increases security. This chart assumes a full character set (95 characters) and 10 billion guesses/second .

Password crack time by length using full character set
Length	Combinations	Crack Time (GPU)	Security Level
6 characters	735 billion	37 seconds	❌ Instant
8 characters	6.6 quadrillion	3.8 days	⚠️ Weak
10 characters	59.8 quintillion	95 years	⚠️ Fair
12 characters	540 sextillion	856,000 years	✓ Strong
14 characters	4.87 × 10²⁷	7.7 billion years	✓ Very Strong
16 characters	4.39 × 10³¹	69 trillion years	✓ Uncrackable

✓ Recommended Minimums

General accounts: 12+ characters
Financial accounts: 14+ characters
Master passwords: 16+ characters
Cryptocurrency: 20+ characters

💡 Quick Math

The formula for calculating combinations:

combinations = charset_size ^ length

With 95 possible characters, each added character multiplies combinations by 95×. Use our entropy calculator for precise measurements.

Frequently Asked Questions

Check How Strong Your Password Is

Understanding Password Crack Times

When we talk about how long it takes to crack a password, we're measuring the time required to systematically try every possible combination until finding the correct one. This password crack time depends on two factors: the total number of possible passwords (combinations) and the speed at which an attacker can test guesses. Understanding this relationship is crucial for creating passwords that will remain secure for years to come.

The Math Behind Crack Times

Password combinations grow exponentially with length. A password using lowercase letters (26 options) with 8 characters has 26^8 = 208 billion combinations. With 12 characters, that becomes 26^12 = 95 quadrillion . Adding character types multiplies this further—using all 95 printable ASCII characters gives 95^8 = 6.6 quadrillion combinations for just 8 characters. Use our entropy calculator to see these numbers for your specific passwords.

Attack speed varies dramatically by context. A web application might limit you to a few attempts per second with lockouts. An offline attack against a leaked database with weak hashing can achieve billions of guesses per second per GPU. That's why our calculator shows multiple scenarios—your password's security depends heavily on what it's protecting and how it's stored.

Why Estimates Can Be Misleading

Our crack time calculator assumes a pure brute force attack with no shortcuts—the most favorable scenario for defenders. Real attackers don't work this way. They start with dictionaries of common passwords, then try variations and patterns. A password like "Summer2024!" might have 11 characters from a 95-character set (theoretical crack time: centuries), but it follows predictable patterns that attackers exploit with tools like Hashcat and John the Ripper.

This is why randomly generated passwords are essential. Human-created passwords contain exploitable patterns even when we try to be random. For passwords you need to remember, randomly generated passphrases provide the best combination of security and memorability.

The Role of Password Hashing

Services should never store your actual password—instead, they store a hash (one-way mathematical transformation). When you log in, they hash your input and compare. Good hashing algorithms like bcrypt are deliberately slow, limiting attackers to thousands rather than billions of guesses per second. Poor algorithms like MD5 offer no such protection.

Unfortunately, you can't know how a service stores your password. Some major breaches have revealed passwords stored in plain text. Always assume the worst case and use passwords strong enough to resist high-speed offline attacks. If our calculator shows your password could be cracked in less than centuries against GPU clusters, generate a stronger one.

Future-Proofing Your Security

Computing power roughly doubles every two years (Moore's Law). A password that takes 1000 years to crack today might take 500 years in 2027 , 250 years in 2029 , and so on. Quantum computers pose additional theoretical risks, though practical quantum password cracking remains years away. Build substantial safety margins into your password choices.

For important accounts, aim for crack times measured in millions or billions of years. This isn't paranoia—it's accounting for unknown vulnerabilities, future technology, and the possibility that your password hash might sit in a stolen database for years before being attacked. Check your current passwords and upgrade any that show crack times under "millennia" for critical accounts.