Password Composition
Adjust the length and character types to see how brute‑force resistance changes. Times shown are the average time to find the password, which is the time needed to try 50% of all combinations.
Average Time to Crack — Modern GPU Rig
Attack Race — Who Cracks It First?
Bars fill faster for attackers who would crack your password sooner. Empty bars mean it's effectively uncrackable for that adversary.
Time to Crack vs. Password Length
Logarithmic scale — each gridline is 10× longer. Marker shows your current length.
Where Your Entropy Comes From
Each character contributes log₂(pool size) bits. Longer passwords beat more character types.
Real‑World Attack Vulnerabilities
Brute‑force is only one way attackers get in. Most accounts get compromised through reuse, phishing, and credential stuffing. Score your habits.
Dictionary Risk: Low
Reuse Risk: Low
2FA Shield: Maximum
Breach Exposure: Low
Security Improvement Potential
How much you could improve your security by fixing these habits.
15% potential for improvement
Real‑World Security Posture
Each axis scored 0–10. Larger shape = stronger overall posture against real attacks.
How Accounts Actually Get Breached
Based on Verizon DBIR & Microsoft data. Pure brute‑force is rare — most attackers reuse leaked credentials.
Digital Hygiene Assessment
Your security score reflects modern best practices (NIST SP 800‑63B). Note: scheduled rotation is no longer recommended — only change passwords after a breach.
Your Security Posture vs. Population Average
How each habit compares to typical users. Higher = better. Source: industry surveys.
Personalized Security Tips
Hash Algorithm & Cost Analysis
Password length isn't the whole story. The hash algorithm a website uses can change crack times by a factor of billions. This is why you should use sites that hash properly.
Average Time to Crack at This Configuration
MD5
SHA‑256 (unsalted)
bcrypt (cost 12)
Argon2id
Time to Crack — Across All Hash Algorithms
Same password, same hardware, different hashing scheme. The vertical axis is logarithmic.
The Evolution of Password Cracking
Cracking speed has grown by roughly 10⁹× since the 1990s. Tomorrow's quantum computers could shake everything up again.
Guesses per Second — 1985 to Today
Logarithmic scale. Each gridline represents a 1000× improvement.
Same Password, Different Era
How long an 8‑character mixed password lasted against the best hardware of each era.
⚛️ The Quantum Threat (and What It Doesn't Do)
Grover's algorithm running on a future cryptographically‑relevant quantum computer would halve the effective entropy a password offers against brute‑force search. A 128‑bit‑equivalent password becomes 64‑bit‑equivalent.
In practice this means: add about 50% more length to your passwords (e.g. 12 → 18 characters) to be quantum‑safe. Quantum does NOT instantly crack everything — it's a 2× exponent reduction, not a magic key.
Classical vs. Quantum: Effective Strength by Length
A quantum attacker with Grover's algorithm halves the bits of effective security. Same password, very different timelines.
Generate Strong Passwords
All passwords are generated locally in your browser using crypto.getRandomValues() — never transmitted anywhere.
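An added sketch (not this page's own generator code) of drawing characters from crypto.getRandomValues() without modulo bias, together with the log₂(pool size) per character formula and the Grover halving described above. The POOLS table, the symbol set and all function names are assumptions made for the illustration.

```javascript
// Added example; POOLS, the symbol set and all function names are assumptions.
const POOLS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?/",
};

// Default byte source: the Web Crypto CSPRNG (browser, or recent Node.js).
const webCryptoFill = (buf) => globalThis.crypto.getRandomValues(buf);

// Concatenate the selected character classes into one pool string.
function buildPool(classes) {
  return classes.map((name) => {
    const chars = POOLS[name];
    if (typeof chars !== "string") throw new RangeError(`unknown class: ${name}`);
    return chars;
  }).join("");
}

// Draw `length` characters uniformly from `pool`.
// 256 is rarely a multiple of pool.length, so a plain `byte % pool.length`
// favours the first characters. Bytes >= limit are thrown away instead.
function generatePassword(length, pool, fill = webCryptoFill) {
  if (pool.length < 2 || pool.length > 256) {
    throw new RangeError("pool size must be between 2 and 256");
  }
  const limit = 256 - (256 % pool.length);
  const buf = new Uint8Array(Math.max(16, length * 2));
  let out = "";
  while (out.length < length) {
    fill(buf); // refill until enough bytes survive the rejection test
    for (const b of buf) {
      if (b < limit && out.length < length) out += pool[b % pool.length];
    }
  }
  return out;
}

// bits = length * log2(pool size); a Grover search halves the effective bits.
function strength(length, poolSize) {
  const bits = length * Math.log2(poolSize);
  return { bits, quantumBits: bits / 2 };
}
```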
Test Your Password
Type or paste a password to analyze its strength. Stays in your browser — never sent.
Password Strength Comparison
How your tested/generated password compares to common archetypes.
Social Engineering: Low