Dictionary Attack Risk Calculator

Analyze passwords with dictionary rules, rates, and penalties. See exposure under online and offline attacks. Turn weak phrases into measurable risk before deployment starts.

Calculator Inputs

Use a test password sample or enter a manual profile. Avoid submitting live production secrets.

If entered, the calculator auto-detects length, classes, and common patterns.
Used when no test sample is supplied.
Examples: 1000000, 100000000, or larger targeted dictionaries.
Captures case changes, suffixes, years, symbols, and rule expansion.
Online attacks are usually slower. Offline cracking can be much faster.
Use 0 to disable lockout modeling.
Example: 900 means 15 minutes per lockout cycle.

Pattern and exposure flags

These flags matter most when no sample is entered, but strategic exposure flags still affect any estimate.

Example Data Table

These are illustrative scenarios for comparison. Real outcomes depend on hashing cost, guess rate, service defenses, and attacker targeting quality.

| Profile | Attack Mode | Wordlist | Mangling | Effective Rate | Estimated Risk |
|---|---|---|---|---|---|
| Summer2026! | Online | 100,000,000 | 100× | 0.01/sec with lockout | Elevated |
| P@ssword123 | Offline | 500,000,000 | 500× | 1,000,000/sec | Critical |
| j9L#t2Qv!m7R | Hybrid | 100,000,000 | 100× | 250/sec | Low to Moderate |

Formula Used

This calculator combines structural password strength, dictionary-match likelihood, attack throughput, and defense controls. The result is an estimation model for dictionary-style guessing, not a cryptographic proof.

Charset Size = 26(lower) + 26(upper) + 10(digits) + 33(symbols)
Entropy Bits = Length × log2(Charset Size)
Theoretical Search Space = Charset Size^Length
Pattern Adjusted Effective Space = Theoretical Search Space × Penalty Factor
Candidate Pool = Wordlist Size × Mangling Multiplier × Targeting Factor
Effective Guess Rate = Attempts / ((Attempts / Raw Rate) + Lockout Delay)
Applied for throttled online scenarios when lockouts are enabled.
Estimated Hit Rank = Candidate Pool × Rank Fraction
Time to Estimated Hit Rank = Estimated Hit Rank / Effective Guess Rate
Risk Score blends time pressure, match probability, breach context, reuse, and MFA impact onto a 0–100 scale.
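
The entropy and throughput formulas above, carried through in Python as an added example (not the calculator's own code). The Targeting Factor and Rank Fraction defaults and the 10 attempts per lockout cycle are assumed values that the page does not state; the Penalty Factor and the Risk Score blend are left out for the same reason.

```python
import math
import string

# Character-class sizes from the page's Charset Size formula.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
)
SYMBOLS = 33  # any other character is counted as a symbol (simplifying assumption)


def charset_size(sample: str) -> int:
    """Sum the sizes of the character classes present in the sample."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in sample))
    known = "".join(chars for chars, _ in CLASSES)
    if any(c not in known for c in sample):
        size += SYMBOLS
    return size


def entropy_bits(sample: str) -> float:
    """Entropy Bits = Length x log2(Charset Size)."""
    return len(sample) * math.log2(charset_size(sample))


def effective_rate(raw_rate: float, attempts: int = 0, lockout_delay: float = 0.0) -> float:
    """Guesses/sec. attempts = guesses allowed per lockout cycle; delay 0 disables lockouts."""
    if lockout_delay <= 0 or attempts <= 0:
        return raw_rate
    return attempts / ((attempts / raw_rate) + lockout_delay)


def time_to_hit(wordlist, mangling, rate, targeting=1.0, rank_fraction=0.5):
    """Seconds to reach Estimated Hit Rank (targeting and rank_fraction are assumed)."""
    candidate_pool = wordlist * mangling * targeting
    return candidate_pool * rank_fraction / rate


if __name__ == "__main__":
    sample = "Summer2026!"  # test string from the page's example table
    print(f"charset={charset_size(sample)} entropy={entropy_bits(sample):.1f} bits")
    online = effective_rate(raw_rate=10, attempts=10, lockout_delay=900)
    offline = effective_rate(raw_rate=1_000_000)
    for label, rate in (("online+lockout", online), ("offline", offline)):
        days = time_to_hit(100_000_000, 100, rate) / 86400
        print(f"{label}: {rate:.4g}/sec, {days:,.1f} days to estimated hit rank")
```

The same candidate pool that takes years to exhaust behind a 15-minute lockout is covered in hours at offline rates, which is why the nominal entropy of a pattern like word + year + symbol says little about its dictionary exposure.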

How to Use This Calculator

  1. Enter a test password sample or leave it blank to model a manual profile.
  2. Choose the attack scenario: online, offline, or hybrid exposure.
  3. Set the base wordlist size and mangling multiplier for attacker rules.
  4. Provide the raw guess rate and add lockout controls when relevant.
  5. Mark exposure flags like reuse, personal knowledge, breach history, or MFA.
  6. Submit the form to view the score, timing estimate, match probability, and graph.
  7. Use the CSV or PDF buttons to export the result summary.
  8. Review the recommendations section to reduce dictionary-style guessing risk.

FAQs

1. What does dictionary attack risk mean?

It estimates how likely a password is to be guessed from words, common mutations, dates, symbols, and targeted rules before brute force becomes necessary.

2. Why can long passwords still score poorly?

Length helps, but predictable words, years, keyboard patterns, or reuse can place a long password inside an attacker’s dictionary candidate pool surprisingly early.

3. Why are years and trailing digits risky?

Attack tools commonly append years, seasons, and short number strings to base words. Those mutations are cheap to generate and often tested early.

4. How do lockouts change the result?

Lockouts reduce the effective guess rate during online attacks. That can stretch attack time from minutes to weeks when throttling is enforced consistently.

5. Why does MFA reduce takeover probability?

A guessed password does not guarantee account compromise if another verified factor is required. MFA lowers practical takeover risk even when password quality is mediocre.

6. Are passphrases always safe from dictionary attacks?

Not always. Common phrases, song titles, slogans, and predictable word combinations may still be tested. Randomly generated secrets remain stronger.

7. Why do reuse and breach exposure matter so much?

Attackers prioritize known leaks and similar credentials. Reuse gives them shortcuts, lowers uncertainty, and makes targeted guessing much more efficient.

8. Should I enter a real production password here?

No. Use a test string or a representative pattern only. Production secrets should stay inside approved password managers and security tooling.


Important Note: All the calculators listed on this site are for educational purposes only, and we do not guarantee the accuracy of results. Please consult other sources as well.