Hash Strength Estimator

Entropy and search space

Password strength is driven by the number of possible candidates an attacker must try. Entropy, measured in bits, represents log2 of that search space. In length mode, the estimator uses length and charset size to approximate entropy as L × log2(N). Increasing length or expanding the character set multiplies possibilities, raising entropy. A move from 60 to 80 bits increases the search space by a factor of one million.

Attacker throughput assumptions

Cracking time depends on effective guesses per second. The baseline rate models fast hashing on attacker hardware, while the multiplier represents additional resources such as multiple GPUs, ASICs or distributed rigs. Because real performance varies by implementation and tuning, security teams should benchmark systems and update assumptions as hardware improves. Conservative inputs produce safer planning targets for account lockout and detection thresholds.

Algorithm cost and work factor

Not all hashes are equal for password storage. Fast constructions can be evaluated extremely quickly, so they provide limited resistance to brute force when a database is stolen. Adaptive and memory-hard schemes introduce deliberate cost. The calculator models that cost through a work factor that slows the effective rate, incorporating bcrypt cost growth, Argon2id passes, memory size, and parallelism. Higher memory reduces GPU efficiency and raises the attacker’s energy and hardware requirements.

Salting and probability of success

Unique salts prevent attackers from reusing precomputed tables across accounts or sites, which is crucial for large-scale breaches. The estimator also lets you choose a target success probability p. Expected guesses are modeled as -ln(1-p) × 2^H, so higher probabilities represent more exhaustive attacks. A 50% target approximates median time, while 90% reflects a determined attacker willing to continue far longer to reach likely success.

Interpreting results for policy

Use the time estimate and score as planning indicators, not guarantees. If results are weak, increase entropy with longer passphrases, reduce online guessing with rate limits, and prefer modern password hashing with unique salts and tuning. For operations, test different algorithms to see how cost parameters shift risk. For governance, export CSV or PDF outputs to document inputs, settings, and expected resistance, then review them during assessments and policy updates.

FAQs

1) What does “effective guesses per second” represent?

It is the attack rate after applying algorithm cost and salting assumptions. It combines baseline throughput, added hardware, and the modeled slowdown from the selected hash settings.

2) Why is entropy more useful than just password length?

Length alone ignores the character set and predictability. Entropy captures the size of the search space, so it better reflects how many guesses an attacker must try.

3) Should I treat the time estimate as exact?

No. It is a planning estimate. Real cracking speed depends on hardware, optimized kernels, implementation choices, and whether the attacker has additional hints or partial knowledge.

4) How does salting change the risk?

Unique salts stop attackers from reusing precomputed tables across users and sites. Without salts, large-scale cracking becomes more efficient and repeated targets can be attacked faster.

5) Which settings typically improve resistance the most?

Higher entropy passwords and modern password hashing with tuned cost parameters. Increasing memory and passes for memory-hard options and raising bcrypt cost can significantly reduce attacker throughput.

6) What attacker baseline rate should I enter?

Use a rate aligned with your threat model and recent benchmarking. For internal planning, choose conservative values and reassess periodically as commodity hardware performance changes.