Calculator
Formula used
This calculator models brute-force guessing over a search space of size: K = C^L, where C is the character set size and L is password length.
If patterns reduce the search space, the effective keyspace becomes: K_eff = K × (effective_keyspace_percent / 100).
Effective guessing speed is: R_eff = (R_base × devices) / hash_cost_multiplier.
The number of attempts needed for a chosen success probability p is: A = p × K_eff. The time is then T = A / R_eff.
With lockouts, extra waiting is added after each block of attempts.
How to use this calculator
- Set password length and select your character set.
- Enter a realistic attack speed and parallel devices.
- Adjust hash cost and effective keyspace for context.
- Optionally enable lockouts for online login scenarios.
- Press Calculate to view times and download reports.
Example data table
| Scenario | Length | Charset | Effective rate | Average time (50%) |
|---|---|---|---|---|
| Digits only, fast offline | 8 | 10 | 1 × 10^9 /sec | ≈ seconds to minutes |
| Alphanumeric, single GPU | 10 | 62 | 1 × 10^10 /sec | ≈ hours to days |
| Full printable set, slower hash | 14 | 94 | 1 × 10^6 /sec | ≈ many years |
Search space and entropy
The estimate starts with the keyspace K = C^L, where C is character set size and L is length. Entropy expresses that space in bits: H = L × log2(C). As an example, 12 characters from a 94‑character printable set gives about 94^12 ≈ 4.7 × 10^23 combinations and ~78.7 bits. Adding two more characters multiplies the search space by 94^2 = 8,836, so length is usually the strongest lever.
Attack speed and scaling
Time depends on effective speed R_eff = (R_base × devices) / hash_cost_multiplier. Offline hash cracking can reach millions to billions of guesses per second for fast hashes, and far less for memory‑hard ones. Online guessing is typically throttled to seconds or minutes per attempt by rate limits, MFA prompts, or IP controls. Small changes can matter greatly.
Probability-based timelines
Instead of one number, the calculator shows probability checkpoints. For a uniformly random secret within the effective space, expected attempts for probability p are A = p × K_eff, and time is T = A / R_eff. The 50% value is a practical “average midpoint,” while 10% and 90% bracket earlier and later outcomes. Worst-case assumes the final guess succeeds. Use the target probability control to model operational thresholds and reporting.
Effective keyspace and patterns
Human choices rarely cover the full theoretical space. Common words, keyboard walks, predictable suffixes, and policy rules concentrate passwords into smaller regions attackers try first. Use “Effective keyspace (%)” to approximate this shrinkage when you suspect non‑random selection. If real coverage is only 5% of the theoretical space, then K_eff = 0.05 × K, reducing time by a factor of 20. For secrets generated by a password manager, keep this near 100% to reflect uniform randomness.
Lockouts and policy impact
For online authentication, waiting time often dominates compute time. A lockout of 15 minutes after 5 failures limits sustained guessing to about 20 attempts per hour per account. Enable the lockout model to estimate added waiting at each probability level, then compare outcomes with stronger hashing, longer passwords, and MFA.
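The model from the sections above, written out as an added Python example for comparing policy options (it is not the calculator's own code). The `Scenario` class, the function names, the sample scenarios and the rule that one lockout wait follows each full block of failed attempts are assumptions made for this example.

```python
import math
from dataclasses import dataclass

@dataclass
class Scenario:
    length: int                          # L
    charset_size: int                    # C
    base_rate: float                     # R_base, guesses/second per device
    devices: int = 1
    hash_cost_multiplier: float = 1.0
    effective_keyspace_percent: float = 100.0
    lockout_after: int = 0               # failed attempts per block; 0 = no lockout
    lockout_seconds: float = 0.0         # wait added after each full block

def entropy_bits(s: Scenario) -> float:
    return s.length * math.log2(s.charset_size)          # H = L × log2(C)

def effective_keyspace(s: Scenario) -> float:
    return s.charset_size ** s.length * s.effective_keyspace_percent / 100

def effective_rate(s: Scenario) -> float:
    return s.base_rate * s.devices / s.hash_cost_multiplier

def seconds_to_probability(s: Scenario, p: float) -> float:
    """Time until a brute-force search has success probability p."""
    if not 0 < p <= 1:
        raise ValueError("p must be in (0, 1]")
    attempts = p * effective_keyspace(s)                  # A = p × K_eff
    seconds = attempts / effective_rate(s)                # T = A / R_eff
    if s.lockout_after > 0:
        # Assumption: one wait per full block of failed attempts; the
        # guess that succeeds does not trigger a further lockout.
        blocks = max(math.ceil(attempts) - 1, 0) // s.lockout_after
        seconds += blocks * s.lockout_seconds
    return seconds

if __name__ == "__main__":
    # Constructed scenarios, not measurements.
    offline = Scenario(length=12, charset_size=94, base_rate=1e9, hash_cost_multiplier=1000)
    online = Scenario(length=6, charset_size=10, base_rate=1, lockout_after=5, lockout_seconds=900)
    for name, s in (("offline", offline), ("online", online)):
        print(f"{name}: {entropy_bits(s):.1f} bits")
        for p in (0.10, 0.50, 0.90, 1.00):
            days = seconds_to_probability(s, p) / 86400
            print(f"  p={p:.0%}: {days:,.1f} days")
```

In the online scenario the lockout waits, not the guessing rate, account for almost all of the total time, which is the effect the lockout section describes.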
FAQs
1) What does “effective keyspace” represent?
It estimates how patterns reduce real password choices versus the theoretical space. If users reuse fragments or follow common rules, attackers search a smaller set first, reducing expected cracking time.
2) Why show 10%, 50%, 90%, and worst-case times?
Cracking is probabilistic for uniformly random secrets. The 50% time is an average midpoint, while 10% and 90% show early and late milestones. Worst-case assumes the final guess succeeds.
3) How do I choose an attack speed?
Match the scenario. Online login attempts are often guesses per minute or hour. Offline hash cracking can be millions to trillions per second depending on hardware and algorithm cost.
4) What does the hash cost multiplier change?
It reduces the effective guessing rate to reflect slower verification per guess. Higher cost extends crack time without changing the keyspace, which mirrors stronger, more expensive hashing configurations.
5) Does this include dictionary and rule attacks?
No. It models brute-force over an effective keyspace. If a password is common or patterned, dictionary and rule attacks can be much faster. Adjust effective keyspace to approximate that advantage.
6) Are these results exact predictions?
No. They are planning estimates driven by your inputs. Real outcomes depend on attacker knowledge, leaks, reuse, defenses, and implementation details. Use results to compare options and improve policy decisions.