GRC Brute Force Password Calculator

Test password strength with practical attack scenarios. Adjust character pools, speed, limits, and devices quickly. Export clear evidence for safer credential planning and reviews.

Calculator

Duplicate characters are counted once.
Use higher values for slower hashing.

Example Data Table

Scenario Length Character Pool Guess Rate Use Case
Short mixed password 8 62 1,000,000,000/s Basic policy comparison
Long mixed password 14 90 1,000,000,000/s Offline hash planning
Online protected account 12 62 Rate limited Lockout review

Formula Used

Character pool: P equals all unique selected characters.

Unknown length: U = total length - known prefix - known suffix.

Search space: N = PU.

Entropy: H = log2(N), or U × log2(P).

Offline rate: R = device speed × devices × efficiency ÷ hash multiplier.

Online rate: R = 1 ÷ (delay seconds + lockout wait ÷ lockout attempts).

Average time: T = (N ÷ 2) ÷ effective rate.

Worst case time: T = N ÷ effective rate.

How To Use This Calculator

  1. Enter the total password length.
  2. Select all possible character groups.
  3. Add custom characters when a policy allows them.
  4. Enter known prefix or suffix text when needed.
  5. Choose offline or online attack modeling.
  6. Set speed, worker count, efficiency, and hash cost.
  7. Use online delay and lockout fields for login systems.
  8. Press Calculate to view the result above the form.
  9. Use CSV or PDF buttons to save the report.

Why This Calculator Matters

A brute force estimate shows how long a password may resist guessing. It treats every guess as a trial. The method is simple, but the result is useful. It links character variety, length, and attack speed. In physics, rate and time often define a process. Password testing uses the same idea. More possible states mean more work.

Security Physics Behind Guessing

A password space is like a large energy landscape. An attacker must search many possible states. Each extra character can multiply that space. A wider alphabet also increases the possible states. The calculator converts those choices into combinations, entropy, and estimated time. It also supports known prefix and suffix text. That helps model leaked patterns or fixed company formats.

What The Results Mean

The total search space is the number of possible passwords. Entropy shows strength in bits. Average crack time assumes the correct password appears halfway through the search. Worst case assumes it appears at the end. Online attack time can be much longer when lockouts or delays apply. Offline attacks can be faster, especially with strong hardware. Use realistic speeds for better planning.

Practical Password Planning

Strong passwords are usually long and unique. Random passphrases can be easier to remember. They can still create a large search space. Avoid reused passwords. Avoid predictable substitutions. Attackers try common patterns first. They do not always search randomly. So a strong estimate does not replace good policy. Use managers, multifactor checks, and breach monitoring.

Audit Use Cases

Teams can use the tool during awareness training. It can compare old rules with modern rules. It can show why short complex passwords may fail. It can also show why longer phrases help. Exported reports support reviews and documentation. CSV files help spreadsheet work. PDF reports help summaries and audits.

Limits Of Estimation

This calculator gives an educational estimate. Real attackers use dictionaries, masks, leaks, and rules. Hash design also matters. Slow password hashing changes the speed sharply. Salts stop direct reuse of many precomputed tables. The best result comes from careful inputs and conservative assumptions. Treat results as planning guidance, not a guarantee. Review every estimate with current threat models. Check real system controls before final decisions always.

FAQs

What is a brute force password estimate?

It is a calculation of possible guesses and time. It assumes every possible password may be tested until the correct one appears.

Is this calculator used for hacking?

No. It is designed for defensive planning, training, and policy review. Do not test systems without clear permission.

Why does length matter so much?

Each extra unknown character multiplies the search space. Longer passwords usually create much larger guessing problems.

What is entropy in this tool?

Entropy is the strength estimate in bits. Higher entropy means more possible states and a harder brute force search.

What is the hash cost multiplier?

It reduces effective guessing speed. Use it when slow password hashing makes each guess more expensive.

When should I use online mode?

Use online mode for login pages with delays, throttling, lockouts, or account protections. It usually lowers guess speed sharply.

Why add known prefix or suffix text?

Some passwords follow known patterns. Fixed text lowers the unknown part, so the estimated search space becomes smaller.

Are the results exact?

No. Real attacks use dictionaries, leaks, and rules. Treat results as a planning estimate, not a guarantee.

Related Calculators

Paver Sand Bedding Calculator (depth-based)Paver Edge Restraint Length & Cost CalculatorPaver Sealer Quantity & Cost CalculatorExcavation Hauling Loads Calculator (truck loads)Soil Disposal Fee CalculatorSite Leveling Cost CalculatorCompaction Passes Time & Cost CalculatorPlate Compactor Rental Cost CalculatorGravel Volume Calculator (yards/tons)Gravel Weight Calculator (by material type)

Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.