Password Brute Force Calculator

Calculator

Total password length

Known prefix characters

Known suffix characters

Guesses per second per unit

Parallel hardware units

Success probability tested (%)

Hash delay per guess (ms)

Attempts before lockout

Lockout delay (minutes)

Power draw (watts)

Energy price per kWh

Custom characters

Include lowercase letters

Include uppercase letters

Include digits

Include symbols

Use custom characters only

Apply online lockout model

Formula Used

Character space: C = number of unique allowed characters.

Unknown length: Lu = total length - known prefix - known suffix.

Search space: N = C^Lu.

Entropy: H = Lu × log₂(C).

Required guesses: G = N × selected success probability.

Offline time: T = G / effective guesses per second.

Online time: T ≈ G × (1 / rate + lockout delay / attempts before lockout).

Energy: joules = watts × seconds. kWh = joules / 3,600,000.

How to Use This Calculator

Enter the total password length first. Add known prefix or suffix values only when part of the password is already known.

Select the character groups that match the password policy. Add custom characters when a special alphabet is used.

Enter the guess rate for one hardware unit. Then add the number of parallel units. Use hash delay when each guess is slowed by password hashing.

Enable online lockout when a login page limits attempts. Enter the allowed attempts and delay time.

Press Calculate. The result appears above the form. Use CSV or PDF buttons to export the same result.

Example Data Table

Password pattern	Length	Character set	Approximate entropy	Average guesses
Lowercase only	8	26	37.60 bits	1.04 × 10^11
Lowercase and digits	10	36	51.70 bits	1.83 × 10^15
Printable mixed characters	12	94	78.66 bits	2.38 × 10^23
Long printable passphrase	16	94	104.88 bits	1.86 × 10^31

Understanding Password Brute Force Physics

A brute force estimate is a search space problem. It also has a physical side. Every guess needs time, electrical power, and hardware. This calculator joins those ideas in one safe model. It does not break passwords. It shows how password length and character choices change risk. It also shows how slower hashing, lockouts, and parallel devices change the final time.

Why Entropy Matters

Entropy is measured in bits. More bits mean more possible passwords. A six character lowercase password has far fewer states than a sixteen character mixed password. The difference grows exponentially. One added character can multiply the search space by the size of the allowed alphabet. That is why longer passphrases often beat short complex strings. They are easier to remember and harder to search.

Physics Behind Guessing

Computers do not guess for free. Each trial uses energy. A fast offline attack may use many processors. Those processors draw power and produce heat. The model estimates joules and kilowatt hours from the selected wattage and time. This is useful for classroom physics, security planning, and audit reports. It makes the cost of computation easier to see.

Online And Offline Conditions

Offline attacks can be extremely fast when hashes are weak. Strong password hashing adds delay to every guess. Online attacks are different. A website can limit attempts. It can add lockout delays. It can require extra verification. These controls reduce the effective guessing rate. The calculator lets you compare both conditions without giving attack instructions.

Reading The Result

The result gives search space, entropy, required guesses, time, and energy. The selected success probability means the portion of the search space tested. Fifty percent is a common average case. One hundred percent is a worst case. Very large answers are shown in scientific notation. That keeps the page readable.

Good Defensive Use

Use this tool to choose safer password policies. Test passphrase length. Compare hashing delays. Show why reuse is dangerous. Export the result for notes. Treat every value as an estimate. Real systems vary. Hardware, throttling, salts, and password leaks can change outcomes. Strong unique passwords and multi factor authentication remain better protection. Document assumptions before sharing any final security conclusion today.

FAQs

What does brute force time mean?

It is the estimated time needed to test a chosen part of the possible password space. It depends on length, character set size, guessing speed, and throttling.

Is this calculator for hacking?

No. It is designed for defensive estimates, education, and authorized audits. It should help users make stronger password choices and better policies.

Why does password length matter?

Each extra unknown character multiplies the search space by the character set size. This exponential growth makes long passwords much harder to guess.

What is entropy in this tool?

Entropy is the log base two measure of possible password states. Higher entropy means more uncertainty and a larger search space.

What is guesses per second?

It is the number of password guesses one hardware unit can test each second. Offline rates are often much higher than online login rates.

How does lockout change the result?

Lockout adds waiting time after a set number of attempts. This lowers the effective rate and can make online guessing far slower.

Why include energy estimates?

Energy shows the physical cost of computation. It converts time and power draw into joules, kilowatt hours, and an optional money estimate.

Are the results exact?

No. They are estimates. Real results depend on hardware, password leaks, hashing design, salts, throttling, and user behavior.