Brute Force Attack Time Calculator
Estimate how long it would take to crack a password using a brute force attack, based on password length, character set size, and the attacker's guessing speed.
Fill in the fields above and click Calculate.
Formula
Total Combinations: C = NL
Worst-Case Time: Tworst = C / S
Average Time: Tavg = C / (2 × S)
Password Entropy: E = L × log2(N) (bits)
Where:
- N = character set size (number of possible characters)
- L = password length (number of characters)
- S = attack speed (guesses per second)
- C = total possible combinations
The worst-case time assumes the attacker must try every possible combination. On average, the correct password is found halfway through the search space, hence the division by 2.
Assumptions & References
- Assumes a purely random password drawn uniformly from the character set — dictionary words or patterns are cracked far faster.
- Attack speeds are approximate: online attacks are throttled by network latency and lockout policies; offline attacks against weak hashing algorithms (MD5, SHA-1) can exceed 100 billion/sec on modern GPU clusters.
- Full Printable ASCII (95 characters) covers characters with ASCII codes 32–126.
- Password entropy formula: NIST SP 800-63B — Digital Identity Guidelines.
- GPU cracking benchmarks: Hashcat benchmark results on RTX 4090 (~164 GH/s for MD5).
- A minimum of 128 bits of entropy is recommended for long-term cryptographic security (NIST SP 800-57).
- This calculator models brute force only. Real-world attacks often use dictionaries, rule-based mutations, or rainbow tables, which are significantly faster.