Brute Force Time Estimator

Estimate how long a brute force attack would take to crack a password given its length, character set, and the attacker's guessing speed.

Password Length (characters)

Character Set Size

Attack Speed (guesses per second)

Attack Scenario

Fill in the fields above and click Estimate Time.

Total Combinations: C = charset^length

Worst-case time (seconds): T = C ÷ speed

Average-case time (seconds): T = C ÷ (2 × speed)

Password Entropy (bits): H = length × log₂(charset)

Large values are computed using logarithms (T = 10^{log₁₀(C) − log₁₀(speed)}) to avoid floating-point overflow.

Brute force tries every possible combination sequentially; worst case exhausts all C combinations, average case finds the password halfway through.
Attack speed presets are based on real-world benchmarks: online rate-limited services (~1 k/s), fast online services (~1 M/s), single high-end GPU offline attack on bcrypt/SHA-256 (~1 B/s), and large GPU clusters (~100 B/s). Actual speeds vary by hash algorithm.
Character set sizes: digits (10), lowercase (26), mixed-case (52), alphanumeric (62), alphanumeric + symbols (72), all printable ASCII (95).
Entropy H = length × log₂(charset) measures the theoretical unpredictability in bits (NIST SP 800-63B).
This calculator assumes a uniformly random password. Dictionary words or predictable patterns are cracked far faster.
Reference: Florêncio, D. & Herley, C. (2007). A Large-Scale Study of Web Password Habits. WWW 2007.
Reference: NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management.

In the network