Brute Force Calculator
Calculate exactly how long a brute-force attack would take to crack a password. Adjust the password length, character types, and attack speed to explore the maths behind password security.
How Brute Force Attacks Work
A brute-force attack is the most straightforward password cracking method: it systematically tries every possible combination of characters until it finds the correct one. There's no cleverness involved — just raw computing power.
The time a brute-force attack takes depends on two variables:
- The number of possible combinations — determined by password length and the character pool (lowercase, uppercase, digits, symbols)
- The attacker's speed — how many guesses they can make per second, which depends on their hardware and the hashing algorithm used
The formula is simple: Crack Time = Total Combinations / Guesses Per Second
Since the attacker doesn't know the password length or character types, they typically start with the shortest, simplest passwords and work up. On average, they'll need to try half the total combinations before finding the right one.
Attack Speeds in the Real World
The speed of a brute-force attack varies dramatically depending on the context:
Online Attacks (1,000 — 1,000,000/sec)
When attacking a live website login page, the attacker is limited by network latency and rate limiting. Most modern sites lock accounts or add CAPTCHAs after a few failed attempts, making online brute force largely impractical — unless the target has no protections.
Offline Attacks — Single GPU (1 billion/sec)
If an attacker obtains a database of password hashes (from a data breach), they can crack them offline with no rate limiting. A single modern GPU can test around 1 billion MD5 hashes per second, or around 100,000 bcrypt hashes per second.
Offline Attacks — Multi-GPU (10 billion/sec)
A dedicated cracking rig with multiple high-end GPUs can achieve 10+ billion guesses per second against weak hashing algorithms. This is the speed our password checker uses as a baseline — it represents a realistic, well-funded attacker.
Nation-State Level (1 trillion+/sec)
Government agencies and well-resourced organisations could theoretically deploy clusters of hardware capable of trillions of guesses per second. At this level, even 10-character passwords with full character diversity can be cracked relatively quickly.
Brute Force Reference Table
This table shows estimated crack times for different password lengths and character sets at 10 billion guesses per second:
| Length | Lowercase Only (26) | Mixed Case (52) | + Digits (62) | All Types (95) |
|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly |
| 6 | Instantly | ~2 sec | ~6 sec | ~1 min |
| 8 | ~21 sec | ~15 min | ~3.5 hours | ~6.5 hours |
| 10 | ~4 hours | ~28 days | ~2.5 years | ~190 years |
| 12 | ~122 days | ~206 years | ~9,600 years | ~17M years |
| 14 | ~227 years | ~556K years | ~37M years | ~15B years |
| 16 | ~153K years | ~1.5B years | ~143B years | ~140T years |
Why Brute Force Isn't the Only Threat
While brute force gives a useful baseline for measuring password strength, real-world attacks are often smarter:
- Dictionary attacks try common words and passwords first, cracking weak passwords in seconds regardless of length calculations
- Rule-based attacks apply common modifications (capitalise first letter, add numbers, substitute characters) to wordlists
- Credential stuffing uses passwords stolen from breached sites to try logging into other services
- Phishing tricks users into entering their password on fake sites — no cracking needed at all
This is why a good password needs to be both long and random — not just resistant to brute force, but also absent from any wordlist. Learn more about what makes a good password or check out our password strength tips.
Test Your Actual Password
See how your real password performs — not just a theoretical length. Our checker analyses your actual input, 100% privately.
Check Password Strength