Brute Force Time Estimator

Estimate how long a brute force attack would take to crack a password given its length, character set, and the attacker's guessing speed.

Fill in the fields above and click Estimate Time.

Formula

Total Combinations: C = charsetlength

Worst-case time (seconds): T = C ÷ speed

Average-case time (seconds): T = C ÷ (2 × speed)

Password Entropy (bits): H = length × log2(charset)

Large values are computed using logarithms (T = 10log10(C) − log10(speed)) to avoid floating-point overflow.

Assumptions & References

  • Brute force tries every possible combination sequentially; worst case exhausts all C combinations, average case finds the password halfway through.
  • Attack speed presets are based on real-world benchmarks: online rate-limited services (~1 k/s), fast online services (~1 M/s), single high-end GPU offline attack on bcrypt/SHA-256 (~1 B/s), and large GPU clusters (~100 B/s). Actual speeds vary by hash algorithm.
  • Character set sizes: digits (10), lowercase (26), mixed-case (52), alphanumeric (62), alphanumeric + symbols (72), all printable ASCII (95).
  • Entropy H = length × log₂(charset) measures the theoretical unpredictability in bits (NIST SP 800-63B).
  • This calculator assumes a uniformly random password. Dictionary words or predictable patterns are cracked far faster.
  • Reference: Florêncio, D. & Herley, C. (2007). A Large-Scale Study of Web Password Habits. WWW 2007.
  • Reference: NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management.

More Calculators

Browse All 1861 Free Calculators at National Calculator Authority

In the network

Network