Brute-Force Time Estimator
How long a password survives exhaustive guessing — from a throttled login to a GPU cluster.
How it works
The number of possible passwords — the keyspace — is the character pool raised to the length. An exhaustive attacker works through that space; on average they hit the right one after trying half of it. So the estimated time is half the keyspace divided by how many guesses per second the attacker can make. The table spans realistic rates: a throttled login manages about a hundred guesses a second, while an offline attacker with GPUs on a fast hash such as MD5 or SHA-1 reaches ten billion or more, and a cluster far beyond that. The gap between those rows is the whole argument for slow password hashes and for length. Remember the figure is an upper bound — it assumes the password is random, so a real one is found sooner.
FAQ
How is brute-force time estimated?
The keyspace is pool^length. On average an attacker finds the password after trying half
of it, so time = half the keyspace ÷ the guess rate. We show that time across several rates, from a
throttled login at 100 guesses/second to a GPU cluster at 10¹⁴.
Why do the fast rates matter if my login is rate-limited?
Online rate limits only protect you while the attacker guesses against your live login. If a password database leaks, they crack the stolen hashes offline at millions to billions of guesses per second — which is why a password that's fine online can still be recovered from a breach. A slow hash (bcrypt/argon2) is what keeps that row survivable.
Is a real password as safe as this says?
No — treat the result as a best case. It assumes brute force over a truly random password. Real attackers run dictionaries, breach lists, and pattern rules first, so a human-chosen password falls far faster than exhaustive search would suggest. Test a specific one in the strength checker.
From the channel
This Mac Malware Waits for the Right Password
Watch on The Exploit HQ — cyber threat intel in 60 seconds ▸
weekly kev brief
Patch what's actually being exploited.
One email a week: the vulnerabilities under active attack, prioritized — no noise.
Free. No spam. Unsubscribe anytime. Delivered by Beehiiv.