What is the Password Crack Time Calculator?
This tool estimates how long an attacker would need to brute-force your password by trying every possible combination. It is based on the password's length, the size of the character set it draws from, and how many guesses per second the attacker can perform. The result is a rough, model-based estimate — real-world attacks often use dictionaries and patterns that crack weak passwords far faster.
How to use it
Enter the password length, tick every character type your password uses (lowercase, uppercase, digits, symbols), and set the attacker's guess rate. A modern GPU rig might do 10 billion (10,000,000,000) fast-hash guesses per second, while a slow hash like bcrypt may limit an attacker to thousands per second.
The formula explained
The total number of combinations is the character-set size C raised to the power of the length L: \(C^{L}\). Dividing by the guess rate g gives the worst-case time. Because, on average, the correct password is found after searching half the space, we divide by two:
$$t = \frac{C^{L}}{2g}$$
Entropy in bits is \(L \times \log_{2} C\) — every extra bit doubles the search effort.
Worked example
An 8-character lowercase password uses a 26-character set, so there are \(26^{8} = 208{,}827{,}064{,}576\) combinations. Against an attacker doing 1 billion guesses/second, the average crack time is
$$\frac{208{,}827{,}064{,}576}{2 \times 1{,}000{,}000{,}000} \approx 104.4 \text{ seconds}$$
Adding uppercase, digits and symbols pushes the charset to 94 and dramatically increases the time.
Character Set Sizes
The base \(C\) of the formula is the count of distinct characters an attacker must consider per position. It is the sum of the sizes of every character class your password could draw from. Common combinations:
| Character set | Symbol | Size |
|---|---|---|
| Lowercase letters (a–z) | [a-z] | 26 |
| Uppercase letters (A–Z) | [A-Z] | 26 |
| Digits (0–9) | [0-9] | 10 |
| Common ASCII symbols | [sym] | 32 |
| Lowercase + digits | [a-z0-9] | 36 |
| Lowercase + uppercase | [a-zA-Z] | 52 |
| Letters + digits (alphanumeric) | [a-zA-Z0-9] | 62 |
| All four classes | [a-zA-Z0-9 sym] | 94 |
The 32 "common symbols" reflect the printable ASCII punctuation set !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ plus the space, which together with the 62 alphanumerics give the standard 94-character printable ASCII pool.
Interpreting Your Crack Time
Crack time and password entropy measure the same thing from two angles. Entropy in bits for a random password is \(H = L\log_2 C\); each added bit doubles the number of guesses required, and therefore doubles the average crack time at a fixed guess rate. A rough reading of the bit count:
- Under 40 bits — weak. This range (e.g. an 8-character lowercase password at \(\approx 37.6\) bits) falls in seconds to days against fast offline hardware and should not protect anything sensitive.
- ~60–70 bits — moderate. Resists casual offline attacks but is within reach of well-resourced GPU clusters over time.
- 80 bits and above — strong. Considered infeasible to brute-force with current and foreseeable technology; a 12-character all-class password reaches roughly 78 bits and a 16-character one about 105 bits.
NIST's digital identity guidance (SP 800-63B) emphasizes length over forced complexity rules, recommends allowing long passphrases, and advises screening passwords against breach and dictionary lists rather than mandating mixed character classes — precisely because the brute-force time below assumes a truly random password.
Important caveat: these figures are an upper bound on how long a real attack takes. The formula assumes every character is chosen uniformly at random across the full set. Real attackers do not start from "aaaaaaaa" — they run dictionaries, leaked-password lists, keyboard patterns, names, dates and predictable substitutions first. A password like P@ssw0rd123 has a large nominal charset and length but is cracked almost instantly because it appears in wordlists. Treat the calculated time as meaningful only for passwords generated by a random process, not chosen by a human.
This is general security information, not a guarantee of safety for any specific account; pair strong unique passwords with multi-factor authentication.
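The formula and the caveat above, combined in one estimator. This is an added example, not the calculator's own code. It assumes ASCII passwords drawn from the four classes in the table; the sample passwords, the wordlist and the 10,000 guesses/second slow-hash rate are constructed for illustration.

```python
import math
import string

# Class sizes match the page's table: 26 + 26 + 10 + 32 = 94.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

# Constructed stand-in for a breach/dictionary list (assumption, not real data).
SAMPLE_WORDLIST = {"password", "qwerty123", "P@ssw0rd123"}

UNITS = [("years", 31_557_600), ("days", 86_400), ("hours", 3_600),
         ("minutes", 60), ("seconds", 1)]


def charset_size(password):
    """C: summed size of every character class present in the password."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under 1 second"


def estimate(password, guesses_per_second):
    """Apply t = C^L / (2g) and H = L * log2(C) to one password."""
    c, length = charset_size(password), len(password)
    if c == 0:
        raise ValueError("no characters from the four ASCII classes")
    avg_seconds = c ** length / (2 * guesses_per_second)
    listed = password in SAMPLE_WORDLIST
    return {
        "charset": c,
        "bits": length * math.log2(c),
        "avg_seconds": avg_seconds,
        # A wordlist hit means the random-password assumption does not hold.
        "avg_time": "not meaningful (in wordlist)" if listed else humanize(avg_seconds),
        "in_wordlist": listed,
    }


if __name__ == "__main__":
    # Constructed sample passwords. Rates: the page's 10 billion/s fast-hash
    # figure, and an assumed 10,000/s for a slow hash such as bcrypt.
    for pw in ("abcdefgh", "P@ssw0rd123", "kV7#qZ2!mR9x"):
        for rate in (10_000_000_000, 10_000):
            print(pw, rate, estimate(pw, rate))
```

Running the same password at both rates shows how much of the result depends on the hash the defender chose, not on the password itself.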
FAQ
Why divide by two? Brute force finds the password somewhere within the keyspace; on average that is halfway through, so the expected time is half the maximum.
Is this a guarantee? No. The calculator assumes a truly random password. Reused, dictionary, or pattern-based passwords are cracked far faster regardless of length.
What charset size should I pick? Tick only the character types actually present. Symbols here are assumed to be a set of 32 common punctuation characters.