brute force attack calculator - Aaron Graves, PhDude Replica

Brute Force Attack Time Estimator

Estimate how long an exhaustive password search could take based on password length, character set, and attacker speed.

Attack profile (preset)

Password length (characters)

Character sets included

Lowercase (a-z, 26) Uppercase (A-Z, 26) Numbers (0-9, 10) Symbols (~33)

Additional custom characters

Use this if your system allows extra characters beyond the sets above.

Guesses per second (per stream)

Parallel streams / devices

What this brute force attack calculator does

This calculator estimates how long it may take to crack a password using a pure brute force approach. In a brute force attack, an attacker tries every possible combination until the correct password is found. The estimate depends on three major variables:

Password length (how many characters).
Character set size (lowercase only vs. mixed + symbols).
Guessing speed (how many attempts can be tested each second).

The core formula

1) Keyspace size

The total number of possible passwords (keyspace) is:

keyspace = charset^length

Example: if charset is 62 and length is 12, keyspace is 62¹².

2) Worst case vs. average case

Worst case: attacker tries every candidate = full keyspace.
Average case: attacker finds password halfway through ≈ keyspace / 2.

3) Time to crack

time (seconds) = guesses needed / guesses per second

This is a simplified model, but it gives a useful order-of-magnitude estimate.

Why results vary so much

A one-character increase in length can create a massive jump in difficulty because the search space grows exponentially. Likewise, adding uppercase letters, numbers, and symbols increases the character set and multiplies the total combinations.

In practical security terms: length usually gives the biggest gain, and complexity adds an additional layer of resistance.

Online vs. offline brute force

Not all attacks are equal:

Online attacks target login forms and are often rate-limited, blocked by lockout policies, CAPTCHAs, MFA, and IP reputation controls.
Offline attacks happen after password hashes are stolen. Here, attackers can test guesses much faster, especially with GPUs/ASICs.

This calculator is most useful for understanding upper-bound brute force speed in an offline context. Real-world online login protection can make attacks dramatically slower.

How to create brute-force-resistant passwords

Use long passphrases (14+ characters is a strong starting point).
Avoid common words, patterns, keyboard walks, and reused passwords.
Use a password manager to generate random unique credentials.
Enable multi-factor authentication (MFA).
For organizations: enforce strong hashing (bcrypt, scrypt, Argon2) and rate-limiting.

Important limitations of this estimator

This tool assumes random password selection and exhaustive search. In reality, attackers often use smarter methods first (dictionary attacks, leaked password lists, rules-based mutations). That means weak or predictable passwords can be cracked far faster than pure brute force estimates suggest.

Use this calculator for educational planning, policy review, and awareness—not as an absolute guarantee of safety.