Login Security Calculator
Estimate how long a brute-force attack could take based on password complexity, login throttling, lockout policy, and MFA.
Tip: online login systems are often limited to 1-10 attempts per second or fewer because of rate limiting.
What Is a Login Calculator?
A login calculator is a practical tool for estimating the security of an account login process. Instead of guessing whether a password policy is “good enough,” it gives a model-based estimate of attack resistance. The calculator on this page focuses on one of the most common real-world threats: brute-force guessing.
In plain terms, it answers questions like: how many possible passwords exist, how fast can an attacker try them, and how much do lockout rules or MFA help? These estimates can guide better policy decisions for personal accounts, teams, and production applications.
How the Calculator Works
1) Password Search Space
The base estimate starts with password length and character set size. If a password has length L and uses C possible characters, the search space is:
Combinations = C^L
For lowercase + uppercase + numbers, C = 62. Add symbols and the space grows further. Length has an exponential effect, so adding even a few characters is often more impactful than adding complexity alone.
2) Guessing Speed
The next factor is attempts per second. Online systems are constrained by API limits, network latency, WAFs, and monitoring controls. An attacker who can only make a few attempts per second faces a dramatically slower attack than someone attacking an offline hash database.
3) Lockout Policy
Account lockout controls reduce the effective guessing rate. For example, if a user is locked out after five failed attempts for fifteen minutes, an attacker spends most of their time waiting rather than guessing. This can turn a fast attack into an impractical one.
4) MFA Impact
Multi-factor authentication adds a second barrier beyond the password. Even if a password is guessed, the attacker still needs a second factor (TOTP, hardware key, push approval, etc.). In risk terms, MFA often provides one of the biggest security improvements per unit of effort.
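The following Python is an added worked example, not the page's own calculator code. It models steps 1 to 3 above: the search space C^L, the raw online guessing rate, and the sustained rate once a lockout of N failures for D seconds is applied. The rating cut-offs are assumed (the page names the bands but gives no thresholds), and MFA is not quantified because the page treats it as a separate barrier rather than a number.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600

@dataclass
class LoginPolicy:
    charset_size: int             # C: size of the character set
    length: int                   # L: password length
    attempts_per_second: float    # raw online guessing rate the attacker can sustain
    lockout_threshold: int = 0    # failed attempts before lockout (0 = no lockout)
    lockout_seconds: float = 0.0  # how long the account stays locked

def search_space(policy: LoginPolicy) -> int:
    """Number of candidate passwords: C^L."""
    return policy.charset_size ** policy.length

def effective_rate(policy: LoginPolicy) -> float:
    """Guesses per second once lockout is applied.

    Each cycle the attacker gets N guesses at the raw rate r, then waits out
    the lockout D, so the sustained rate is N / (N/r + D).
    """
    n, r, d = policy.lockout_threshold, policy.attempts_per_second, policy.lockout_seconds
    if n <= 0 or d <= 0:
        return r
    return n / (n / r + d)

def expected_crack_seconds(policy: LoginPolicy) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return search_space(policy) / 2 / effective_rate(policy)

# Assumed cut-offs in days for the bands the page names; not from the page.
RATING_BANDS = [(1, "Very Weak"), (30, "Weak"), (365, "Fair"), (365 * 100, "Strong")]

def rating(policy: LoginPolicy) -> str:
    days = expected_crack_seconds(policy) / 86400
    for limit_days, label in RATING_BANDS:
        if days < limit_days:
            return label
    return "Very Strong"

if __name__ == "__main__":
    # Constructed sample policies: 6 lowercase chars at 100/s, with and without lockout
    for pol in (LoginPolicy(26, 6, 100), LoginPolicy(26, 6, 100, 5, 60), LoginPolicy(62, 12, 10, 5, 900)):
        years = expected_crack_seconds(pol) / SECONDS_PER_YEAR
        print(f"C={pol.charset_size} L={pol.length} lockout={pol.lockout_threshold}"
              f"/{pol.lockout_seconds}s -> {years:,.2f} years ({rating(pol)})")
```

Changing only the lockout on the 6-character policy moves the estimate from weeks to decades, which is the effect section 3 describes.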
How to Interpret Your Result
- Very Weak / Weak: high account takeover risk; improve length and rate limiting immediately.
- Fair: better, but still vulnerable under sustained attack campaigns.
- Strong: suitable for many consumer and internal systems when combined with monitoring.
- Very Strong: difficult to brute-force in realistic online attack conditions, especially with MFA.
Example Security Improvements
- Increase minimum password length from 8 to 12+ characters.
- Require passphrases and block commonly breached passwords.
- Enable progressive delays and lockout thresholds on failed logins.
- Roll out MFA for all privileged and high-risk accounts first.
- Alert on unusual login patterns (IP reputation, impossible travel, repeated failures).
Common Mistakes Teams Make
Relying only on complexity rules
“Must include one symbol” policies can produce predictable password patterns. Length and breached-password screening generally offer better protection.
Ignoring online rate limits
Even a strong password policy can be undermined if attackers can attempt unlimited logins. Security controls should include throttling, lockouts, and anomaly detection.
Treating MFA as optional for admins
Privileged accounts are prime targets. MFA should be mandatory for admins, finance users, and any role with access to sensitive data or critical systems.
Final Thoughts
A login calculator does not replace penetration testing or full threat modeling, but it provides a fast, data-backed way to improve authentication posture. Use it as a decision aid: test current policy, simulate changes, and choose controls that meaningfully reduce account compromise risk.