Is my password sent to a server?

No. All computation happens entirely in your browser. Your password never leaves your device.

What does "keyspace" mean?

Keyspace is the total number of possible password combinations given the character set size and length. For example, a 6-character lowercase-only password has 26^6 = 308,915,776 possibilities.

Why are bcrypt times so much longer?

bcrypt is a deliberately slow hashing algorithm designed to resist brute-force attacks. Modern GPUs can test billions of MD5 hashes per second but only thousands of bcrypt hashes per second, making cracking exponentially harder.

Does this account for dictionary attacks?

No. This tool models pure brute-force exhaustive search. Dictionary and rule-based attacks can crack common passwords far faster regardless of length.

What hash rate should I choose?

For online accounts (with rate limiting), use Online (10/s). For offline attacks against stolen hashes, choose the algorithm your service uses — MD5/SHA-1 are fastest for attackers; bcrypt/Argon2 are slowest.

How accurate is this estimate?

The estimate assumes an average-case brute-force attack (half the keyspace on average). Actual times vary with hardware, parallelism, and whether the attacker uses optimized wordlists or rules.

Password Crack Time Estimator

Name: Password Crack Time Estimator
Availability: InStock
Author: Nham Vu

Enter a password or configure its properties to see how long it would take an attacker to crack it by brute force.

Password Input

Enter Password

Detected Character Set

Lowercase (26) Uppercase (26) Digits (10) Symbols (32)

Length

Charset Size

Attacker Speed Profile

Enter a password or configure settings, then click Estimate.

Estimated Crack Time

—

(average-case: half the keyspace)

Password Length

—

characters

Charset Size

—

unique symbols

Entropy

—

bits

Keyspace

—

combinations

Crack Time vs. Attacker Profiles

Profile	Hashes/s	Est. Time

Copied!

Summary

Enter a password or configure its properties to see how long it would take an attacker to crack it by brute force.

How it works

Enter a password directly, or manually set the character set and length.
The tool detects which character types are used (lowercase, uppercase, digits, symbols).
It calculates the total keyspace: character set size raised to the power of the password length.
Select an attacker speed profile (online attack, offline MD5, bcrypt, etc.).
The tool divides the keyspace by the hash rate to produce an estimated crack time.
Results are displayed in a human-friendly format alongside a strength rating.

Use cases

Check whether your current passwords are strong enough against modern hardware.
Understand the impact of adding one more character to a password.
Compare the security difference between short complex vs. long simple passwords.
Learn how much slower bcrypt/Argon2 makes offline attacks compared to MD5.
Educate users or students about password security and entropy.
Audit password policies for minimum strength requirements.
Evaluate the effect of using symbols and mixed case on crack time.
Demonstrate why passphrases outperform complex short passwords.

Frequently Asked Questions

Last updated: 2026-06-11 · Reviewed by Nham Vu