Brute Force Time Calculator

Reviewed by the CalculatorHub team, edited by James Graham. Formula: combinations / guesses per second. Last verified 15 June 2026.

Brute-force time is the theoretical time required to try every possible combination of characters in a credential until the correct one is found. The total search space is charset size raised to the power of the credential length. On average, the correct guess falls halfway through the search, so expected crack time equals total combinations divided by twice the guessing rate. This tool lets you enter the charset size, credential length, and attacker guessing rate to estimate crack time in a human-readable format, from seconds to billions of years.

Charset size (symbols) 26=lowercase, 62=mixed+digits, 94=all printable ASCII

Credential length (characters)

Guesses per second 1e9 = 1 billion (offline MD5); 1e4 = 10,000 (bcrypt)

Total combinations

0.00

Expected crack time

0.00

Brute-force time formula

Combinations = charset^length
Expected time (s) = combinations / (2 × guesses/sec)

The factor of 2 reflects the average-case assumption: on average the attacker finds the correct credential halfway through an exhaustive search. Worst-case time is the full combinations / guesses per second.

Typical guessing rates by scenario

Online attack against rate-limited web form: 10 to 1,000 guesses/second.
Offline attack against bcrypt (cost 12): approximately 3,000 to 20,000 hashes/second per GPU.
Offline attack against SHA-256 (unsalted): hundreds of millions per second per GPU.
Offline attack against MD5 (unsalted): 10 to 100 billion hashes/second per GPU.
Dedicated ASIC hardware can exceed one trillion operations per second for weak hash functions.

Brute force time calculator: frequently asked questions

How is brute-force crack time calculated?

Time equals the total number of possible combinations divided by the attacker's guessing rate (guesses per second). On average, the correct guess is found halfway through the search space, so expected time is combinations / (2 x guesses per second).

How many guesses per second can a modern GPU achieve?

A high-end GPU cracking bcrypt (cost 10) achieves roughly 20,000 hashes per second. Against unsalted MD5, the same hardware can exceed 10 billion hashes per second. The algorithm and hardware together determine the guessing rate.

What charset size should I use for a typical password?

Lowercase letters only: 26. Lowercase plus digits: 36. Mixed case plus digits: 62. Mixed case, digits, and 32 special characters: 94. Using all printable ASCII characters gives 95 possible symbols per position.

Does this calculator assume the attacker is online or offline?

This calculator uses whatever guesses-per-second rate you enter. For online attacks against rate-limited services, assume 10 to 1,000 guesses per second. For offline attacks against hashed credentials, assume millions to billions per second depending on the hash function.

Why does adding one character to a password have such a large effect?

Each additional character multiplies the search space by the charset size. Adding one character to a 94-charset password multiplies the search space by 94, increasing crack time by a factor of 94. This exponential growth is why length matters more than complexity.

Official sources

NIST SP 800-63B Digital Identity Guidelines (Section 5, memorized secrets): pages.nist.gov/800-63-3/sp800-63b.html.
NIST SP 800-132 Recommendation for Password-Based Key Derivation: csrc.nist.gov.

Reviewed by the CalculatorHub team, edited by James Graham, 15 June 2026. See our methodology.