Password Crack Time Calculator
A random password's brute-force strength depends on how many characters it has and how large the character set is. This calculator works out the keyspace, the entropy in bits, and the average time an attacker needs to crack it at a chosen guess rate. Set the password length, the character-set size and the attacker's guesses per second to compare a fast unsalted hash with a properly stretched one. The estimate assumes a truly random password.
Password crack time formula
keyspace = charset^length
entropy bits = length * log2(charset)
worst-case time = keyspace / guess rate
average time = (keyspace / 2) / guess rate
Every character multiplies the number of possibilities by the character-set size, so the keyspace grows exponentially with length. Entropy is the base-2 logarithm of the keyspace. Brute force searches at the attacker's rate; on average the password falls after half the space is tried.
Worked example
A 12-character password over the full 95-character printable ASCII set at 1 trillion (10^12) guesses per second. Entropy = 12 times log2(95) = 78.84 bits. Keyspace = 95^12, about 5.40 times 10^23 combinations. Worst-case time = 5.40e23 / 1e12 = 5.40e11 seconds, roughly 17,000 years. Average time is half that, about 8,500 years.
Password crack time: frequently asked questions
How is password crack time estimated?
First compute the keyspace as (character-set size) raised to the password length. The entropy in bits is the base-2 logarithm of that. Average brute-force time is half the keyspace divided by the attacker's guesses per second, since on average the password is found after searching half the possibilities.
What character-set size should I use?
Count the symbols the password could contain: 10 for digits only, 26 for lowercase letters, 52 for mixed case, 62 for letters and digits, and about 95 for all printable ASCII including symbols. A larger set raises entropy per character.
What guess rate is realistic for an attacker?
It depends entirely on the hashing method. A fast unsalted hash like raw MD5 can be guessed at billions or trillions per second on GPUs, while a properly stretched hash (PBKDF2, bcrypt, Argon2) may allow only thousands per second. Set the rate to match the defence you are modelling.
Does entropy guarantee a strong password?
Entropy measures strength only if the password is truly random over the assumed character set. A predictable password (a dictionary word, a date, a keyboard pattern) has far less effective entropy than its length suggests, because attackers try likely candidates first.
Sources and references
- NIST Computer Security Resource Center: SP 800-63B, digital identity and password guidance.
- NIST Computer Security Resource Center: cryptographic standards and guidelines.
- Formula: standard brute-force keyspace and Shannon entropy of a uniform character set.
Reviewed by the CalculatorHub team, edited by James Graham, 19 June 2026. See our methodology.