How Long Would It Take to Crack Your Password?
See real crack times across attack tiers — from a single GPU to a quantum computer.
The Math Behind Brute Force
Brute-force cracking tries every possible password combination until it finds the right one. The time this takes depends on two factors: the keyspace (total number of possible passwords) and the hash rate (guesses per second).
Keyspace = (character pool size) ^ (password length). For a 12-character password using all 95 printable ASCII characters: 95^12 ≈ 5.4 × 10^23 combinations. At 10 billion guesses per second, that's ~1.7 million years.
GPU Hashrate Benchmarks (2026)
| Algorithm | Single GPU (RTX 5090) | 10-GPU Cluster | Security Level |
|---|---|---|---|
| MD5 | 65 billion/sec | 650 billion/sec | Broken — never use for passwords |
| SHA-1 | 24 billion/sec | 240 billion/sec | Deprecated |
| SHA-256 | 12 billion/sec | 120 billion/sec | Not designed for passwords |
| bcrypt (cost 12) | 184K/sec | 1.84M/sec | Good — recommended minimum |
| Argon2id | ~1K/sec | ~10K/sec | Best — modern standard |
Why the Hash Algorithm Matters More Than You Think
The same password can be "crackable in 3 seconds" or "uncrackable for millennia" depending on how it's stored. MD5 processes 65 billion hashes per second on a single GPU. Bcrypt processes just 184 thousand — that's a 350,000x difference.
This is why security experts recommend bcrypt, scrypt, or Argon2 for password storage. If a service you use is breached and was using MD5 or SHA-1 (sadly still common), change your password immediately. You can generate a strong replacement with our Strong Password Generator.
Rainbow Tables and Salting
Rainbow tables are pre-computed lookup tables mapping hashes back to passwords. An attacker with a rainbow table for MD5 can "crack" any password in the table instantly — no brute force needed.
Salting defeats rainbow tables by appending a random value to each password before hashing. This means the same password produces different hashes for different users, making pre-computed tables useless. All modern password hashing algorithms (bcrypt, Argon2) include built-in salting.
Frequently Asked Questions
How accurate are these crack time estimates?
Our estimates are based on real-world GPU hashrate benchmarks (e.g., NVIDIA RTX 5090) and assume the attacker is doing offline brute-force against the selected hash algorithm. Actual crack times depend on the attacker's hardware, the hashing algorithm used by the service, and whether salting is applied. Our estimates represent a realistic worst-case scenario for each attack tier.
What does "Single GPU" vs "Botnet" mean?
Single GPU: One high-end graphics card (e.g., RTX 5090). This is what a casual attacker or researcher might use. GPU Cluster: 10 GPUs working together, common in professional penetration testing. Botnet: Thousands of compromised machines, representing a nation-state or organized crime level of resources.
Why does the hash algorithm matter?
Different algorithms take different amounts of time to compute. MD5 is extremely fast (~65 billion hashes/sec on one GPU), making passwords stored with MD5 vulnerable. Bcrypt is intentionally slow (~184K hashes/sec), making each guess 350,000x more expensive. This is why modern systems should use bcrypt, scrypt, or Argon2 for password storage.
What about quantum computing?
Grover's algorithm allows quantum computers to search a keyspace in √N operations instead of N. This effectively halves the entropy bits: a 128-bit password becomes ~64-bit against quantum attacks. Our quantum estimate is speculative and assumes a future quantum computer running at 1 billion operations per second — which doesn't exist yet, but may within 10–20 years.
Is my password safe if the crack time shows "millions of years"?
Against brute force, yes. But crack time doesn't protect against phishing, credential stuffing (reused passwords), or social engineering. Always use unique passwords, enable 2FA, and check for leaks with our Leak Checker.
Why is my short password showing "instantly" for all attack types?
Short passwords (under 8 characters) have such a small keyspace that even the slowest algorithms can be cracked in seconds. A 6-character all-lowercase password has only ~28 bits of entropy — about 268 million possibilities, which a single GPU processes in under a second against MD5.