Password Cracking Simulator
See how quickly weak hashes can be brute-forced in your browser. All computation runs locally—nothing is sent to any server.
Algorithm
Why hashing matters
Passwords are usually not stored directly. They are stored as hashes, and login checks compare hash-to-hash. Fast, outdated hashing combined with predictable passwords is much easier to crack.
Fast hashes like MD5 and SHA-1 allow billions of guesses per second on a single machine, so short or common passwords are cracked quickly. Memory-hard functions like bcrypt and Argon2 are designed to be slow and memory-intensive, making brute force much harder.
What is password cracking?
Cracking means trying guesses and comparing their hashes with a target hash. If the hashes match, the guess is the original password.
- 1Start with a target hash (the value you want to crack).
- 2Take a guess (for example: password123).
- 3Hash that guess with the same algorithm used to produce the target hash.
- 4Compare the result to the target hash.
- 5If they match, the password is found.
How attackers guess passwords
Dictionary attacks — Try very common passwords first. Fast and often effective.
Rule-based attacks — Modify common words in realistic ways, like Password1! or Summer2024.
Brute force — Try all combinations in a defined range (charset + max length).
Why size explodes quickly
Small changes in max length or character set massively increase total combinations and cracking time.
Each added character multiplies the search space by the charset size. With a realistic set of 89 symbols, every extra position means x89, not +89.
4 digits→10,0008 chars a-z A-Z 0-9 + symbols→6,016,120,510,000,000That jump from 10,000 to ~6 quadrillion combinations is why random 8+ character passwords are dramatically harder to brute-force than short PINs.
Search space growth by length (realistic charset: a-z, A-Z, 0-9, common symbols (89 chars))
Large values are shortened on mobile for readability.
Rough time estimates below assume an ideal offline attack where the attacker can test guesses continuously. Real-world cracking time can be slower or faster depending on hardware, algorithm implementation, and whether the password is found early. They also assume fully random passwords, which is usually not the case in real breaches. These numbers are meant to show scale, not exact predictions.
Rough crack-time estimate for this section (selected algorithm: SHA256)
Mobile CPU (rough)
<1 s
Powerful GPU cluster (rough)
<1 s
Mobile CPU (rough)
<1 s
Powerful GPU cluster (rough)
<1 s
Mobile CPU (rough)
8 s
Powerful GPU cluster (rough)
<1 s
Mobile CPU (rough)
12 min
Powerful GPU cluster (rough)
<1 s
Mobile CPU (rough)
17 h
Powerful GPU cluster (rough)
<1 s
Mobile CPU (rough)
64 d
Powerful GPU cluster (rough)
8 s
Mobile CPU (rough)
15.6 y
Powerful GPU cluster (rough)
12 min
Mobile CPU (rough)
1387 y
Powerful GPU cluster (rough)
18 h
Mobile CPU (rough)
123441 y
Powerful GPU cluster (rough)
68 d
Mobile CPU (rough)
10986287 y
Powerful GPU cluster (rough)
16.5 y
Mobile CPU (rough)
977779565 y
Powerful GPU cluster (rough)
1467 y
Mobile CPU (rough)
87022381323 y
Powerful GPU cluster (rough)
130534 y
| Length | Combinations | Mobile CPU (rough) | Powerful GPU cluster (rough) |
|---|---|---|---|
| L1 | 89 | <1 s | <1 s |
| L2 | 7,921 | <1 s | <1 s |
| L3 | 704,969 | 8 s | <1 s |
| L4 | 62,742,241 | 12 min | <1 s |
| L5 | 5,584,059,449 | 17 h | <1 s |
| L6 | 496,981,290,961 | 64 d | 8 s |
| L7 | 44,231,334,895,529 | 15.6 y | 12 min |
| L8 | 3,936,588,805,702,081 | 1387 y | Home PC18 h |
| L9 | 350,356,403,707,485,200 | 123441 y | 68 d |
| L10 | 31,181,719,929,966,182,000 | 10986287 y | Big cluster16.5 y |
| L11 | 2,775,173,073,766,990,000,000 | 977779565 y | 1467 y |
| L12 | 246,990,403,565,262,140,000,000 | 87022381323 y | 130534 y |
Heuristics: L=8 ≈ home-PC inflection; L=10 ≈ costly even for GPU clusters.
The attack lifecycle: why leaked hashes matter
Attackers usually do not guess passwords on a live login page. They target leaked databases and crack hashes offline.
The breach: A user table is leaked. Passwords are typically stored as hashes (not plain text), so attackers extract those hashes from the dump. Here is the link to our Breach Test: Launch Breach Test
The offline advantage: Once hashes are stolen, attackers do not need the website anymore. They can test guesses on their own hardware as fast as it allows, without online lockout limits.
Salt defense: A unique salt per password forces attackers to crack each account separately. This blocks one-shot wins where a single common password would otherwise unlock many users at once.
Why cracks fail: Passwords resist cracking when they are long, less predictable, and outside the attacker’s assumed charset or rules, especially when protected by slower password hashing methods. See also: Strong passwords & NIST SP 800-63B-4 (2025) You can also try our Password Hashing page—hashes are computed entirely in your browser (MD5 through Argon2id).
Using this simulator
This simulator demonstrates real cracking logic: generate guesses, hash them, and compare.
No match found?
- Password is longer than your max length.
- Password uses characters outside your selected charset.
- Hash or algorithm does not match the original.
Need to generate a hash first?
Open Password Hashing ToolAttacker's Toolkit (2026 edition)
In modern attacks, guessing is an automated, high-speed process powered by GPU clusters and model-driven pattern analysis.
1. Hashcat: the GPU beast
Hashcat Built for raw speed with massive parallel GPU workloads. Older algorithms can be tested at extreme rates on modern hardware.
Attackers also use mask attacks—for example, Upper + 6 Lower + 2 Digits—to target known password policy patterns instead of blind brute force.
2. John the Ripper: the human emulator
John the Ripper Excels at rule-based cracking and transforms base words into thousands of realistic variants that mirror how people actually modify passwords.
Hybrid modes combine dictionary logic with brute force, which is why many "complex-looking" passwords still fall quickly.
3. AI-driven cracking (PassGAN-style)
Newer approaches use neural networks trained on leaked password corpora. Instead of fixed substitution rules, models learn human password habits and generate high-probability guesses. The original PassGAN approach is described in Hitaj et al., arXiv:1709.00440.
Reality check
Cloud cracking makes large-scale attacks cheap and automated. Short passwords can be tested so quickly that "not being a high-value target" is no longer strong protection.
These tools are standard in professional security testing and also used by attackers.