Password Cracking Simulator

See how quickly weak hashes can be brute-forced in your browser. All computation runs locally—nothing is sent to any server.

Algorithm

Why hashing matters

Passwords are usually not stored directly. They are stored as hashes, and login checks compare hash-to-hash. Fast, outdated hashing combined with predictable passwords is much easier to crack.

Fast hashes like MD5 and SHA-1 allow billions of guesses per second on a single machine, so short or common passwords are cracked quickly. Memory-hard functions like bcrypt and Argon2 are designed to be slow and memory-intensive, making brute force much harder.


What is password cracking?

Cracking means trying guesses and comparing their hashes with a target hash. If the hashes match, the guess is the original password.

  1. 1Start with a target hash (the value you want to crack).
  2. 2Take a guess (for example: password123).
  3. 3Hash that guess with the same algorithm used to produce the target hash.
  4. 4Compare the result to the target hash.
  5. 5If they match, the password is found.

How attackers guess passwords

Fast

Dictionary attacks — Try very common passwords first. Fast and often effective.

Common

Rule-based attacks — Modify common words in realistic ways, like Password1! or Summer2024.

Expensive

Brute force — Try all combinations in a defined range (charset + max length).


Why size explodes quickly

Small changes in max length or character set massively increase total combinations and cracking time.

Each added character multiplies the search space by the charset size. With a realistic set of 89 symbols, every extra position means x89, not +89.

4 digits10,000
8 chars a-z A-Z 0-9 + symbols6,016,120,510,000,000

That jump from 10,000 to ~6 quadrillion combinations is why random 8+ character passwords are dramatically harder to brute-force than short PINs.

Search space growth by length (realistic charset: a-z, A-Z, 0-9, common symbols (89 chars))

L=189
L=27,921
L=3704,969
L=46.27e+7
L=55.58e+9
L=64.97e+11
L=74.42e+13
L=83.94e+15
L=93.50e+17
L=103.12e+19
L=112.78e+21
L=122.47e+23

Large values are shortened on mobile for readability.

Rough time estimates below assume an ideal offline attack where the attacker can test guesses continuously. Real-world cracking time can be slower or faster depending on hardware, algorithm implementation, and whether the password is found early. They also assume fully random passwords, which is usually not the case in real breaches. These numbers are meant to show scale, not exact predictions.

Rough crack-time estimate for this section (selected algorithm: SHA256)

L189

Mobile CPU (rough)

<1 s

Powerful GPU cluster (rough)

<1 s

L27,921

Mobile CPU (rough)

<1 s

Powerful GPU cluster (rough)

<1 s

L3704,969

Mobile CPU (rough)

8 s

Powerful GPU cluster (rough)

<1 s

L46.27e+7

Mobile CPU (rough)

12 min

Powerful GPU cluster (rough)

<1 s

L55.58e+9

Mobile CPU (rough)

17 h

Powerful GPU cluster (rough)

<1 s

L64.97e+11

Mobile CPU (rough)

64 d

Powerful GPU cluster (rough)

8 s

L74.42e+13

Mobile CPU (rough)

15.6 y

Powerful GPU cluster (rough)

12 min

L83.94e+15

Mobile CPU (rough)

1387 y

Powerful GPU cluster (rough)

18 h

Home PC
L93.50e+17

Mobile CPU (rough)

123441 y

Powerful GPU cluster (rough)

68 d

L103.12e+19

Mobile CPU (rough)

10986287 y

Powerful GPU cluster (rough)

16.5 y

Big cluster
L112.78e+21

Mobile CPU (rough)

977779565 y

Powerful GPU cluster (rough)

1467 y

L122.47e+23

Mobile CPU (rough)

87022381323 y

Powerful GPU cluster (rough)

130534 y

Heuristics: L=8 ≈ home-PC inflection; L=10 ≈ costly even for GPU clusters.


The attack lifecycle: why leaked hashes matter

Attackers usually do not guess passwords on a live login page. They target leaked databases and crack hashes offline.

The breach: A user table is leaked. Passwords are typically stored as hashes (not plain text), so attackers extract those hashes from the dump. Here is the link to our Breach Test: Launch Breach Test

The offline advantage: Once hashes are stolen, attackers do not need the website anymore. They can test guesses on their own hardware as fast as it allows, without online lockout limits.

Salt defense: A unique salt per password forces attackers to crack each account separately. This blocks one-shot wins where a single common password would otherwise unlock many users at once.

Why cracks fail: Passwords resist cracking when they are long, less predictable, and outside the attacker’s assumed charset or rules, especially when protected by slower password hashing methods. See also: Strong passwords & NIST SP 800-63B-4 (2025) You can also try our Password Hashing page—hashes are computed entirely in your browser (MD5 through Argon2id).


Using this simulator

This simulator demonstrates real cracking logic: generate guesses, hash them, and compare.

No match found?

  • Password is longer than your max length.
  • Password uses characters outside your selected charset.
  • Hash or algorithm does not match the original.

Need to generate a hash first?

Open Password Hashing Tool

Attacker's Toolkit (2026 edition)

In modern attacks, guessing is an automated, high-speed process powered by GPU clusters and model-driven pattern analysis.

1. Hashcat: the GPU beast

Hashcat Built for raw speed with massive parallel GPU workloads. Older algorithms can be tested at extreme rates on modern hardware.

Attackers also use mask attacks—for example, Upper + 6 Lower + 2 Digits—to target known password policy patterns instead of blind brute force.

2. John the Ripper: the human emulator

John the Ripper Excels at rule-based cracking and transforms base words into thousands of realistic variants that mirror how people actually modify passwords.

Hybrid modes combine dictionary logic with brute force, which is why many "complex-looking" passwords still fall quickly.

3. AI-driven cracking (PassGAN-style)

Newer approaches use neural networks trained on leaked password corpora. Instead of fixed substitution rules, models learn human password habits and generate high-probability guesses. The original PassGAN approach is described in Hitaj et al., arXiv:1709.00440.

Reality check

Cloud cracking makes large-scale attacks cheap and automated. Short passwords can be tested so quickly that "not being a high-value target" is no longer strong protection.

These tools are standard in professional security testing and also used by attackers.