Password Crack Time

How Long Would Your Password Survive?

Type a password below. See exactly how long it would take to crack — from a throttled login form, to a gaming PC, to a nation-state supercomputer. Based on real Hashcat benchmarks.

100% Offline · Never Leaves Your Browser
Enter Password
No network calls. No storage. No logging. Everything runs in your browser — verify by opening DevTools.
— AWAITING INPUT —
0 chars · 0.0 bits · 0 charset
Issues Detected
Time to Crack
Waiting for input
Start typing above and you'll see — in real time — how long seven different attackers would need to brute-force your password.
Build a Password That Doesn't Fold
Length Beats Complexity
A 20-character passphrase of random words crushes a 9-character mess of symbols. Every character you add roughly multiplies crack time.
Use a Passphrase
Four random, unrelated words (e.g. correct-horse-battery-staple) give 50+ bits of entropy and you'll actually remember it.
Use a Password Manager
Bitwarden, 1Password, or KeePass generate and store unique passwords per site. One strong master password protects everything else.
Turn On MFA Everywhere
Even a leaked password is useless if the attacker can't get the second factor. Authenticator apps beat SMS. Hardware keys beat both.
Never Reuse Passwords
When one site leaks — and they do — attackers immediately try those credentials on your email, banking, and work logins. Credential stuffing is the #1 breach vector.
Check for Prior Breaches
Visit haveibeenpwned.com to see if your email or password has already been leaked. If yes — change it everywhere.

▸ Methodology & Honesty Note

Hash rates are based on public Hashcat benchmarks for MD5 — a common "worst case" scenario where a site stores passwords using fast, unsalted hashing. A single RTX 4090 hits roughly 164 GH/s on MD5; an 8-GPU rig scales that to ~1.3 TH/s. These are real numbers, not guesses.

If the target uses proper hashing (bcrypt, Argon2, scrypt with high cost factors), crack times are orders of magnitude longer — but you don't get to choose how the services you use hash your password. Assume the worst.

Online attack tiers (10/s throttled, 1,000/s unthrottled) model credential stuffing and login-form brute-forcing against services with varying rate-limit defences.

Entropy calculation uses length × log₂(charset) with penalties for common passwords, keyboard patterns, sequential characters, repetition, and year suffixes. A match in our common-password list drops the effective entropy dramatically — real attackers always try dictionary first.

Privacy: This page has no analytics or fetch calls tied to your input. Your password is processed in JavaScript inside your browser tab and discarded when you close it. You can verify this yourself by opening DevTools → Network.

Your password is one layer. What about the rest?

Weak passwords are just one of a dozen ways attackers get in. At Greyhat4Hire we run full penetration tests against dental practices, medical clinics, law firms, and SMEs across South Africa — finding the exact gaps an attacker would exploit before they do.

Book an Assessment Free Risk Self-Assessment