What is hash cracking? Hash cracking is the process of attempting to recover plaintext passwords from their hashed representations. When passwords are stored in systems, they're typically converted to hash values using cryptographic functions like MD5, SHA256, or bcrypt.
Important limitation - Targeted vs. Brute Force attacks: The calculations in this tool represent naive brute force attacks that systematically try all possible character combinations. Real-world attacks are often far more effective because they use:
- Dictionary attacks: Common passwords, leaked password databases, and wordlists
- Rule-based attacks: Variations on common patterns (password123, Password!, etc.)
- Targeted information: Names, dates, company info, social media details about the target
- Hybrid attacks: Combining wordlists with brute force on specific positions
- Social engineering: Obtaining passwords through non-technical means
These targeted approaches can crack weak passwords in seconds or minutes, even if brute force would take years. Treat this calculator's times as upper bounds that apply only to well-crafted, truly random passwords.
How this calculator works:
- Character Set Size: The number of possible characters (letters, numbers, symbols) or words from a wordlist that could appear in each position
- Password Length: The number of characters or words in the password
- Brute Force Rate: How many password attempts an attacker can make per second using specific hardware
- Entropy: A measure of password randomness - higher entropy means stronger passwords
Understanding the results: The "Average Time to Crack" assumes an attacker finds your password halfway through all possibilities (50% chance). The "Maximum Time" represents a worst-case scenario where your password is the last one tried.
Hash function parameters used in benchmarks: The performance data reflects specific parameter sets:
- bcrypt (cost 5, 32 rounds): 2^5 = 32 iterations - verified hashcat benchmark setting
- scrypt (N=16384, r=8, p=1): 16KB memory blocks, 16,384 iterations - verified standard configuration
- PBKDF2 (1000 iterations): Verified hashcat benchmark default for testing purposes
- PBKDF2 OWASP (600k/210k iter): Current OWASP recommendations - SHA256: 600,000 iterations, SHA512: 210,000 iterations. Speeds estimated from verified 1000-iteration benchmarks.
- WPA2-PBKDF2 (4096 iterations): Fixed by WiFi standard specification
- Argon2id (m=19456, t=2, p=1) [ESTIMATED]: OWASP recommended - 19MB memory, 2 passes, 1 thread. Estimates based on memory-hard algorithm research since hashcat doesn't support Argon2.
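The arithmetic described under "How this calculator works" and the iteration scaling used for the PBKDF2 OWASP estimates, as an added example (not the calculator's own code). The function names and the benchmark rate are constructed placeholders, and the scaling assumes cost grows linearly with the iteration count.

```python
import math

def keyspace(charset_size: int, length: int) -> int:
    """Candidates a naive brute force must cover (characters or wordlist words)."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)

def scale_rate(benchmark_rate: float, benchmark_iters: int, target_iters: int) -> float:
    """Estimate guesses/second at target_iters from a benchmark taken at
    benchmark_iters (assumption: work is linear in the iteration count)."""
    return benchmark_rate * benchmark_iters / target_iters

def crack_times(charset_size: int, length: int, rate: float) -> tuple[float, float]:
    """Return (average_seconds, maximum_seconds) for exhaustive search.
    Average = password found halfway through; maximum = found last."""
    maximum = keyspace(charset_size, length) / rate
    return maximum / 2, maximum

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

# Constructed placeholder, NOT a measured hashcat figure: guesses/second
# for PBKDF2-SHA256 at the 1000-iteration benchmark setting.
PBKDF2_SHA256_1000_ITER_RATE = 1_000_000.0

if __name__ == "__main__":
    # Scale the 1000-iteration rate to the OWASP SHA256 setting (600,000).
    owasp_rate = scale_rate(PBKDF2_SHA256_1000_ITER_RATE, 1000, 600_000)
    cases = (
        ("8 lowercase letters", 26, 8),
        ("12 printable ASCII", 95, 12),
        ("4 words from a 7776-word list", 7776, 4),
    )
    for label, charset, length in cases:
        avg, worst = crack_times(charset, length, owasp_rate)
        bits = entropy_bits(charset, length)
        print(f"{label}: {bits:.1f} bits, avg {humanize(avg)}, max {humanize(worst)}")
```

These figures describe exhaustive search only; a password that appears in a wordlist falls outside this model regardless of its length.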
Hardware benchmarks: The rates in this calculator combine verified hashcat performance data with conservative estimates for unsupported algorithms. Hashcat is the industry-standard password recovery tool used for both legitimate security testing and malicious attacks. Data sources include:
- Hashcat benchmarks: Community-verified performance data
- OWASP Password Storage Guidelines: Recommended Argon2id parameters
- Argon2id estimates: Conservative projections based on memory-hard algorithm research, assuming significant GPU performance degradation due to 19MB memory requirements per hash computation
- H100/H200 estimates: Based on CUDA core scaling and memory bandwidth improvements
Important notes: Real-world attacks may be slower due to system limitations, cooling, or power constraints. Professional attackers often use specialized rigs with multiple GPUs, while state-level actors may have access to even more powerful resources. Argon2id estimates are conservative projections since hashcat doesn't currently support Argon2 algorithms - actual performance may vary significantly based on implementation and hardware optimization.