How long does it take to crack a password?

It depends on password length, character set, and hashing algorithm. An 8-character lowercase password is cracked instantly with MD5, but takes centuries with Argon2id. Time2Crack calculates exact crack times against 14 attack types and 6 hashing algorithms using real Hashcat benchmarks on 12× RTX 4090 GPUs.

Is my password safe to test here?

Yes. Time2Crack runs 100% locally in your browser — nothing is ever sent to any server. You can verify this yourself: switch to airplane mode and the analysis still works. The only exception is Have I Been Pwned: only 5 anonymised characters of your password hash are sent, making it impossible to reconstruct your password.

How secure is my password?

A secure password in 2026 should be at least 12-16 characters, mix uppercase, lowercase, numbers and symbols, avoid dictionary words and keyboard patterns (qwerty, 123456), and not appear in data breaches. Time2Crack tests all these vulnerabilities simultaneously and shows you exactly how each attack type would perform against your password.

What is the difference between MD5, bcrypt and Argon2id for password security?

Hashing speed differs by a factor of 2.5 billion. With 12 RTX 4090 GPUs: MD5 = 2,000 billion hashes/second, bcrypt = 2.2 million hashes/second, Argon2id = 800 hashes/second. The same 8-character password cracked in 1 second with MD5 would take 80 years with Argon2id. Always use bcrypt or Argon2id for password storage.

What is a brute force attack on passwords?

A brute force attack systematically tests every possible character combination (aaa, aab, aac...). It is guaranteed to crack any password eventually, but becomes impractical for long passwords: a 12-character random password with mixed characters would take millions of years to crack by brute force with current hardware.

What is a dictionary attack and how can I protect against it?

A dictionary attack tests millions of known passwords and common words. Time2Crack checks against 14+ billion compromised credentials via Have I Been Pwned and language-specific wordlists. Protection: never use real words as passwords. Use a random password generator or a passphrase of 4+ truly random words.

What makes a password impossible to crack?

A password becomes practically impossible to crack when it combines: (1) length of 16+ characters, (2) true randomness (no words, no patterns), (3) full character set (upper, lower, digits, symbols), (4) a modern slow hash (bcrypt, Argon2id) on the server side. A 20-character random password would take longer than the age of the universe to brute force.

Does Time2Crack work offline?

Yes. Time2Crack works in airplane mode. All password analysis runs entirely in your browser with no internet connection required. The only feature requiring network access is the Have I Been Pwned breach check, which is optional.

Time2Crack — How Long to Crack Your Password? Free Strength Checker

What if a hacker went after your password? Type it to see how long it would hold up.

Enter a password to test

Switch to airplane mode. Type anyway.

It works. Nothing leaves.

The analysis runs entirely in your browser.

How to verify

Open F12 → Network tab (desktop)
Type any password
No request to time2crack.eu appears

One exception: HaveIBeenPwned receives 5 anonymised characters of your password hash — never the password itself.

Publicly auditable on Codeberg →

Generate a password

Type

Length 20

Characters

A-Z a-z 0-9 !@#

Live preview

Choose a type and adjust options

— —

12× RTX 4090 GPUs

~100 GPUs

—

Heatmap

Analyse

Entropy

Length + Variety + Unpredictability

—

Structure

L'arrangement des caractères est-il reconnaissable ?

—

Votre mot de passe a-t-il déjà été piraté ?

Leaked

Have I Been Pwned

—

RockYou

Click to check · 17 MB download

—

Crack time by attack type and hashing algorithm

Mobile/tablet: choose attack context, then scroll the attack list.

Descriptions des types d'attaque

Brute Force

Teste tous les caractères possibles séquentiellement (aaa, aab, aac...). Extrêmement lent pour les longs mots de passe mais ne dépend d'aucune connaissance préalable. Vitesse : O(charset^length).

Dictionary Attack

Teste des mots courants et des variantes contre une base de ~14 milliards de mots de passe leakés (HIBP). Très efficace si le mot de passe contient des mots du dictionnaire. Vitesse : O(wordlist_size).

Hybrid Attack

Combine dictionnaire + mutations basées sur des règles (capitalization, number substitution, special characters). Ex: "password" → "P@ssw0rd!", "PASSWORD123", etc. Très efficace pour les mots avec modifications prévisibles.

Rule-based Advanced

Applies large mutation rule sets (best64/jumbo-style) to dictionary candidates. Captures realistic human edits better than simple hybrid rules.

PRINCE Chaining

Chains frequent fragments into many probable combinations (PRINCE). Very effective for passphrase-like or multi-token passwords.

Mask Attack

Cible les structures prévisibles (Uppercase + lowercase + digits + symbols dans des positions connues). Ex: "Name123!" ou "CapsWord+digits". Exploite les patterns humains courants.

Rainbow Table

Lookup instantané sur des tables pré-calculées de hashes (MD5, SHA-1, NTLM). Très rapide mais nécessite : (1) hashes non-salés, (2) tables déjà construites (~150 GB). Ineffectif contre bcrypt/Argon2id (salés et lents).

Password Spraying

Teste les mots de passe les plus courants (top 1000) contre BEAUCOUP de comptes/emails. Ex: tester "123456", "password", "qwerty" sur 1 million d'emails. Très efficace pour les mots faibles à grande échelle.

Targeted OSINT

Builds guesses from personal context (names, dates, org terms, handles). Highly effective when attacker knows the target.

Markov Attack

Utilise des chaînes de Markov pour prédire les séquences de caractères probables selon les patterns observés dans les mots de passe leakés. Privilégie les combinaisons statistiquement courantes. Efficace contre les structures "humaines".

Neural Guessing

Prioritizes guesses using learned distributions from leaked passwords (PassGAN/transformer style), often outperforming manual rule order.

PCFG (Probabilistic Context-Free Grammar)

Exploite les structures grammaticales des mots de passe (Word+digits+symbol, Uppercase+lowercase, etc.). Teste d'abord les structures les plus probables. Peut craquer "excellent" (72 bits) en ~1 sec même si brute force prend 2^72 ans. Très puissant contre structures prévisibles.

Combinator Attack

Concatène 2 mots du dictionnaire (passphrases). Ex: "correcthorsebatterystaple" = "correct" + "horse" + "battery" + "staple". Efficace contre les paraphrases qui semblent fortes mais combinent peu de mots.

Morphological Variants

Explores linguistic variants: accents, inflections, transliterations, and near-language substitutions around dictionary roots.

Methodology and sources

Wheeler, D. (2016). "zxcvbn: Low-Budget Password Strength Estimation"USENIX Security '16 — peer-reviewed.
usenix.org
Hive Systems — Password Table 2025Hashcat benchmarks 12× RTX 4090, bcrypt.
hivesystems.com
Kaspersky (2024). 193M passwords study45% cracked in < 1 min.
securelist.com
Saputra et al. (2025). "Password Strength Study Using Zxcvbn…"Pilar Nusa Mandiri, Vol. 21 No. 1.
ResearchGate
Hashcat Benchmarks RTX 4090 (Chick3nman)
GitHub Gist
Hashcat Wiki — Rule-based AttackComprehensive rule engine reference (best64-compatible functions and optimization constraints).
hashcat.net
Steube, J. — PRINCE ProcessorOfficial implementation and algorithm notes for PRINCE chained candidate generation.
GitHub
Hitaj et al. (2019). "PassGAN: A Deep Learning Approach for Password Guessing"Neural password guessing outperforming manual rule systems on leaked datasets.
arXiv.org
CUPP (Common User Passwords Profiler)Widely used OSINT-driven targeted password candidate generator.
GitHub
PACK (Password Analysis and Cracking Kit)Statistical tooling for rule generation and morphological/transformational password candidate analysis.
GitHub
Have I Been Pwned (Troy Hunt)14B+ compromised credentials.
haveibeenpwned.com
Gosney, J. (2016). "8× GTX 1080 Hashcat Benchmarks"Sagitta Brutalis system — 334 GH/s NTLM, first to break 330 GH/s.
GitHub Gist
Pasquini et al. (2021). "Reducing Bias in Modeling Real-world Password Strength"USENIX Security '21 — Deep learning analysis of advanced attacker capabilities.
arXiv.org
Amazon Web Services (2024). "EC2 P4d Instances"Cloud GPU clusters — Thousands of A100 GPUs for professional-scale attacks.
aws.amazon.com
Sprengers, M. (2011). "GPU-Based Password Cracking"Master's thesis, Radboud University — Academic baseline for GPU performance.
Radboud University
Hatzivasilis & Papaefstathiou (2015). "Password Hashing Competition"Multi-GPU cracking efficiency analysis.
IACR ePrint
Weir et al. (2009). "Password Cracking Using Probabilistic Context-Free Grammars"IEEE S&P — PCFG model, grammar structure derivation, Table II: 28.4% crack rate at 10^9 guesses.
IEEE Xplore
Ma et al. (2014). "A Study of Probabilistic Password Models"IEEE S&P — Measured hybrid attack keyspace: top-1000 passwords cracked within ~450 guesses (best64 rules).
IEEE Xplore
Dürmuth et al. (2015). "OMEN: Ordered Markov ENumerator"ESORICS — Measured Markov order-5 reduction: 94^8 keyspace → ~6.8×10^9 candidates on RockYou 14M (factor 0.006).
Springer
Bonneau et al. (2012). "The Science of Guessing"IEEE S&P — OSINT-driven attacks generate 10^3–10^5 usable candidates; credential stuffing hit rate 2–5%.
IEEE Xplore
Veras et al. (2012). "Visualizing Keyboard Pattern Passwords"VIZSEC — Keyboard walks in RockYou: forward 1.28%, reverse 0.18%, diagonal 0.31% of corpus.
ACM DL
Gosney, J. (2012). "Exploiting Password Reuse on the Internet"Passwordscon — best64 rule set: 64 rules × 3.5M wordlist = 224M guesses, covers majority of rule-based cracking.
Passwordscon 2012

Time2Crack

Password analysis

Password Strength Explained

Crack time results

—

—