Time to crack:
—
—
Slowest crack
—
—
—
Crack time by attack type and hashing algorithm
| Attack type | Algorithm | Speed (12 GPU) | Estimated time |
|---|
Advanced details
This password does not appear in any known breach from Have I
Been Pwned.
Could not verify against Have I Been Pwned (network
issue).
—
Characters
—
Charset size
—
Entropy bits
—
Combinations
—
Status
Methodology and sources
10 attack types modeled
- Brute force — exhaustive search of all combinations. Source
- Dictionary — testing ~14 billion known leaked credentials. Source
- Hybrid — dictionary + hashcat mutation rules (~1,000 variants/word). Source
- Mask — targets predictable human structures. Source
- Rainbow table — instant lookup on unsalted hashes. Source
- Credential stuffing — reuse of leaked credential pairs. Source
- Password spraying — common passwords across many accounts. Source
- Markov/probabilistic — prioritizes statistically likely sequences. Source
- PCFG — models grammatical password structure. Source
- Combinator — concatenates words from two dictionaries. Source
6 hashing algorithms compared
Hashcat speeds on 12× NVIDIA RTX 4090: MD5 ~2,000 GH/s, SHA-1 ~610 GH/s, SHA-256 ~272 GH/s, NTLM ~2,000 GH/s, bcrypt (cost 5) ~71 kH/s, Argon2id ~800 H/s.
Limitations
A state-level or cloud attacker could be 10–1,000× faster. Phishing, keyloggers, SIM swapping, and social engineering bypass password strength entirely.
-
Wheeler, D. (2016). "zxcvbn: Low-Budget Password Strength
Estimation"USENIX Security '16 — peer-reviewed.
usenix.org -
Hive Systems — Password Table 2025Hashcat
benchmarks 12× RTX 4090, bcrypt.
hivesystems.com -
Kaspersky (2024). 193M passwords study45% cracked
in < 1 min.
securelist.com -
Saputra et al. (2025). "Password Strength Study Using
Zxcvbn…"Pilar Nusa Mandiri, Vol. 21 No. 1.
ResearchGate -
Hashcat Benchmarks RTX 4090 (Chick3nman)
GitHub Gist -
Have I Been Pwned (Troy Hunt)14B+ compromised
credentials.
haveibeenpwned.com