About Time2Crack
The most accurate and transparent crack time estimator
Our mission
Time2Crack exists to answer a simple but crucial question: How long would it really take to crack my password?
The existing tools (zxcvbn, Hive Systems) provide general estimates. Time2Crack aims to scientific accuracy : model the 7 most realistic attacks, with measured GPU flows, calibrated on the actual leak data (rockyou, HIBP).
Our ambition: becoming the global reference calculation of crack time for passwords.
Scientific methodology
7 realistic attack models
Time2Crack evaluates your password against the 7 most effective attacks documented in academic literature:
- Gross Force — Complete listing (O (charset))
- Dictionary — Common words + HIBP leaks (~14 billion)
- Hybrid — Dictionary + mutation rules (hashcat)
- Mask — Predictive patterns (e.g. Name+digit)
- Markov — Probabilistic model (n-grams)
- PCFG — Probabilistic grammar (grammatical structures)
- Combiner — Concatenation of words (passphrases)
Calibrated GPU flows
The cracking speeds are based on the Official Hashcat benchmarks v6.2.6 with 12× RTX 4090 (industry reference 2025, cited by Hive Systems, Forbes, CNBC):
- MD5: 2.027 GH/s
- SHA-1: 610 GH/s
- SHA-256: 272 GH/s
- NTLM : 3,462 GH/s
- bcrypt (cost 5): 2.2 MH/s
- Argon2id: 800 H/s
Attacker profiles
Time2Crack Models 4 Threat Levels:
| Profile | GPU | Multiply | Example |
|---|---|---|---|
| Amateur | 1 GPU | 1× | Hobbyist with personal GPU |
| Standard | 12 GPU | 12× | Dedicated attacker (benchmark industry) |
| Pro | ~100 GPU | 100× | Commercial cloud cluster |
| State | ~10,000 GPU | 10,000× | Government infrastructure |
Validation and accuracy
Time2Crack is validated against three independent academic benchmarks:
- Wheeler 2016 (zxcvbn) — r2 = 0.921 (very strong correlation)
- Realistic passwords — ρ = 0.826 (Spearman, actual data)
- Rockyou corpus — Calibration of 40 million real passwords
All attack patterns are drawn to their academic sources : Bonneau 2012, Weir 2009, Wheeler 2016, Hashcat official benchmarks.
Absolute confidentiality
No password is ever transmitted. All analysis is done locally, in your browser.
For the detection of compromised passwords (HIBP), Time2Crack uses k-anonymity Only the first 5 characters SHA-1 are sent to the HiBP server, never the full password.
Consult our Privacy page for technical details.
Multilingual medium
Time2Crack supports 9 languages with real language dictionaries:
- English
- English
- Spanish
- Portuguese
- German
- Italian
- Polish
- Netherlands
Each language has its own corpus of 50k–200k filtered words, hence the importance of selecting the right language for accurate analysis.
How Time2Crack Differentifies
| Criteria | Time2Crack | zxcvbn | Hive Systems |
|---|---|---|---|
| Modeled attacks | 7 (Brute, Dict, Hybrid, Mask, Markov, PCFG, Combinator) | 3 (Brute, Dict, Spatial) | 5 (Brute, Dict, Hybrid, Mask, Rainbow) |
| GPU calibration | Official Hashcat (2026) | Generic estimates | 12× RTX 4090 (but static) |
| Attacking profiles | 4 levels (Amateur → State) | Not applicable | Not configurable |
| Local analysis | ✓ 100% | ✓ Yes | No (static tables) |
| Academic sources | ✓ Documented (CLAUDE.md) | Implicit | Unpublished |
| Multilingual | 9 languages | EN only | EN only |
Academic sources
Time2Crack relies on peer-reviewed academic sources. source page.
- Bonneau (2012) — The Science of Guessing (USENIX Security)
- Weir et al. (2009) — Testing Metrics for Password Creation (ASIACCS)
- Wheeler (2016) — zxcvbn: Low-Budget Password Strength Estimation (USENIX Security)
- Hashcat (2026) — Official GPU benchmarks
- NIST SP 800-63B — Digital Identity Guidelines
Roadmap & Transparency
Time2Crack is a project transparent and evolving. We document every change in our GitHub repository.
Next Planned Improvements:
- Advanced detection of passphrases (without separators)
- Integration of machine learning models (neural guessing)
- Offline support (PWA mode)
- Public API for third party integration
- Third-party security audit
Contact & Returns
Any questions, suggestions, bugs to report?
- E-mail: bvh@etik.com
- GitHub issues: codeberg.org/baudouin/crack-date/issues
- Discussions: codeberg.org/baudouin/crack-date/discussions