Frequently Asked Questions
Understanding how it works
- How do I measure the strength of my password?
- Time2Crack is a free password strength estimator that measures how well your password holds up against real computer attacks. Here's how:
Three-step evaluation process
  - Enter your password in the Time2Crack field. (Your password stays entirely on your computer — no transmission.)
  - Click "Analyse" to run the strength analysis. The tool tests your password against 7 types of realistic computer attacks: brute force, dictionary, hybrid, mask, probabilistic Markov, grammatical PCFG, and word combinator.
  - Read the results: the tool displays the estimated time to crack your password under each of the 6 hash algorithms (MD5, SHA-1, SHA-256, NTLM, bcrypt, Argon2id).
Interpreting the results
Time2Crack displays two main measures:
  - "Crack Time": how long an average attacker (12 modern GPUs) would need to crack your password.
    - Excellent: > 100 years
    - Very good: 1 year – 100 years
    - Acceptable: 1 day – 1 year
    - Low: < 1 day
    - Ultra-low: < 1 second
  - "Fast Attack": which kind of attack will crack your password first. For example, a simple dictionary word will be cracked by a dictionary attack, while a passphrase (4+ words) will be cracked by the combinator attack.
Why this measure is scientific
Time2Crack does not measure theoretical entropy (the traditional NIST approach), which overestimates passwords by ignoring human patterns. Instead, it considers the practical attack cost, based on:
  - Academic research (Wheeler 2016, Wang & Ding 2023, Weir 2009) validating 7 real attacks
  - Empirical data from rockyou2021 (32.6M real passwords) to calibrate the probabilistic models
  - Official GPU benchmarks (Hashcat v6.2.6, Hive Systems 2025) for cracking speeds
This means that Time2Crack estimates real security more accurately than a traditional visual strength bar.
Steps to improve your score
If your password is rated low, improve it as follows:
  - Increase the length: go from 8 to 12+ characters. Each additional character multiplies the difficulty by ~70 (the average number of possible characters per position).
  - Use a passphrase (recommended): 4-5 random words separated by dashes or spaces. Example: correct-horse-battery-staple. This is safer AND more memorable than a complex word.
  - Avoid human patterns: do not combine "Name + year" (e.g. Jean1985). Time2Crack detects these patterns and cracks them in seconds via the PCFG attack.
  - Use a password manager: let a manager generate a 16-32 character random string. Time2Crack will estimate it at > 10,000 years, guaranteeing maximum security.
Key advice: do not chase a perfect visual strength bar. Aim for a crack time > 100 years for a critical password (email, bank). A 4-word passphrase easily achieves this, while a 12-character word can fail depending on its composition.
- What is Time2Crack?
- Time2Crack is a password cracking time calculator. It estimates how long it would take an attacker to guess your password using 7 different attacks (brute force, dictionary, hybrid, mask, Markov, PCFG, combinator). The tool computes everything on your computer — your password never leaves your device.
- Are my data secure?
- Yes. Time2Crack runs 100% locally in your browser. No password is sent to our servers. We perform only one optional check: a query to Have I Been Pwned (HIBP) to see whether your password appears in known leaks. This check uses k-anonymity (we send only the first 5 characters of the SHA-1 hash, never the full password).
  Concrete example: how k-anonymity works
  For the password "password":
    - Full SHA-1 hash (local, never transmitted): 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    - Prefix sent to HIBP: 5BAA6 (only 5 characters)
    - Suffix kept locally (never transmitted): 1E4C9B93F3F0682250B6CF8331B7EE68FD8
    - HIBP returns all hashes starting with 5BAA6 (~500-1000 anonymous results)
    - Time2Crack compares the suffix with the answers locally, only on your computer
  Outcome: the full password never leaves your device, even during the HIBP check.
- Why do time estimates vary according to the hash algorithm?
- Different hash algorithms have very different cracking speeds. MD5 and SHA-1 (unsalted) are quick to crack (~2 billion attempts/second), while bcrypt and Argon2id are deliberately slow (~2 million and ~800 attempts/second respectively). Time2Crack displays the time for each algorithm, so you understand the importance of using bcrypt or Argon2id for critical passwords.
- What are "brute force", "dictionary", etc.?
- These are the 7 types of real attacks that attackers use:
  - Brute force: tries every possible combination (slow for long passwords)
  - Dictionary: tries common words and known leaks (fast for simple words)
  - Hybrid: dictionary + minor mutations (e.g. password → p@ssw0rd)
  - Mask: targets predictable structures (e.g. Name + Year)
  - Markov: analyses the probabilities of character sequences (e.g. "qu" is common in French)
  - PCFG: grammatical structures (e.g. uppercase + lowercase + digits)
  - Combinator: concatenates words (e.g. "correct-horse-battery-staple")
- What is "Favourable" vs "Standard"?
- Standard: assumes the attacker uses the best known attack. Favourable: assumes the attacker tries only the dictionary and simple mutations (the most favourable scenario for your password). In practice, these two estimates are often similar, because the best attackers run all methods in parallel.
- My password is marked "Ultra-low".
- An ultra-low password (cracked in less than a second) is included in the most common password lists. Change it immediately. Use instead:
  - A passphrase (4+ random words separated by spaces, e.g. "correct-horse-battery-staple")
  - A randomly generated password (at least 12 mixed characters)
  - A password manager (Bitwarden, 1Password, KeePass, etc.)
- How do I create a secure password?
- The three approaches:
  - Passphrase (recommended): 4-5 common random words (e.g. "sun-table-computer-flower"). Easy to memorize, very safe (10,000+ years if digits are added).
  - Random: 16+ characters (upper case, lower case, digits, symbols). Cracking takes 10,000+ years. Use a manager to store it.
  - Passphrase + mutation: "Sun2024!" (passphrase + year + symbol). Combines security and memorability.
- Why is a short password with symbols not enough?
- Example: "P@ssw0rd!" (10 characters) can be cracked in a few days with bcrypt. Even with symbols, a short word remains vulnerable because it follows a predictable pattern, and the PCFG attack tests exactly this pattern. A 4-word passphrase is safer than a short "complex" word.
- What if I use a password manager?
- Excellent choice! Managers (Bitwarden, 1Password, KeePass) generate random passwords of 16-32 characters that you don't need to memorize. Time2Crack will estimate the crack time at 10,000+ years for a randomly generated password. You only need one strong passphrase to unlock the manager.
- Can my estimates be incorrect?
- Time2Crack uses the best publicly available data (rockyou2021, NIST, academic research) to calibrate its estimates. The typical error is ±1 order of magnitude (i.e. 10× faster or slower than reality). The estimates assume an attacker with 12× RTX 4090 — a real attacker can be 100× slower or 10,000× faster depending on their resources. Estimates for Argon2id are more reliable (slower, less variation).
- Why does Time2Crack show 7 different attacks?
- Because each password is vulnerable to a different attack. "password" falls in 1 attempt (dictionary). "P@ssw0rd!" falls in ~10,000 attempts (hybrid + PCFG). "a1b2c3d4e5f6g7h8" falls only to brute force (~10^30 attempts). Time2Crack identifies the best attack for your password and displays the time for each hash algorithm.
- Does the Method page explain how it works?
- Yes! The Method page (accessible via the menu) details:
  - How each attack works (with examples)
  - The data sources used (rockyou, NIST, Hive Systems)
  - Limitations and assumptions
  - The academic research that validates our estimates
- Can I use Time2Crack offline?
- Yes! Time2Crack works completely offline once loaded. The dictionary data and ML models (Markov, PCFG) are downloaded once at startup. You can then disconnect from the Internet — Time2Crack continues to work normally.
- How long does it take to crack a "good" password?
- With a conservative estimate:
  - 8 random characters: ~8 hours (MD5) / ~3 years (bcrypt)
  - 12 random characters: ~2,000 years (MD5) / ~1 million years (bcrypt)
  - 16 random characters: ~2 million years (bcrypt)
  - 4-word passphrase + symbol: 10,000+ years (bcrypt)
- Is Time2Crack open source?
- Yes! The source code is available on Codeberg. Time2Crack has zero dependencies — it is pure JavaScript, with no bundler or transpiler. You can check the code yourself to confirm that no password is transmitted.