How Time2Crack calculates cracking time

Complete Guide to Scientific and Technical Operations

Overview

Time2Crack answers a simple question: "How long would it take to crack this password?"

The answer involves three steps:

PASS MOT (e.g. "P@ssw0rd!") ▼ STEP 1: Analysis (pattern detection, entropy) ▼ STEP 2: Estimated number of attempts (range) ▼ STEP 3: Time conversion (based on GPU speed) ▼ RESULT (e.g. "2 days on GPU NTLM")

Critical point : Time2Crack testes Not really The password. mathematically how many attempts would be needed with different attacks.

Key innovation is the strict separation between Rank (number of attempts) and Time (GPU-based conversion). This allows to modify attack algorithms or GPU speeds independently.

Calculation flow

Main calculation flow

calcCrackTime(password, options) [core/calc.js] Promotional - analyzePatterns(password) │ Promotional Ü--estimateRank(password, context) │ Ã - rankBrute() → tanklength │ ç - rankDictionary() → dictionary + HIBP │ ç - rankHybrid() → dictionary + mutations │ Ã - rankMask() → predictable structures │ Ü - RankMarkov() → probabilistic model │ ç - rankPCFG() → grammar Promotional │ Promotional - RankToAllSeconds(rank) - Converts attempts → seconds (GPU speed) - Return: { md5, sha1, sha256, ntlm, bcrypt, argon2 }

Two-layer architecture

Time2Crack's key innovation is strict separation between:

1Layer 1 (Rank)

"How many attempts?" — Have no notion of GPU time or speed. Modules: core/rank/*.js

2Layer 2 (Time)

"How long?" — Convert attempts into seconds. Module: core/time.js

Advantage : Changing the algorithm of an attack never affects the logic of time. Changing the GPU speed never affects attacks.

Step 1

Step 1: Password Analysis

What are we analyzing?

Before calculating the crack time, Time2Crack dissects the password to detect:

analyzePatterns(password) retourne {
  // CHARSET & ENTROPIE
  charset: { hasLower, hasUpper, hasDigit, hasSymbol },
  entropy: 52.3,  // bits

  // DÉTECTIONS
  patterns: {
    dictionaryWord: true,      // mot dans dictionnaire
    commonPassword: false,     // dans HIBP
    keyboardPattern: false,    // qwerty, asdfgh
    sequencePattern: false,    // abc, 123
    datePattern: false,        // 2024, 12/25
    repeatingPattern: false,   // aaaa, 1111
    maskLike: true,            // structure prévisible
    looksPassphrase: true,     // plusieurs mots
  }
}

The 8 types of detections

1 Dictionary Word

Test the password against 50k-200k common words and their variants (simple mutations).

2 Common password (HIBP)

Test against the 1,000 most escaped passwords using the k-anonymity (only 5 first SHA-1 characters sent).

Check if your password has been hacked →

3 Keyboard pattern

Detect: qwerty, asdfgh, qazwsx, etc.

4 Sequence

Detect: abc, 123, xyz, etc.

5 Date

Detect: 2024, 12/25, 25-12-2024, etc.

6 Repeat

Detect: aaaa, 1111, !!!, etc.

7 Structured

Detects foreseeable structures: Name2024!, Passw0rd!

8 Phrase

Detects several concatenated words: correcthorsebatterystaple → [correct] + [horse] + [battery] + [staple]

Step 2

Step 2: Rank estimate (number of attempts)

Basic concept

The row is: "How many passwords does an attack have to test before you find it?"

Example

Gross strength for abc : 263 = 17,576 attempts
Dictionary for password : ~1 attempt
PCFG for Password123 : ~1011 attempts

How to choose the winning attack?

Time2Crack launches the 7 parallel attacks and takes the best result:

const results = {
  brute:      { rank: 1e30 },
  dictionary: { rank: 1e6 },      // GAGNANT
  hybrid:     { rank: 1e7 },
  mask:       { rank: 1e8 },
  markov:     { rank: 1e9 },
  pcfg:       { rank: 1e11 },
  combinator: { rank: 1e12 },
};

const best = Math.min(...Object.values(results).map(r => r.rank));
// → 1e6 (Dictionary attack est la plus rapide)

Step 3

Step 3: Conversion to Time

The concept

Now that we know we have to rang attempts, we convert to seconds :

Formule : temps (secondes) = log₁₀(rang) / log₁₀(taux_hachage)

Hashing speeds (GPU)

Time2Crack uses true speeds Hashcat for 12× RTX 4090:

Algorithm	Speed	Salification
MD5	2.03 TH/s	No
SHA-1	610 GH/s	No
SHA-256	272 GH/s	No
NTLM	3.46 TH/s	No
bcrypt	2.2 MH/s	Yes
Argon2id	800 H/s	Yes

Example of conversion

Password: "password" (Rang: 1 million = 106)

For MD5 (2 trillion/sec):

Temps = 10⁶ / (2×10¹²) = 0.5 microsecondes

For SHA-256 (272 GH/s):

Temps = 10⁶ / (2.72×10¹¹) = 3.7 microsecondes

For bcrypt (2.2 MH/s):

Temps = 10⁶ / (2.2×10⁶) = 0.45 secondes

For Argon2id (800 H/s):

Temps = 10⁶ / 800 = 1 250 secondes = 21 minutes

The 7 attacks

The 7 attacks implemented

1 Gross Force

Concept : Test all possible combinations

Formule : rang = charset_size ^ length

Example : abc → 263 = 17,576 attempts

Very effective for : short and random passwords

Learn more about Brute Force →

2 Dictionary Attack

Concept : Test every word in the dictionary

Formule : rang = taille_dictionnaire

Very effective for Human words

Learn more about Dictionary Attack →

3 Hybrid Attack

Concept : Dictionary Word + simple mutations

Formule : rang = taille_dictionnaire × nombre_mutations (~1000)

Very effective for : dictionary words + small modifications

Learn more about Hybrid Attack →

4 Mask Attack

Concept : Test predictable structures

Very effective for : human structures (Name2024, Password!)

Learn more about Mask Attack →

5 Markov Model

Concept : Statistical approach based on n-gram frequencies

Very effective for Human words — reduced space by ~99%

Learn more about Markov Model →

6 PCFG

Concept : Grammatical model that learns structures

Real example

Password123 :

Gross strength: 9411 = 475 trillion attempts
PCFG: ~100 trillion attempts (4,700× faster!)

Learn more about PCFG →

7 Combiner Attack

Concept : Concatenation of 2+ dictionary words

Very effective for : passphrases (4+ words)

Learn more about Combiner Attack →

Algorithms

The 6 hash algorithms

Why six?

Different algorithms offer different levels of security. Time2Crack shows crack times for the 6 to show the impact of the algorithm choice.

MD5 (DEPRECTED)

Speed : 2 TH/s (very fast)
Salification No
Status - Do not use

SHA-1 (DEPRECTED)

Speed : 610 GH/s
Salification No
Status - Collisions found (2017)

SHA-256 (ACCEPTABLE)

Speed : 272 GH/s
Salification : Generally yes
Status - Acceptable if with SALT + iteration

NTLM (LEGACY)

Speed : 3.46 TH/s
Status - Used in Windows legacy

bcrypt (RECOMMENDED)

Speed 2.2 MH/s (intentionally slow)
Salification : YES
Status * Excellent for production

Argon2id (Better)

Speed 800 H/s (very slow = very safe)
Type : Hybrid (time + memory)
Status Best modern choice (NIST 2021)

Modern algorithms are intentionally slowIt's a feature, not a bug! MD5 is fast (bad), bcrypt is slow (excellent), Argon2id is even slower (best).

Profiles

Attacker profiles

Concept

Different attackers have different resources. Time2Crack models 4 profiles:

Profile	GPUs	NTLM	Use cases
Amateur	1	288 GH/s	Hobbyist Hackers
Experienced	12	3.46 TH/s	Serious crackers
Professional	~100	28.8 TH/s	Companies, AWS clusters
State Nation	~10k	2.88 PH/s	Governments

Concrete impact

Password: "P@ssw0rd" (10 tanks, row: 1 trillion)

Amateur 44 seconds
Experienced 3.7 seconds
Professional : 0.43 seconds
State Nation 4.4 milliseconds

Education : Even a "strong" password can be cracked in milliseconds by a nation-state!

Example

Concrete example: Tr0ub4dor&3

It's the movie password. "Correct Horse Battery Staple" Let's see what Time2Crack does:

Step 1: Analysis

• length : 11 caractères
• charset : 94 caractères
• entropy : ~64 bits
• dictionaryWord : FALSE
• commonPassword : FALSE
• maskLike : TRUE
• looksPassphrase : FALSE

Step 2: Rank estimate

Brute Force  : 94^11 ≈ 475 trillion
Dictionary   : ∞ (pas dans dictionnaire)
Mask         : ≈ 1.4 trillion
Markov       : ≈ 10 trillion
PCFG         : ≈ 50 billion (GAGNANT)
Combinator   : ∞

Step 3: Conversion to Time

Results for 50 billion attempts

MD5 : 0.025 seconds
SHA-256 0.18 seconds
bcrypt 6.3 hours
Argon2id 2 years

Conclusion

• Safe against bcrypt/Argon2id (hours → years)

FAQ

Frequently Asked Questions

Q: Does Time2Crack actually test the password?

No. Time2Crack does not send Never your password to a server.

All calculations are done Local in the browser
Only network call: HIBP check using k-anonymity
No full password transmission

Learn more about our privacy policy →

Q: Where do GPU speed numbers come from?

Official Hashcat benchmarks (v6.2.6) on RTX 4090:

Laboratory measurements
Public domain
Alignment with Hive Systems 2025

Q: Why is Argon2id so slow?

It's intentional.. Argon2id is designed to be slow, memory-hard, and difficult to parallelize. This forces attackers to use a lot of resources.

Q: Can we improve a 100% "safe" password?

NoEven the best password can be stolen or guessed. Defensive strategy :

Good password (15+ random characters)
Multifactor authentication
Password Manager
Verification of breaches (Have I Been Pwned)

Q: How do I improve my password?

Simple rules :

Length : 15+ characters (greater than complexity)
Random : Use password manager
Unique : Different password per site
MFA : Enable 2FA authentication if possible

Conclusion

Time2Crack works in 3 immutable steps :

1. ANALYSE       → Détecte patterns (dictionnaire, keyboard, etc.)
2. RANG          → Estime tentatives nécessaires (7 attaques)
3. TEMPS         → Convertit tentatives en secondes (GPU speeds)

Key Innovation : Rigorous separation between row (attack) and time (GPU), allowing:

Easy update of GPU speeds
Easy addition of new attacks
Modular and testable architecture

Result : Estimate precise, Offline, multilingual time to crack a password.

↑ Back to top