Brute Force Time Estimate

TL;DR

This guide shows you how to estimate how long a brute-force attack might take on a randomly generated sequence of characters. We’ll cover calculating the total possible combinations and then translating that into time based on attempts per second.

Estimating Brute Force Time

  1. Determine Sequence Length: First, find out how many characters are in the random sequence you’re trying to crack. Let’s say it’s 8 characters long.
  2. Identify Character Set: What characters are allowed? Common sets include:
    • Lowercase letters (a-z): 26 characters
    • Uppercase letters (A-Z): 26 characters
    • Numbers (0-9): 10 characters
    • Symbols: Varies, but let’s assume 32 for common symbols.

    If it’s a mix, add the counts together. For example, lowercase letters + numbers = 26 + 10 = 36 characters. Let’s use this 36-character set for our example.

  3. Calculate Total Possible Combinations: This is where we figure out how many guesses are needed in the worst case. The formula is:
    Total Combinations = Character Set Size ^ Sequence Length

    In our example:

    36 ^ 8 = 2,821,109,907,456

    That’s over 2.8 trillion combinations!

  4. Estimate Attempts Per Second: How fast can the attacker try passwords? This depends on their hardware and software.
    • A basic computer might manage 100,000 attempts per second.
    • A powerful GPU setup could reach millions (e.g., 5,000,000) or even billions of attempts per second.

    Let’s assume an attacker can try 5,000,000 passwords/second for this example.

  5. Calculate Estimated Time: Divide the total combinations by the attempts per second.
    Estimated Time (seconds) = Total Combinations / Attempts Per Second

    In our example:

    2,821,109,907,456 / 5,000,000 = 564,221.98 seconds

  6. Convert to More Understandable Units: Convert seconds into minutes, hours, days, etc.
    • Minutes: 564,221.98 / 60 = 9,403.69 minutes
    • Hours: 9,403.69 / 60 = 156.73 hours
    • Days: 156.73 / 24 = 6.53 days

    So, in the worst case it would take approximately 6.5 days to brute-force this password at that attack speed.
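
The six steps above as a small calculator, added here as an illustration and not part of the original guide. It goes beyond the worked example by also reporting the average case (half the keyspace) and the shortest random sequence that meets a target search time; the function names, the 1,000,000,000/s rate and the 100-year target are assumptions chosen for the example.

```python
import math

# Character-class sizes from the guide (32 symbols is the guide's assumption).
CLASSES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}
UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
         ("minutes", 60), ("seconds", 1)]


def charset_size(*classes):
    """Step 2: add the sizes of the selected character classes."""
    return sum(CLASSES[c] for c in classes)


def keyspace(size, length):
    """Step 3: total combinations = character set size ^ sequence length."""
    return size ** length


def worst_case_seconds(size, length, rate):
    """Step 5: seconds to try every combination at `rate` attempts/second."""
    return keyspace(size, length) / rate


def humanize(seconds):
    """Step 6: express a duration in the largest unit with a value >= 1."""
    for name, span in UNITS:
        if seconds >= span:
            return f"{seconds / span:,.2f} {name}"
    return f"{seconds:.6f} seconds"


def min_length(size, rate, target_seconds):
    """Shortest random sequence whose worst-case search time meets the target."""
    length = 1
    while keyspace(size, length) < rate * target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    size = charset_size("lower", "digits")  # 36, as in the guide
    for rate in (100_000, 5_000_000, 1_000_000_000):  # last rate is an assumed value
        worst = worst_case_seconds(size, 8, rate)
        print(f"{rate:>13,}/s  worst {humanize(worst)}  average {humanize(worst / 2)}")
    print("bits of entropy:", round(8 * math.log2(size), 2))
    # Constructed target: withstand 100 years of guessing at 5,000,000/s.
    print("min length:", min_length(size, 5_000_000, 100 * 365 * 86400))
```

The estimate only holds for sequences chosen uniformly at random from the stated character set.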

Important Considerations

  • Password Complexity: This calculation assumes a truly random sequence. If the password follows patterns (e.g., dictionary words, common substitutions), it will take much less time.
  • Salted Hashes: Most systems don’t store passwords directly; they store salted hashes. Because each hash has its own unique salt, an attacker has to crack every hash separately and cannot reuse work from one hash on another, significantly increasing the effort.
  • Account Lockout Policies: Many systems lock accounts after a certain number of failed attempts, preventing brute-force attacks.
  • Rate Limiting: Systems often limit the rate of login attempts to slow down attackers.