📊 Sources, Assumptions & Calculations

How the numbers in the Password Strength Calculator are derived

01 — Core Cracking Time Formula

The calculator models a worst-case offline brute-force attack: an attacker who has stolen a hashed password database and is trying every possible combination locally, limited only by their hardware speed.

keyspace = character_pool_size ^ password_length expected_guesses = keyspace / 2 ↑ 50th percentile — on average the password is found after half the search space has been exhausted time_seconds = expected_guesses / hash_rate_per_second

JavaScript's native BigInt is used for the exponentiation step to avoid floating-point overflow on long passwords (e.g. 30+ chars produce numbers far exceeding Number.MAX_SAFE_INTEGER).

Character Pool Sizing

The pool is determined by scanning the actual characters typed — not by what the user claims to have used. Only classes that appear count toward the pool.

Character class Characters Pool contribution Running total
Lowercase lettersa – z2626
Uppercase lettersA – Z2652
Digits0 – 91062
Special / symbolsAll printable ASCII not in the above, incl. space
!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ and space
3395
Note: 95 is the total count of printable ASCII characters (codes 32–126). Subtracting the 62 alphanumeric characters leaves 33 special characters, which matches the set above.

02 — GPU Hash Rate Benchmarks

All rates come from hashcat benchmarks (hashcat -b), the industry standard tool for measuring offline password-cracking throughput. Community-published results are widely cross-referenced across security research and CTF communities.

Primary Source

RTX 4090 (directly benchmarked)

AlgorithmRateConfidence
MD5164 GH/sHigh — widely published hashcat benchmark
SHA-25622 GH/sHigh — widely published hashcat benchmark
bcrypt (cost 10)24,000 H/sHigh — widely published hashcat benchmark

AWS p4d.24xlarge — 8× NVIDIA A100 (extrapolated)

AlgorithmPer-card rate8-card totalConfidence
MD5~81 GH/s648 GH/sMedium — A100 is ~3–4× RTX 3090; limited public bcrypt data
SHA-256~9 GH/s72 GH/sMedium — extrapolated from FP32 relative throughput
bcrypt (cost 10)~12,000 H/s96,000 H/sLower — bcrypt is memory-latency bound; fewer public A100 benchmarks exist

xAI Colossus — 100,000× NVIDIA H100 (extrapolated)

AlgorithmPer-card rateCluster totalConfidence
MD5~200 GH/s20 PH/sMedium — H100 is ~1.5–3× A100 depending on workload
SHA-256~20 GH/s2 PH/sMedium — extrapolated from NVIDIA H100 spec comparisons
bcrypt (cost 10)~60,000 H/s6 GH/sLower — bcrypt speedup over A100 is modest due to memory bottleneck
Caveat: A100 and H100 bcrypt rates are extrapolated from architecture comparisons, not from directly observed hashcat -b runs on those GPUs. These GPUs are expensive enough that few researchers publish bcrypt benchmarks for them. The actual rates could be meaningfully higher or lower.

03 — Cost Estimates

Hardware Tiers — Electricity Only

Hardware purchase cost is excluded (the attacker already owns the machine). The running cost is modeled as electricity at the U.S. EIA average residential rate of $0.12/kWh (2024 average; source: U.S. Energy Information Administration).

cost_per_hour = power_draw_watts / 1000 × $0.12
TierAssumed drawCalculation$/hr
Laptop (integrated GPU) ~50 W 0.050 kW × $0.12 $0.006
Gaming PC (RTX 4090) ~500 W 0.500 kW × $0.12 $0.060
Hacker Rig (8× RTX 4090) ~4,000 W 4.000 kW × $0.12 $0.480

Cloud Tiers — On-Demand Rental

Prices are AWS on-demand rates for US-East-1, as published at aws.amazon.com/ec2/pricing/on-demand/ (early 2025).

TierInstance$/hrNotes
Cloud Server 1× p4d.24xlarge $32.77 AWS list price, on-demand
GPU Cluster 100× p4d.24xlarge $3,277 100 × $32.77; linear scaling. Reserved pricing would be lower.

xAI Colossus — Estimated

xAI's Colossus cluster is not available for public rental. The cost is estimated from spot/on-demand H100 rental prices on the open GPU market:

Caveat: The true operating cost of Colossus would also include capital amortization (~$25,000–$40,000 per H100 at 2024 list prices), networking, cooling, and facilities — making the real cost substantially higher. The $250,000/hr figure represents a conservative floor, not a ceiling.

Total Crack Cost Formula

total_cost = cost_per_hour × (time_seconds / 3600)

This is the expected cost at 50th percentile (median attempt). The attacker could get lucky and spend half as much, or unlucky and spend up to twice as much.

04 — Key Assumptions & Limitations

What this calculator assumes

  1. Offline attack only. The attacker has already obtained your hashed password (e.g. from a data breach) and is cracking it locally. Online attacks against a live login form are rate-limited by the server and take orders of magnitude longer.
  2. Uniform random brute force. The attacker tries every combination in the character space systematically. Real attackers often use smarter strategies (see limitations below).
  3. Attacker knows the character set. For example, if your password contains only lowercase letters, the attacker only searches that space. This is a common and reasonable attacker assumption post-breach.
  4. 50th percentile (median). On average, a password is found after half the keyspace has been searched. The 100th percentile (worst case for attacker) is exactly double the time shown.
  5. bcrypt cost factor = 10. This is the default in many popular frameworks: Django, Rails, Spring Security, PHP's password_hash(). Cost factor 12 is ~4× slower; cost factor 14 is ~16× slower.
  6. Single GPU type per tier. Real clusters mix hardware generations. The rates shown assume identical GPUs across the tier.

What this calculator does NOT model

Bottom line: The times shown are accurate for random passwords against an attacker doing pure brute force. For passwords made of real words, names, or common substitutions, assume the actual crack time is far shorter than displayed.

05 — Worked Examples

Example A: "cat" — Gaming PC, bcrypt

Pool: 26 (lowercase only) Length: 3 Keyspace: 26³ = 17,576 Expected guesses: 17,576 / 2 = 8,788 Hash rate: 24,000 H/s (RTX 4090, bcrypt cost 10) Time: 8,788 / 24,000 ≈ 0.37 seconds → "< 1 second"

Example B: "Tr0ub4dor&3" — Gaming PC, bcrypt

Pool: 95 (lower + upper + digits + symbols) Length: 11 Keyspace: 95¹¹ = 5.69 × 10²¹ Expected guesses: 2.84 × 10²¹ Hash rate: 24,000 H/s Time: 2.84 × 10²¹ / 24,000 ≈ 1.18 × 10¹⁷ seconds ≈ 3.75 billion years

Example C: "Tr0ub4dor&3" — xAI Colossus, MD5

Pool: 95 Length: 11 Keyspace: 95¹¹ = 5.69 × 10²¹ Expected guesses: 2.84 × 10²¹ Hash rate: 20 × 10¹⁵ H/s (20 PH/s) Time: 2.84 × 10²¹ / 20 × 10¹⁵ ≈ 142,450 seconds ≈ 40 hours Cost: $250,000/hr × (142,450 / 3600) ≈ $9.9 million
Insight: This illustrates why algorithm choice matters enormously. The same password takes billions of years against bcrypt on a gaming PC, but only 40 hours against MD5 on Colossus — a difference of roughly 1014×. This is why modern systems use slow hashing algorithms.