01 — Core Cracking Time Formula
The calculator models a worst-case offline brute-force attack: an attacker who has stolen a hashed password database and is trying every possible combination locally, limited only by their hardware speed.
JavaScript's native BigInt is used for the exponentiation step to avoid
floating-point overflow on long passwords (e.g. 30+ chars produce numbers far exceeding
Number.MAX_SAFE_INTEGER).
Character Pool Sizing
The pool is determined by scanning the actual characters typed — not by what the user claims to have used. Only classes that appear count toward the pool.
| Character class | Characters | Pool contribution | Running total |
|---|---|---|---|
| Lowercase letters | a – z | 26 | 26 |
| Uppercase letters | A – Z | 26 | 52 |
| Digits | 0 – 9 | 10 | 62 |
| Special / symbols | All printable ASCII not in the above, incl. space !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ and space | 33 | 95 |
02 — GPU Hash Rate Benchmarks
All rates come from hashcat benchmarks (hashcat -b), the industry
standard tool for measuring offline password-cracking throughput. Community-published results
are widely cross-referenced across security research and CTF communities.
Primary Source
- hashcat benchmark wiki and community gists — e.g. Chick3nman's RTX 4090 benchmark (GitHub Gist)
- NVIDIA published throughput comparisons for A100 vs H100: nvidia.com/h100
RTX 4090 (directly benchmarked)
| Algorithm | Rate | Confidence |
|---|---|---|
| MD5 | 164 GH/s | High — widely published hashcat benchmark |
| SHA-256 | 22 GH/s | High — widely published hashcat benchmark |
| bcrypt (cost 10) | 24,000 H/s | High — widely published hashcat benchmark |
AWS p4d.24xlarge — 8× NVIDIA A100 (extrapolated)
| Algorithm | Per-card rate | 8-card total | Confidence |
|---|---|---|---|
| MD5 | ~81 GH/s | 648 GH/s | Medium — A100 is ~3–4× RTX 3090; limited public bcrypt data |
| SHA-256 | ~9 GH/s | 72 GH/s | Medium — extrapolated from FP32 relative throughput |
| bcrypt (cost 10) | ~12,000 H/s | 96,000 H/s | Lower — bcrypt is memory-latency bound; fewer public A100 benchmarks exist |
xAI Colossus — 100,000× NVIDIA H100 (extrapolated)
| Algorithm | Per-card rate | Cluster total | Confidence |
|---|---|---|---|
| MD5 | ~200 GH/s | 20 PH/s | Medium — H100 is ~1.5–3× A100 depending on workload |
| SHA-256 | ~20 GH/s | 2 PH/s | Medium — extrapolated from NVIDIA H100 spec comparisons |
| bcrypt (cost 10) | ~60,000 H/s | 6 GH/s | Lower — bcrypt speedup over A100 is modest due to memory bottleneck |
hashcat -b runs on those GPUs. These GPUs are expensive
enough that few researchers publish bcrypt benchmarks for them. The actual rates could be
meaningfully higher or lower.
03 — Cost Estimates
Hardware Tiers — Electricity Only
Hardware purchase cost is excluded (the attacker already owns the machine). The running cost is modeled as electricity at the U.S. EIA average residential rate of $0.12/kWh (2024 average; source: U.S. Energy Information Administration).
| Tier | Assumed draw | Calculation | $/hr |
|---|---|---|---|
| Laptop (integrated GPU) | ~50 W | 0.050 kW × $0.12 | $0.006 |
| Gaming PC (RTX 4090) | ~500 W | 0.500 kW × $0.12 | $0.060 |
| Hacker Rig (8× RTX 4090) | ~4,000 W | 4.000 kW × $0.12 | $0.480 |
Cloud Tiers — On-Demand Rental
Prices are AWS on-demand rates for US-East-1, as published at aws.amazon.com/ec2/pricing/on-demand/ (early 2025).
| Tier | Instance | $/hr | Notes |
|---|---|---|---|
| Cloud Server | 1× p4d.24xlarge | $32.77 | AWS list price, on-demand |
| GPU Cluster | 100× p4d.24xlarge | $3,277 | 100 × $32.77; linear scaling. Reserved pricing would be lower. |
xAI Colossus — Estimated
xAI's Colossus cluster is not available for public rental. The cost is estimated from spot/on-demand H100 rental prices on the open GPU market:
- Market providers (Lambda Labs, CoreWeave, Vast.ai): ~$2.00–$3.50 per H100 per hour as of early 2025
- Estimate used: $2.50/H100/hr
- Calculation: 100,000 × $2.50 = $250,000/hr
Total Crack Cost Formula
This is the expected cost at 50th percentile (median attempt). The attacker could get lucky and spend half as much, or unlucky and spend up to twice as much.
04 — Key Assumptions & Limitations
What this calculator assumes
- Offline attack only. The attacker has already obtained your hashed password (e.g. from a data breach) and is cracking it locally. Online attacks against a live login form are rate-limited by the server and take orders of magnitude longer.
- Uniform random brute force. The attacker tries every combination in the character space systematically. Real attackers often use smarter strategies (see limitations below).
- Attacker knows the character set. For example, if your password contains only lowercase letters, the attacker only searches that space. This is a common and reasonable attacker assumption post-breach.
- 50th percentile (median). On average, a password is found after half the keyspace has been searched. The 100th percentile (worst case for attacker) is exactly double the time shown.
- bcrypt cost factor = 10. This is the default in many popular
frameworks: Django, Rails, Spring Security, PHP's
password_hash(). Cost factor 12 is ~4× slower; cost factor 14 is ~16× slower. - Single GPU type per tier. Real clusters mix hardware generations. The rates shown assume identical GPUs across the tier.
What this calculator does NOT model
- Dictionary attacks. Common words, phrases, and patterns (e.g.
P@ssw0rd) are cracked almost instantly regardless of what the complexity score shows, because attackers maintain wordlists of billions of known passwords. - Rule-based attacks. Hashcat rules can mutate wordlist entries (capitalize first letter, append a year, replace 'a' with '@') — dramatically extending effective dictionary coverage.
- Rainbow tables. Precomputed hash lookups for unsalted algorithms. bcrypt uses per-password salts, making rainbow tables ineffective. MD5/SHA-256 without salting are vulnerable.
- Password re-use. If you use the same password on multiple sites and one is breached in plaintext, length and complexity are irrelevant.
- Side-channel and social engineering attacks. No amount of password complexity protects against phishing or keyloggers.