| Attack Type | Speed | Estimated Time |
|---|---|---|
| Online attack (web login) | 100/sec | — |
| Offline slow hash (bcrypt) | 10K/sec | — |
| Offline fast hash (MD5) | 10B/sec | — |
| GPU cluster (SHA1) | 100B/sec | — |
Entropy measures unpredictability. It's calculated as log₂(pool_size^length) — the number of bits needed to represent all possible passwords of this length. Higher entropy = harder to crack. Below 28 bits: trivial. 28–35: weak. 36–59: moderate. 60–127: strong. 128+: very strong.
A hash function takes any input and produces a fixed-length output called a digest. The same input always produces the same hash, but you cannot reverse it to get the original — making it ideal for storing passwords without ever saving the plaintext.
Attackers pre-hash millions of common passwords and compare them to stolen hashes. If your password is password123, its MD5 hash is public knowledge. This is why common passwords are immediately cracked regardless of complexity rules.
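The entropy formula, strength bands and guess rates above, together with the common-password caveat, worked through as an added example (not code from this page's tool). The character-class pool sizes and the three-entry `COMMON` wordlist are assumptions made for illustration.

```python
import math
import string

# Guess rates (guesses/second) copied from the table on this page.
RATES = {
    "Online attack (web login)": 100,
    "Offline slow hash (bcrypt)": 10_000,
    "Offline fast hash (MD5)": 10_000_000_000,
    "GPU cluster (SHA1)": 100_000_000_000,
}
# Strength bands from the text: (exclusive upper bound in bits, label).
BANDS = [(28, "trivial"), (36, "weak"), (60, "moderate"), (128, "strong")]
# Constructed stand-in for a real leaked-password wordlist.
COMMON = {"password123", "123456", "qwerty"}
# Assumed character classes used to infer the pool size.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def pool_size(password):
    """Sum the sizes of the classes used; count other characters singly."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    known = "".join(CLASSES)
    return size + len({c for c in password if c not in known})


def entropy_bits(password):
    """length * log2(pool), equal to log2(pool ** length) without big ints."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def band(bits):
    return next((label for upper, label in BANDS if bits < upper), "very strong")


def crack_seconds(bits):
    """Seconds to try the whole keyspace at each rate; inf if too large for a float."""
    space = 2.0 ** bits if bits < 1024 else math.inf
    return {name: space / rate for name, rate in RATES.items()}


def assess(password):
    bits = entropy_bits(password)
    # A listed password falls to a dictionary attack whatever its computed bits.
    return {"bits": round(bits, 1), "band": band(bits),
            "in_wordlist": password.lower() in COMMON,
            "seconds": crack_seconds(bits)}


if __name__ == "__main__":
    print(assess("password123"))
```

`password123` scores about 56.9 bits ("moderate") by the formula yet is flagged by the wordlist check, which is the gap between computed entropy and real guessability.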
A salt is a random string added to a password before hashing — making every hash unique even for identical passwords. bcrypt and Argon2 are modern algorithms that include salting and are deliberately slow to resist GPU attacks.
MD5 is broken — collisions (two inputs producing the same hash) are known. SHA-1 is deprecated for the same reason. SHA-256 is currently safe for non-password uses. For passwords, always use bcrypt, scrypt, or Argon2.