Brute Force Attack Speed by Character Set
Compare brute-force attack speeds across different character sets and hardware configurations. See how digits-only, lowercase, alphanumeric, and full ASCII passwords withstand modern GPUs.
Detailed Explanation
Brute Force Attack Fundamentals
A brute-force attack systematically tries every possible password combination. Its speed depends on two variables: the hardware performing the computation and the hash algorithm protecting the stored password. Understanding these speeds is essential for setting meaningful password length requirements.
GPU Cracking Speeds (2024 Benchmarks)
A single NVIDIA RTX 4090 GPU achieves approximately these speeds:
| Hash Algorithm | Guesses/Second | Purpose |
|---|---|---|
| MD5 | ~60 billion | Legacy web apps |
| SHA-1 | ~20 billion | Legacy systems |
| SHA-256 | ~8 billion | General hashing |
| NTLM | ~100 billion | Windows passwords |
| bcrypt (cost 10) | ~600 | Modern auth |
| bcrypt (cost 12) | ~150 | Recommended auth |
| Argon2id | ~10 | State-of-the-art auth |
Time to Exhaust Search Space (Single RTX 4090, MD5)
| Length | Digits (10) | Lowercase (26) | Alphanumeric (62) | Full ASCII (95) |
|---|---|---|---|---|
| 6 | instant | instant | ~1 second | ~13 seconds |
| 8 | instant | ~6 seconds | ~36 minutes | ~18 hours |
| 10 | ~0.2 sec | ~2.3 hours | ~13 years | ~2,700 years |
| 12 | ~17 sec | ~80 days | ~51,000 years | ~1.7 billion years |
| 14 | ~28 min | ~148 years | ~2 × 10^9 years | ~1.5 × 10^13 years |
| 16 | ~46 hours | ~2.6M years | ~8 × 10^12 years | ~1.3 × 10^17 years |
Scaling with Hardware
Professional password cracking rigs use multiple GPUs. An 8-GPU cluster cracks 8x faster. Nation-state actors or large botnets can achieve even higher throughput. When estimating real-world resistance, consider:
- Hobbyist: 1 GPU (~60B MD5/s)
- Professional: 8 GPUs (~480B MD5/s)
- Organization: specialized hardware (~1-10T MD5/s)
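An added example, not part of the original page: it computes exhaustion time as charset^length divided by guess rate, using the approximate single-GPU rates listed above, and derives the shortest length that meets a target resistance time for a given GPU count. The function names, the linear GPU scaling and the 100-year target are assumptions, and the model covers uniformly random passwords of one exact length only.

```python
# Added example: rates are the page's approximate single-RTX-4090 figures.
RATES = {  # guesses per second
    "MD5": 60e9, "SHA-1": 20e9, "SHA-256": 8e9, "NTLM": 100e9,
    "bcrypt-10": 600, "bcrypt-12": 150, "Argon2id": 10,
}
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "ascii": 95}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def exhaust_seconds(charset, length, algo, gpus=1):
    """Seconds to try every password of exactly `length` characters."""
    keyspace = CHARSETS[charset] ** length  # Python ints do not overflow
    return keyspace / (RATES[algo] * gpus)  # assumption: linear GPU scaling


def min_length(charset, algo, target_years, gpus=1):
    """Shortest length whose full search takes at least `target_years`."""
    target = target_years * SECONDS_PER_YEAR
    length = 1
    while exhaust_seconds(charset, length, algo, gpus) < target:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit it fills at least once."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def policy_table(target_years=100, gpus=8):
    """Minimum length per (algorithm, charset) for the given attacker."""
    return {algo: {cs: min_length(cs, algo, target_years, gpus)
                   for cs in CHARSETS} for algo in RATES}


if __name__ == "__main__":
    print("12 digits, MD5, 1 GPU:", humanize(exhaust_seconds("digits", 12, "MD5")))
    for algo, row in policy_table().items():
        print(f"{algo:10}", row)
```

The lengths returned are lower bounds for exhaustive search only; human-chosen passwords are usually found by dictionary and rule-based guessing long before the keyspace is exhausted.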
Key Takeaways
- Digits-only passwords are virtually useless — even 12 digits fall in seconds
- Lowercase-only passwords need 14+ characters to resist a single-GPU attack
- Alphanumeric passwords reach safety at 12+ characters for most threat models
- Full ASCII passwords are strongest per character — 10 characters already resist casual attacks
- The hash algorithm is a force multiplier — bcrypt at cost 12 makes even moderate passwords far harder to crack
Practical Recommendations
For passwords hashed with a modern algorithm (bcrypt cost 12+):
- Minimum 10 characters with full character diversity
- Minimum 14 characters if only alphanumeric
- Minimum 20 characters if digits-only (PINs are not passwords)
For passwords hashed with fast algorithms (MD5, SHA-1):
- Minimum 16 characters with full character diversity
- Consider migrating to bcrypt or Argon2id immediately
Use Case
Brute-force speed data helps IT administrators set password length policies proportional to their threat model, guides developers in choosing hash algorithms, and gives security consultants concrete numbers for risk assessments. Seeing how quickly short passwords fall to modern GPUs motivates both stronger passwords and better hashing.