A brute force attack is a trial-and-error method where an attacker systematically tries every possible combination of characters until the correct password is found. Unlike dictionary attacks that use a list of common passwords, brute force attacks exhaust the entire key space. The time required depends on the password length, character set size, and the attacker's computational power. Modern defenses like account lockouts, rate limiting, CAPTCHAs, and slow hashing algorithms (bcrypt, Argon2) significantly slow down brute force attempts.

This tool analyzes your password to determine its length and the types of characters used (lowercase, uppercase, digits, special characters). It calculates the total number of possible combinations as charset^length and the entropy as length × log₂(charset). The estimated crack time is then computed by dividing the total combinations by the attack speed (attempts per second) for each scenario. Four realistic attack scenarios are modeled: online attacks (1,000/sec), GPU attacks on slow hashes like bcrypt (5,000/sec), GPU attacks on fast hashes like MD5 (100 billion/sec), and large-scale supercomputer attacks (1 quadrillion/sec).

Password entropy is a measure of unpredictability, expressed in bits. It is calculated as log₂(N) where N is the total number of possible combinations. For a randomly generated password, entropy = length × log₂(charset size). Higher entropy means more possible combinations an attacker must try. For example, an 8-character password using only lowercase letters has ~37.6 bits of entropy (26⁸ ≈ 209 billion combinations), while a 12-character password using all character types has ~78.8 bits of entropy (94¹² ≈ 4.7 × 10²³ combinations). Each additional bit of entropy doubles the crack time. Security experts recommend at least 60-80 bits of entropy for strong passwords.

Online attacks occur over a network (e.g., trying passwords on a website login form). They are inherently slow due to network latency and are often thwarted by rate limiting, account lockouts after failed attempts, and CAPTCHAs — typically limited to ~1,000 attempts per second at most. Offline attacks occur when an attacker has already stolen the password hash database. They can use powerful hardware (GPUs, ASICs) to test billions of combinations per second locally, with no network or rate-limiting constraints. This is why slow hashing algorithms (bcrypt, Argon2, PBKDF2) are critical — they dramatically reduce the speed of offline attacks.

Password length is exponentially more important than complexity because length is the exponent in the combination formula (charset^length), while character set size is the base. For example, doubling the charset from 26 to 52 only squares the combinations (26⁸ → 52⁸), but adding just one character multiplies combinations by the charset size (26⁸ → 26⁹ = ×26). A 12-character password using only lowercase letters (26¹² ≈ 9.5 × 10¹⁶) is actually stronger than an 8-character password using all 95 printable characters (95⁸ ≈ 6.6 × 10¹⁵). A memorable passphrase of 5-6 random words can be both easier to remember and mathematically stronger than a short, complex password.

Fast hashes (MD5, SHA1, SHA256, NTLM) are designed for speed and efficiency — a single GPU can compute hundreds of billions of hashes per second, making them poor choices for password storage. Slow hashes (bcrypt, Argon2, scrypt, PBKDF2) are intentionally designed to be computationally expensive and memory-hard. They include a configurable cost factor that makes each hash calculation take milliseconds instead of nanoseconds. For example, bcrypt with cost factor 12 might allow only ~5,000 attempts/sec on a high-end GPU — making offline attacks millions of times slower. Always ensure websites use modern slow hashing algorithms for password storage.

Best practices for strong passwords:
1. Use 16+ characters — length is your best defense
2. Generate randomly — use a password manager's generator
3. Mix all character types — but don't rely on predictable substitutions (e.g., "P@ssw0rd" is weak)
4. Use passphrases — 4-6 random unrelated words (e.g., "correct horse battery staple") offer high entropy and memorability
5. Never reuse passwords across accounts — one breach compromises all
6. Avoid personal information — names, birthdays, addresses are easily guessable
7. Use a password manager — it handles generation and storage securely

Yes, reputable password managers (Bitwarden, 1Password, Dashlane, KeePass) are widely considered safe and highly recommended by security experts. They encrypt your password vault with a strong master password (using AES-256 and PBKDF2/Argon2) and zero-knowledge architecture means even the provider cannot access your data. The benefits — unique, complex, randomly generated passwords for every account — far outweigh the minimal risk of a single point of failure. For maximum security, choose an open-source, independently audited password manager and enable 2FA on your vault.

Absolutely. Two-factor authentication adds a second layer of security that makes brute force attacks nearly useless — even if an attacker knows your password, they still need the second factor (TOTP code, hardware key, SMS code, biometric). For online attacks, 2FA is an extremely effective defense. However, 2FA does not protect against offline attacks on stolen password hashes. That's why both strong passwords and proper password hashing are essential. Use hardware security keys (YubiKey, FIDO2/WebAuthn) for the strongest 2FA protection against phishing.