What is a Brute Force Attack? (Simplified)

A brute force attack is exactly what it sounds like: an attacker tries every possible password combination until one works. No cleverness, no phishing, no social engineering — just raw computation and time.

The scary part? Modern GPUs can try billions of combinations per second. The reassuring part? The math is on your side — if you use it correctly. And the single most powerful thing you can do is make your password longer. Not more complex. Longer.

Here's why.

How Brute Force Actually Works

An attacker running a brute force attack picks two things: a charset (which characters to include in guesses) and a maximum length (how many characters to try). Then they systematically generate and test every combination.

Tools like Hashcat or John the Ripper automate this against stolen password hashes. On a single RTX 4090, you're looking at 164 billion MD5 guesses per second. That's not a typo.

The math that governs the attacker's workload is simple:

combinations = charset_size ^ length

Charset size of 26 (lowercase a–z), length 6? That's 26⁶ = ~309 million combinations. Sounds like a lot. It isn't — it's cracked in under 2 milliseconds against MD5. This is why a 6-digit code is the bare minimum for local device security. If you need a secure numeric key, use our PIN Generator to avoid predictable patterns.

In cryptographic terms, this search space is measured in bits of entropy — each additional bit doubles the work an attacker must perform. That's the same metric used across our security guides to compare passwords, passphrases, and PINs on equal footing.

The key insight: length is in the exponent. Complexity (charset size) is only the base. Exponential growth destroys linear growth every time.

The Math: Length vs. Complexity

Let's make this concrete. Here's what each step of "complexity advice" actually buys you vs. what adding a few characters does:

Going from 8-char lowercase to 8-char full ASCII multiplies the search space by about 32,000×. That's the entire effect of "add an uppercase, a number, and a symbol."

Going from 8 characters to 12 characters — just adding length, keeping full ASCII — multiplies the search space by about 80 million×.

Length wins. It's not close.

That said, charset diversity still matters. An 8-character lowercase-only password is cracked in about 1.3 seconds against MD5. An 8-character full-ASCII password takes ~11 hours. Both are inadequate for anything that matters, but the difference is real. You need both — length is just the bigger lever.

Why "P@ssw0rd!" Still Gets Cracked Instantly

The math above assumes a pure brute force attack — trying every combination from aaaaaaaa upward. Real attackers don't start there.

They start with dictionary attacks: pre-built lists of billions of known passwords from previous breaches, combined with automated substitution rules. The RockYou2024 breach dataset alone contains over 10 billion real-world passwords. Hashcat can apply leet-speak rules (e→3, a→@, s→$, o→0) across the entire list in seconds.

P@ssw0rd! — the one you thought was clever — has been in every serious wordlist for years. Tr0ub4dor&3 (the XKCD-famous example) is in there too. Any pattern a human brain finds memorable, attackers have already catalogued.

Dictionary attacks are orders of magnitude faster than pure brute force. Against MD5, a modern GPU can apply 100+ billion modified dictionary guesses per second.

The only real defense is true randomness. Not randomness you invented in your head — randomness from a CSPRNG (cryptographically secure pseudorandom number generator). Our Password Generator — runs 100% in your browser, zero data sent to any server — uses the Web Crypto API's crypto.getRandomValues() directly. That's the same entropy source your OS uses for cryptographic keys. You can't do better than that by hand.

Online vs. Offline: Two Very Different Threat Models

Brute force attacks don't always happen the same way. There are two distinct scenarios with completely different risk profiles:

Online attacks are mostly a solved problem. Real services rate-limit login attempts, lock accounts after failures, and add CAPTCHA. At 10 guesses/second, even a weak password takes a very long time to crack through a login form.

Offline attacks are the real threat. When a service gets breached and their password database leaks, attackers take those hashes home and run Hashcat locally. No rate limits. No lockouts. Just a GPU and time.

This is the scenario all the crack time benchmarks you'll see online are modeling. And it's why your password needs to hold up against billions of guesses per second — because after a breach, it will face exactly that.

You don't get to know which sites store passwords securely. Some use bcrypt. Some are still on MD5 from a 2009 codebase. Your defense is making your password long enough that even worst-case storage buys you enough time for the breach to become public and for you to rotate.

What Length Should You Actually Use?

The answer depends on the threat level. Here's the practical breakdown:

Twelve characters is the new floor. Eight was fine in 2010. It's not fine now.

If you're wondering where your current passwords stand, our Password Strength Checker does the entropy math for you — it shows estimated crack time at GPU speeds, entropy in bits, and a strength rating. It runs entirely in your browser; nothing you type is sent anywhere.

🛡️ Brute Force Defense Checklist — Complete This Step

Don't guess whether your password holds up — know for certain.

• → Check your password's entropy against offline GPU benchmarks — real crack-time estimates, 100% client-side
• → Generate a 16+ character password using Web Crypto API randomness — the same entropy source your OS uses for cryptographic keys
• → Create a secure numeric PIN for device access — cryptographically random, not your birthday or a sequence

The Practical Takeaway

A brute force attack is a solved problem for long, random passwords. The math is merciless in your favor once you cross the right length threshold.

The three rules the data supports:

1. Use 12+ characters, minimum. 16 is better. For high-value accounts, 20+.
2. Use full charset diversity. Lowercase + uppercase + numbers + symbols. The multiplier is real, even if it's smaller than length.
3. Use true randomness, not patterns. Dictionary attacks make human-invented "complexity" worthless. A CSPRNG-generated password eliminates this attack vector entirely.

The fastest path there: use our Password Generator. Set the length to 16+, enable all character types, and you're generating passwords that a brute force attack would need millions of years to crack — even assuming a future GPU 1,000× faster than today's hardware.

The attacker's compute budget is finite. Your password's search space, properly constructed, is not.

Frequently Asked Questions

What is the formula for brute force combinations?

The number of possible combinations is charset_size ^ length. An 8-character lowercase password has 26⁸ ≈ 209 billion combinations. In cryptographic terms this is expressed as bits of entropy: log₂(combinations). Each additional bit doubles the attacker's required work — which is why length, sitting in the exponent, dominates everything else.

Why is password length more important than complexity?

Complexity (charset size) is the base; length is the exponent. Going from 8-char full-ASCII to 12-char full-ASCII multiplies the search space by ~80 million. Going from lowercase-only to full-ASCII at the same length multiplies it by ~32,000. Exponents beat multipliers every time. Use both, but prioritize length.

How fast can a GPU crack a password in 2026?

A single RTX 4090 hits ~164 billion MD5 guesses per second. Against bcrypt (cost 10) the same card manages ~184,000 guesses per second — a 1,000,000× difference. You don't control which algorithm the site uses. Your only lever is making the search space large enough that even worst-case storage (MD5) takes longer than the breach becomes public knowledge.