How Hackers Crack Passwords
An interactive simulation showing dictionary attacks and brute-force in action — using real GPU benchmark speeds. Educational only. Nothing is actually cracked.
Dictionary Attack
Tries known words, common passwords, and leaked credential lists — billions of entries. Most accounts get cracked this way.
Brute-Force Attack
Tries every possible combination of characters. Always succeeds eventually — the question is how long it takes.
Modern GPU Speed
A consumer RTX 4090 tests ~200 billion MD5 hashes/second. An 8-character password takes seconds.
Choose an Attack to Simulate
Pick a preset (these are genuinely in the wordlist) or type your own. Your password is only checked against the local wordlist in this demo — for a real breach check against 847 million leaked passwords, use the Password Analyzer.
Not Found in This Simulation
- ✓ This demo uses a fixed wordlist of ~100 common passwords and mutations. If your password isn't in that list, it won't be found here.
- ⚠ Real attackers use lists of 10+ billion leaked passwords from actual data breaches.
- ⚠ Real brute-force runs on GPUs doing 200 billion guesses/second — not a browser tab.
- ✕ Surviving this demo does not mean your password is strong — use the full analyzer below for an honest score.
Real-World Cracking Speeds
How fast a consumer RTX 4090 GPU cracks common hash algorithms.
| Hash Type | Speed (RTX 4090) | Used for | 8-char crack time |
|---|---|---|---|
| MD5 | 164 billion/sec | Old websites, legacy DBs | < 1 second |
| SHA-1 | 53 billion/sec | Old apps, certificates | < 1 second |
| SHA-256 | 21 billion/sec | Many web apps | ~1 second |
| NTLM | 290 billion/sec | Windows Active Directory | < 1 second |
| bcrypt | 184 thousand/sec | Modern web apps (correct) | ~10 years |
| Argon2id | ~6 thousand/sec | Best practice today | Centuries |
Source: Hashcat benchmarks on RTX 4090, 2024. Speeds assume offline attack with access to the hash file.
How to Defend Against This
01 Use long, random passwords
Using 16+ random characters makes brute-force impractical even with GPU clusters. Use a password manager to generate and store them.
02 Never reuse passwords
Dictionary attacks use leaked credential databases. If you reuse passwords, one breached site hands attackers access to everything.
03 Enable 2FA everywhere
Even if your password is cracked, 2FA stops the attacker. Use an authenticator app (not SMS) for the highest protection.
04 Developers: use bcrypt or Argon2
Never store passwords in plain text or as MD5/SHA hashes. Use slow, salted hashing algorithms that make GPU attacks economically infeasible.