Brute Force Attack

Brute Force Attack is the most widely known password cracking method. This attack simply tries every possible character combination as a password. To recover a one-character password it is enough to try 26 combinations (‘a’ to ‘z’). It is guaranteed that you will find the password... but when? How long will it take? A two-character password will require 26*26=676 combinations. The number of possible combinations (and therefore the required time) grows rapidly as the length of the password increases, and this method quickly becomes useless. Are you ready to wait two months while your 9-character password is cracked? What about one hundred years for an 11-character password?

Besides the maximum length of the password, you should also specify the character set, i.e. the list of characters that will be included in the combinations. The longer the character set is, the longer the required time. Here is the problem: usually you have no idea what characters are present in the password. On the one hand, you should specify all possible characters. On the other hand, this can slow things down very much. Unfortunately, there is no common way to determine what character set to use. It is more a question of luck and intuition. The only thing I can recommend is to begin by trying short passwords using the full character set. Then you can increase the length of the password while decreasing the character set to keep the required time acceptable.

If the password is case sensitive (this is the most common situation), there is another problem with the case.

There are three options:

1) You can assume that the password was typed in lower case (this is most likely). In this case, the required time will stay the same, but if the password contains upper case letters it will not be recovered.

2) You can try all combinations. The password is guaranteed to be found, but the process slows down significantly. A 7-character lower case password requires about 4 hours to be recovered, but if you would like to try all combinations of upper case and lower case letters, it will require 23 days.

3) The third method is a trade-off. Only the most probable combinations are taken into consideration, for example “password”, “PASSWORD” and “Password”. Complicated combinations like “pAssWOrD” are not. In this particular case the process slows down to one third of the original speed, but it can still fail.

You can reduce the amount of time required by using faster computers (only the CPU speed is important; the amount of RAM, the performance of the hard drive and other hardware don’t affect the brute force speed), using several computers, choosing the fastest password crackers, or tuning the brute force parameters wisely and accurately.

You can use our Password Calculator software to estimate the time required for Brute Force Attack.

The table below shows the time required for Brute Force Attack depending on the password length and used character set. It is assumed that the attack is carried out on a single computer and the brute force speed is 500 000 passwords per second.


                Character set
Length of the   lowercase   lowercase letters   both lowercase and   all printable
password        letters     and digits          uppercase letters    ASCII characters
<= 4            instant     instant             instant              2 min
5               instant     2 min               12 min               4 hours
6               10 min      72 min              10 hours             18 days
7               4 hours     43 hours            23 days              4 years
8               4 days      65 days             3 years              463 years
9               4 months    6 years             178 years            44530 years
10              You should have bought a password manager! 🙂

Bear in mind that the time shown above is the worst possible time. Brute Force Attack tries all password combinations and you don’t know which one of them is correct. If you’re lucky enough, the first combination will succeed. If not, the correct combination will be tried last.

If you are not afraid of formulas: the required time is equal to (C^L) / S / N, where C is the length of the character set, L is the length of the password, S is the number of passwords checked per second, and N is the number of computers used in password recovery.
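The formula above as a small calculator, added here as an illustration and not code from LastBit's Password Calculator. The function names, the 365-day year and the 95-character count for printable ASCII are assumptions. It goes slightly beyond the formula by also summing all shorter lengths and by solving for the shortest length that holds for a target time.

```python
# Added example: worst-case brute-force time from the page's formula (C^L)/S/N.
YEAR = 365 * 86400  # assumption: 365-day year

# Character-set sizes for the table's columns; 95 printable ASCII characters
# (space included) is an assumption about what the last column counts.
CHARSETS = {"lowercase": 26, "lowercase+digits": 36,
            "mixed-case": 52, "printable-ascii": 95}


def worst_case_seconds(charset_size, length, speed=500_000, computers=1):
    """(C^L) / S / N for passwords of exactly `length` characters."""
    return charset_size ** length / speed / computers


def cumulative_seconds(charset_size, max_length, speed=500_000, computers=1):
    """Worst case when every length from 1 up to max_length is tried in turn."""
    total = sum(charset_size ** n for n in range(1, max_length + 1))
    return total / speed / computers


def min_length_to_resist(charset_size, target_seconds, speed=500_000, computers=1):
    """Shortest password length whose worst-case time reaches target_seconds."""
    length = 1
    while worst_case_seconds(charset_size, length, speed, computers) < target_seconds:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        row = [humanize(worst_case_seconds(size, n)) for n in (6, 7, 8)]
        print(f"{name:18} {row}")
    # Policy question a defender asks: how long must a password be to hold
    # for 100 years against 1000 machines at the table's speed?
    for name, size in CHARSETS.items():
        print(name, min_length_to_resist(size, 100 * YEAR, computers=1000))
```

Because the time is divided by N, adding a thousand machines only costs the defender about two extra lowercase characters, which is why length matters more than hardware.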

Important Note: our software is highly optimized and most of it works faster than our competitors’ software. Nevertheless, the amount of time required grows rapidly as the length of the password increases, and that renders Brute Force Attack useless for recovering long passwords. This is the fundamental problem. Our competitors’ software is not able to recover long passwords either. Fortunately, in many cases more efficient recovery methods, such as Guaranteed Recovery, can be applied.


Time Required: Very little in case of short passwords and an absolutely unacceptable amount in case of long passwords
What is Recovered: Original password
Guaranteed result? Yes (if the password satisfies the requirements and the required time is acceptable)
Requisites/Limitations: The area of application is limited by the amount of time required.
Passwords that can be recovered: Any password
Pros: Versatility; guaranteed result
Cons: Much time required, along with certain experience and understanding of the process
International/Localization issues: If the password contains non-Latin characters, custom character sets (with these characters included) are required to recover it.
Supported by the following LastBit software: Word Password, Excel Password, Zip Password, VBA Password, OneNote Password, PowerPoint Password, WinPassword, PwlTool
Further reading: Password Calculator

Learn more about password recovery methods here

