How fast could a GPU cluster break your password?
PasswordLab simulates real-world password cracking using actual entropy math and industry hash-rate benchmarks — dictionary attacks, mask attacks, brute force and rainbow tables — against MD5, SHA-256, bcrypt, Argon2 and more. Built for learners, red teamers, and SOC analysts who need to understand attacker math, not just theory.
Most people think "P@ssw0rd123!" is strong because it has a symbol and a number. It isn't. This lab shows the real math attackers use — entropy, keyspace, and hash-rate — so the danger becomes visible instead of theoretical. Everything here runs 100% client-side. Nothing you type is ever sent anywhere.
Beginner — single GPU, teaches the basics.
Advanced — 8-GPU rig, dictionary + mask attacks.
Enterprise — 64-GPU cloud cluster, full keyspace brute force.
SOC Mode — flips perspective: watch the SIEM detect and alert on the attack in real time.
Entropy is estimated using charset-based Shannon approximation: length × log2(charset size). Dictionary-based or pattern-based passwords are flagged separately since real attackers guess these first, regardless of raw entropy.
| Algorithm | Single GPU | 8-GPU Rig | 64-GPU Cloud |
|---|
Note: this table assumes the password isn't already leaked. Check the Leak Check tab — leaked passwords are cracked in under a second regardless of entropy, since attackers try known-breached passwords before brute force.
1 GPU
8-GPU Rig
64-GPU Cloud
Blue Team
All hashing and math is simulated client-side using published hardware benchmark figures — no real hashes are computed or transmitted.
Checked against a bundled offline list of the most common breached and predictable passwords (patterns, keyboard walks, top leaked passwords worldwide). For a live check against the full HaveIBeenPwned Pwned Passwords database (~900M+ entries via k-anonymity range API), wire up the optional HIBP integration in config.js — disabled by default so this page stays 100% offline and privacy-safe.