
Brute-force & rate-limit calculator

Enter a rate-limit policy to see how long an attacker takes to brute-force common credential types — and how much your policy slows them down versus no protection at all.

Models online login attacks only. Offline attacks bypass rate limiting entirely — that's why password hashing algorithms (bcrypt, Argon2) and long passwords matter independently.


How this tool works

Without lockout, the attacker sends requests at the allowed rate continuously. With lockout, they make N attempts (which take negligible time), wait out the lockout, and repeat, so the effective rate is N ÷ lockout_minutes guesses per minute. Expected crack time is half the credential space divided by that rate: if the credential is uniformly random and the attacker works through the space in any fixed order, the correct value is found on average halfway through. Exhausting the whole space (the worst case for the attacker) takes twice as long. The model assumes a single target account, a fixed credential, and no CAPTCHA or other friction beyond the lockout.

Rate limiting is highly effective against online attacks but provides zero protection against offline attacks on stolen hashes. Use both: rate limiting for the login endpoint, and a slow hashing algorithm (bcrypt, Argon2) for the stored password.

About this tool

Enter a rate limit (max attempts before lockout, lockout duration) and this tool shows the effective attack rate an adversary faces, plus the expected time to crack a 4-digit PIN, 6-digit OTP, or longer password under those constraints. Compare your current policy against no protection and against recommended best-practice settings.

Frequently asked questions

How is the effective attack rate calculated?

With a lockout policy, an attacker can make N attempts, wait out the lockout period, then try N more. The effective rate is N ÷ lockout_duration attempts per minute. Without any lockout, the raw rate (attempts per minute) applies directly.

Why does cracking a 4-digit PIN take such a long time with lockout?

Without lockout, exhausting all 10,000 PINs at 600 attempts/minute takes about 17 minutes, and the expected time to hit the right one is half that, about 8 minutes. With lockout at 5 attempts per 15 minutes, the effective rate drops to 0.33 attempts/minute: exhausting the same PIN space takes 30,000 minutes, or 500 hours (about 21 days), and the expected time is 250 hours (about 10 days). Either way the policy slows the online attack by a factor of 1,800. Rate limiting is extremely effective against online attacks.
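The calculation described in "How this tool works" and in the two answers above, written out as a small Python module so the figures can be reproduced for any policy. This is an added example, not the page's own calculator code; the policy names, the 600 attempts/minute raw rate and the 8-character lowercase password space are assumptions chosen to match the page's worked numbers, and, like the page, it treats every credential (including a 6-digit OTP) as a fixed secret for the duration of the attack.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLimitPolicy:
    """Lockout policy as the calculator defines it: after max_attempts failures the
    account is locked for lockout_minutes. lockout_minutes == 0 means no lockout, and
    the attacker simply runs at raw_rate_per_minute (whatever the endpoint will serve).
    The 600/min default is an assumption matching the page's example."""
    max_attempts: int
    lockout_minutes: float
    raw_rate_per_minute: float = 600.0

    def effective_rate(self) -> float:
        """Guesses per minute the attacker actually gets: N / lockout_minutes."""
        if self.lockout_minutes <= 0:
            return self.raw_rate_per_minute
        return self.max_attempts / self.lockout_minutes


# Credential spaces; the PIN and OTP sizes are the page's, the password one is assumed
CREDENTIAL_SPACES = {
    "4-digit PIN": 10 ** 4,
    "6-digit OTP": 10 ** 6,
    "8-char lowercase password": 26 ** 8,
}

NO_PROTECTION = RateLimitPolicy(max_attempts=0, lockout_minutes=0)
PAGE_EXAMPLE = RateLimitPolicy(max_attempts=5, lockout_minutes=15)  # 5 tries / 15 min


def worst_case_minutes(space: int, policy: RateLimitPolicy) -> float:
    """Time to exhaust the whole credential space."""
    return space / policy.effective_rate()


def expected_crack_minutes(space: int, policy: RateLimitPolicy) -> float:
    """Expected (50%) time: the right value is found, on average, halfway through."""
    return worst_case_minutes(space, policy) / 2


def slowdown_factor(policy: RateLimitPolicy,
                    baseline: RateLimitPolicy = NO_PROTECTION) -> float:
    """How many times longer the attack takes under `policy` than under `baseline`."""
    return baseline.effective_rate() / policy.effective_rate()


def human(minutes: float) -> str:
    """Render a duration in minutes using the largest sensible unit."""
    if minutes < 60:
        return f"{minutes:.1f} min"
    hours = minutes / 60
    if hours < 48:
        return f"{hours:.1f} h"
    days = hours / 24
    if days < 365:
        return f"{days:.1f} days"
    return f"{days / 365:.1f} years"


if __name__ == "__main__":
    # Reproduces the page's comparison table for each credential type
    for name, space in CREDENTIAL_SPACES.items():
        print(f"{name} ({space:,} possibilities)")
        for label, pol in (("no protection", NO_PROTECTION), ("5 per 15 min", PAGE_EXAMPLE)):
            print(f"  {label:14} rate {pol.effective_rate():8.2f}/min  "
                  f"expected {human(expected_crack_minutes(space, pol)):>12}  "
                  f"worst {human(worst_case_minutes(space, pol)):>12}")
        print(f"  slowdown vs no protection: x{slowdown_factor(PAGE_EXAMPLE):,.0f}")
```

Running the module prints both the expected and the worst-case figures, which is the distinction that is easy to lose when quoting a single "time to crack" number: for the 4-digit PIN under the 5-per-15-minute policy it gives 10.4 days expected and 20.8 days worst case, and a slowdown of 1,800 against the unprotected endpoint.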

Does this apply to offline attacks too?

No. Once an attacker has the hashed password file offline, rate limiting provides zero protection. Offline crack speeds are determined by the hashing algorithm and hardware. This tool models online login attacks only — the scenario where rate limiting matters.

What is a good rate-limit policy?

A common recommendation is to lock an account after 5–10 failed attempts, with a fixed or progressive (doubling) lockout of 15–30 minutes. CAPTCHA after 3 failures can slow automated attacks without a full lockout. Two caveats apply: a per-account lockout lets anyone who knows a username lock the legitimate user out, so keep lockouts temporary and combine them with per-source (IP or device) limits; and it does nothing against password spraying, where the attacker tries one or two common passwords against many accounts and never trips any single account's counter. The best defence combines rate limiting with multi-factor authentication.
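An enforcement-side view of the policy above: a per-account lockout with optional progressive (doubling) back-off, plus a simulation that measures how many guesses per day it lets through, which is the page's "effective attack rate" observed empirically rather than computed. This is an added example, not the page's code; the class and function names, the 24-hour horizon, the "victim" account name and the injectable clock are assumptions for the demonstration, and CAPTCHA is not modelled.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account lockout: after max_failures consecutive failed logins the account
    is locked for lockout_minutes. With progressive=True each further lockout doubles
    (15, 30, 60 ... minutes). The clock is injectable (seconds) so the policy can be
    simulated deterministically; time.time is the production default."""

    def __init__(self, max_failures=5, lockout_minutes=15.0, progressive=False,
                 clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_minutes * 60
        self.progressive = progressive
        self.clock = clock
        self._failures = defaultdict(int)   # consecutive failures per account
        self._lockouts = defaultdict(int)   # lockouts so far, drives the back-off
        self._locked_until = {}             # account -> timestamp the lock expires

    def is_locked(self, account):
        """True while the account's lockout has not yet expired."""
        return self.clock() < self._locked_until.get(account, 0.0)

    def locked_for(self, account):
        """Seconds of lockout remaining (0 when not locked)."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account):
        """Count a failed attempt; start the lockout when the limit is reached.
        Returns True if this failure triggered a lockout."""
        if self.is_locked(account):
            return False  # attempts during a lockout are rejected, not counted
        self._failures[account] += 1
        if self._failures[account] < self.max_failures:
            return False
        self._lockouts[account] += 1
        multiplier = 2 ** (self._lockouts[account] - 1) if self.progressive else 1
        self._locked_until[account] = self.clock() + self.lockout_seconds * multiplier
        self._failures[account] = 0
        return True

    def record_success(self, account):
        """A successful login resets all of the account's counters."""
        self._failures.pop(account, None)
        self._lockouts.pop(account, None)
        self._locked_until.pop(account, None)


class FakeClock:
    """Controllable clock (seconds) for simulations and tests."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def guesses_per_day(max_failures, lockout_minutes, progressive):
    """Simulate an attacker hammering one account for 24 hours and return how many
    wrong guesses the policy let through. The attacker never gets the password right,
    waits out every lockout and resumes the instant it expires."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures, lockout_minutes, progressive, clock=clock)
    horizon = 24 * 3600
    guesses = 0
    while clock() < horizon:
        if throttle.is_locked("victim"):
            clock.advance(throttle.locked_for("victim"))  # wait out the lockout
            continue
        guesses += 1
        throttle.record_failure("victim")
    return guesses


if __name__ == "__main__":
    for label, policy in (("fixed 5 per 15 min", (5, 15, False)),
                          ("progressive 5 per 15 min, doubling", (5, 15, True))):
        print(f"{label}: {guesses_per_day(*policy)} guesses in 24 h")
```

The fixed policy lets through 480 guesses a day, exactly the 5 ÷ 15 = 0.33 guesses/minute the calculator predicts; the doubling variant lets through only 35, because by the seventh lockout the wait is already 16 hours. The counters here live in process memory, so a real deployment would keep them in shared storage and, for the reasons noted above, would also limit by source address rather than by account alone.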
