Brute Force Demo

See why short numeric codes don't keep anyone out.

Educational use only. This demonstrates why short numeric codes are unsafe. Don't use it — or the ideas behind it — to attack accounts, devices, or systems you don't own.

1. The target

Pick a secret PIN. We'll try to guess it.

Length
10⁴ = 10,000 combos

Type a PIN above, then click Set as target.

2. The attack

An attacker tries every combination, in order. Watch how fast.


3. The lesson

What this demo actually tells us.

Short PINs fall instantly

A 4-digit PIN has only 10,000 combinations. A modern CPU can try millions per second — so unprotected, it falls in milliseconds. The demo is throttled so you can watch.

📈 Every extra digit ≈ 10×

Adding 2 digits multiplies the search space by 100× (10²). Going from 4 to 6 digits takes 10,000 → 1,000,000. Going from 4 to 8 makes it 10,000× harder.

🛡️ Rate-limiting is the real defense

Banks lock your card after 3 wrong PINs. Phones add delays after each wrong attempt. The PIN isn't strong — the system around it is. Without that throttle, every short PIN is broken.
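The throttle described above, as an added example that is not the demo's own code: a PIN verifier with a 3-strike lock and a capped, doubling delay, driven by an in-order guesser on a simulated clock. The class and function names, the 1-second base delay, the 30-second cap and the sample PINs are assumptions chosen for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class ThrottledPinVerifier:
    """Hypothetical verifier: N-strike lock plus a capped, doubling delay."""
    pin: str
    max_failures: Optional[int] = 3   # assumed: hard lock after 3 wrong PINs
    base_delay: float = 1.0           # assumed: seconds of delay after the first wrong PIN
    max_delay: float = 30.0           # assumed: cap on the doubling delay
    failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0         # earliest time the next attempt is accepted

    def attempt(self, guess: str, now: float) -> str:
        """Return 'ok', 'wrong', 'wait' or 'locked'; `now` is caller-supplied seconds."""
        if self.locked:
            return "locked"
        if now < self.next_allowed:
            return "wait"             # too early: rejected without checking the guess
        if hmac.compare_digest(guess, self.pin):    # constant-time comparison
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        doubling = 2 ** min(self.failures - 1, 32)  # bounded exponent avoids overflow
        self.next_allowed = now + min(self.base_delay * doubling, self.max_delay)
        return "wrong"

def sequential_guess(verifier: ThrottledPinVerifier, digits: int = 4):
    """Try 0000, 0001, ... on a simulated clock; return (outcome, attempts, seconds)."""
    now, attempts = 0.0, 0
    for n in range(10 ** digits):
        now = max(now, verifier.next_allowed)       # the guesser waits out each delay
        attempts += 1
        outcome = verifier.attempt(f"{n:0{digits}d}", now)
        if outcome in ("ok", "locked"):
            return outcome, attempts, now
    return "exhausted", attempts, now

# Constructed sample PINs, not taken from the page.
LOCKOUT_RUN = sequential_guess(ThrottledPinVerifier(pin="4831"))
DELAY_ONLY_RUN = sequential_guess(ThrottledPinVerifier(pin="9999", max_failures=None))
```

With the 3-strike lock the guesser is stopped after covering 3 of the 10,000 combinations. With the delay alone, reaching the last PIN takes about 3.5 simulated days instead of milliseconds.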

🔡 Letters & symbols win

An 8-character lowercase password (26⁸ ≈ 209 billion) crushes any 8-digit PIN (10⁸ = 100 million) by a factor of 2,000. Mix in case + symbols and the gap widens to the trillions.

Compare with passwords — offline crack times

Rough at-rest cracking time, assuming an offline attacker at 10 billion guesses/second (a single modern GPU on a fast hash like MD5/SHA-1). Slower hashes like bcrypt are vastly stronger.

| Secret type | Combinations | Offline time |
|---|---|---|
| 4 digits | 10,000 | < 1 µs |
| 6 digits | 1,000,000 | < 1 ms |
| 8 digits | 100,000,000 | 10 ms |
| 8 letters (lowercase) | ~2.1 × 10¹¹ | ~21 seconds |
| 10 letters (mixed case) | ~1.4 × 10¹⁷ | ~5 months |
| 12 chars (letters + digits + symbols) | ~9.5 × 10²³ | ~3 million years |

Disclaimer: Numbers are order-of-magnitude estimates against fast unsalted hashes. Real-world attacks on properly-hashed (bcrypt, Argon2) passwords are millions of times slower; weak/reused passwords get cracked faster via leaked-credential lookup, not raw brute force.
