Logo

MonoCalc

/

Hash Cracking Simulator

Encode/Decode

Live Hash Generator

MD5

Deprecated

SHA-1

Deprecated

SHA-256

Adequate

SHA-512

Recommended

Attack Configuration

Dictionary Options

Built-in wordlist: 20 common passwords included automatically.

Results

Idle

Attempts

0

Elapsed

0.0s

Attempts/sec

0

About This Tool

Understanding Hash Cracking: How Attackers Reverse Password Hashes

When websites store passwords, they rarely save the raw text. Instead, they run the password through a cryptographic hash function — a one-way mathematical operation that transforms any input into a fixed-length string of hexadecimal characters. For example, password123 becomes 482c811da5d5b4bc6d497ffa98491e38 under MD5. Hash cracking is the process of working backwards from that digest to find the original plaintext — something hash functions are explicitly designed to make difficult.

This simulator demonstrates the three principal attack strategies used by security researchers and adversaries alike: dictionary attacks, brute-force enumeration, and rainbow table lookups. All computation runs entirely in your browser — no data leaves your machine.

Dictionary Attacks

The fastest and most effective method against real-world passwords is the dictionary attack. Attackers compile wordlists containing millions of common passwords, phrases, keyboard patterns, and leaked credentials from previous breaches. For every candidate in the list, the tool hashes it and compares the result to the target hash. Because most users choose predictable passwords, dictionary attacks succeed surprisingly often.

Modern wordlists like rockyou.txt contain over 14 million entries. Advanced tools apply rule-based mutations — capitalising the first letter, appending numbers, substituting @ for a — multiplying the effective size of the list without requiring more storage. This simulator lets you test a built-in top-20 list or paste your own wordlist to see the concept in action.

Brute-Force Enumeration

When a wordlist fails, attackers fall back to brute-force: systematically generating every possible string within a given character set and length. A six-character lowercase password has 26⁶ ≈ 308 million possibilities. Adding uppercase letters and digits raises that to 62⁶ ≈ 56 billion. With a modern GPU capable of computing billions of MD5 hashes per second, six-character passwords fall in seconds; eight-character passwords with full character sets can still be cracked within hours on a powerful rig.

In this browser-based simulator, speed is intentionally limited because JavaScript is single-threaded and lacks GPU access. The purpose is conceptual: to show how the search space grows exponentially with each additional character and how quickly simple passwords are exhausted.

Longer passwords resist brute-force
Every extra character in a password multiplies the brute-force search space by the size of the character set. A 12-character random password from a full set is effectively immune to brute-force with current hardware — even nation-state resources would take centuries.

Rainbow Table Lookups

A rainbow table is a precomputed data structure mapping hash values back to their original plaintexts. Construction is expensive — billions of hashes must be computed and stored — but lookups are essentially instantaneous (O(1)). This makes rainbow tables devastating against weak, unsalted hashes: given a leaked MD5 digest, an attacker can identify the plaintext in milliseconds using a pre-built table.

The rainbow table demo in this tool uses a small built-in set of common MD5 and SHA-1 mappings. You can also upload a CSV file with hash,plaintext columns to simulate a custom table lookup.

Salting: The Defender's Countermeasure

The primary defense against both dictionary attacks and rainbow table lookups is a cryptographic salt — a unique, random value concatenated with the password before hashing. Because every user gets a different salt, two users with the same password produce completely different hashes. Pre-built rainbow tables become useless, and attackers must restart their dictionary or brute-force effort for each individual hash.

Modern password-hashing algorithms — bcrypt, Argon2, and scrypt — build salting in automatically and also apply a work factor: deliberately slowing down the hash computation to make mass cracking impractical. This tool's salt field lets you see firsthand how even a short salt completely changes the hash output, breaking any precomputed lookup.

Algorithm Security

Not all hash algorithms offer the same protection. MD5 and SHA-1 were designed for speed and data integrity, not password storage. Their speed — billions of hashes per second on a GPU — makes them poor choices for passwords. SHA-256 and SHA-512 are cryptographically stronger but still fast enough to be vulnerable without proper salting and stretching. Purpose-built password hashing functions like bcrypt, Argon2, and scrypt remain the recommended approach for any production system.

Use this simulator to explore these concepts safely, understand the importance of strong hashing practices, and appreciate why password length, randomness, and proper storage algorithms are the real keys to security.

Frequently Asked Questions

Is the Hash Cracking Simulator free?

Yes, Hash Cracking Simulator is totally free :)

Can I use the Hash Cracking Simulator offline?

Yes, you can install the webapp as PWA.

Is it safe to use Hash Cracking Simulator?

Yes, any data related to Hash Cracking Simulator only stored in your browser (if storage required). You can simply clear browser cache to clear all the stored data. We do not store any data on server.

How does the Hash Cracking Simulator work?

The simulator accepts a target hash and attempts to reverse-engineer the original plaintext using one of three attack modes: dictionary attack (tests words from a built-in or custom wordlist), brute-force enumeration (systematically generates all possible strings up to a given length), or rainbow table demo (performs an O(1) lookup in a precomputed hash-to-plaintext CSV). All computation runs entirely in your browser — no data is ever sent to a server.

Which hash algorithms are supported?

The tool supports MD5 (32-char hex), SHA-1 (40-char hex), SHA-256 (64-char hex), and SHA-512 (128-char hex). SHA-256 and SHA-512 use the native Web Crypto API for maximum speed; MD5 and SHA-1 use a lightweight JavaScript implementation. The algorithm security level is shown with a colour-coded badge.

Why is brute-force so slow compared to real cracking tools?

This tool runs in a browser using JavaScript, which is single-threaded and much slower than GPU-based offline crackers (which can test billions of hashes per second). The simulator is intentionally throttled to illustrate the concept; real crackers like Hashcat or John the Ripper leverage GPU parallelism. Use the throttle slider to adjust the simulation speed.

What is a rainbow table and why is it effective?

A rainbow table is a precomputed dictionary mapping hash values to their original plaintexts. Looking up a hash is O(1) — instant regardless of password complexity. Rainbow tables make unsalted weak passwords trivially crackable. Adding a unique salt defeats rainbow tables because the attacker would need a separate table for every possible salt value.

How does salting protect against these attacks?

A salt is a random string appended or prepended to the password before hashing. Even if two users have the same password, their hashes differ because their salts differ. This makes both rainbow table lookups and dictionary attacks much harder, since the attacker must recompute hashes for every possible salt. This tool lets you add a salt to observe the effect firsthand.

Is it safe to enter real passwords or hashes here?

All computation happens locally in your browser using Web Crypto API and pure-JS implementations — nothing is transmitted to any server. That said, as a best practice, use test or dummy passwords rather than real production credentials in any web tool.