Live Demo — Unit 11: Authentication & Attacks

Brute Force Attack Simulator

Enter a short password, watch it get hashed, then watch a brute force attack crack it in real time. This is why password strength matters.

⚠ Educational simulation only — no real systems are involved
Discussion Points
The Math of Brute Force
A 6-character lowercase password has 26⁶ ≈ 308M combinations. Add digits and it jumps to 36⁶ ≈ 2.1 billion.
Why Hashing?
Passwords should never be stored in plain text. A hash is a one-way fingerprint, but brute force defeats it by hashing every candidate until one matches the stored value.
Salting Hashes
Adding a random "salt" before hashing makes identical passwords produce different hashes, defeating rainbow table attacks.
Real Defense
Length beats complexity. A 16-char passphrase is exponentially harder to crack than an 8-char password with symbols.
Real-World Speed Comparison — MD5 Hashes/Second
[Chart: Attack Speed by Platform, MD5, hashcat benchmarks]
⚠ This demo is ~9,000× slower than your M3 Pro running hashcat, and ~680,000× slower than a single RTX 4090. The concepts are identical — the speed is what changes in the real world.
Crack Time by Charset (8 chars), RTX 4090 · MD5

CHARSET            COMBINATIONS   TIME
a–z only           208B           3 sec
a–z + 0–9          2.8T           41 sec
a–z + A–Z + 0–9    218T           53 min
Full ASCII (95)    6.6Q           27 hrs
Crack Time by Length (a–z + A–Z + 0–9) RTX 4090 · MD5
LENGTH COMBINATIONS TIME
Key Talking Points for classroom discussion & interview
LENGTH > COMPLEXITY
"correct-horse-battery-staple" (28 chars, all lowercase) takes longer to brute force than "P@ssw0rd!" (9 chars, complex). Every extra character multiplies the number of combinations by the size of the charset, so the search space grows exponentially with length.
MD5 IS DEAD
MD5 was designed for speed — 68 billion attempts/second on a single GPU. Modern password storage uses bcrypt, scrypt, or Argon2, which are deliberately slow (~100 hashes/second), making brute force infeasible.
SALTING DEFEATS RAINBOW TABLES
Without a salt, every "password" hashes to the same MD5 string — attackers precompute huge tables. A random salt means "password" + "a8f3k2" produces a unique hash, forcing attackers to brute force each account individually.
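The two talking points above (fast unsalted MD5 versus salted, deliberately slow hashing), as an added Python example that is not part of the original demo. The function names and the scrypt cost parameters are assumptions chosen for illustration; the 68 billion/s and ~100/s rates are the page's own figures.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

MD5_GPU_RATE = 68e9   # page's figure: MD5 guesses/second on one GPU
SLOW_KDF_RATE = 100   # page's figure: ~100 hashes/second for bcrypt/scrypt/Argon2

def md5_unsalted(password: str) -> str:
    """The weak scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash. The scrypt cost parameters are assumed values."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def worst_case_seconds(charset_size: int, length: int, rate: float) -> float:
    """Time to try every candidate of exactly `length` characters at `rate` guesses/s."""
    return charset_size ** length / rate

if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    print(md5_unsalted("password") == md5_unsalted("password"))      # identical stored values
    salt_a, hash_a = hash_password("password")
    salt_b, hash_b = hash_password("password")
    print(hash_a == hash_b)                                          # salts differ, so hashes differ
    print(verify_password("password", salt_a, hash_a))               # correct password
    print(verify_password("passw0rd", salt_a, hash_a))               # wrong password
    print(worst_case_seconds(26, 8, MD5_GPU_RATE))                   # seconds, a-z, 8 chars
    print(worst_case_seconds(26, 8, SLOW_KDF_RATE) / (86400 * 365))  # years, same keyspace
```

The stored record for each account is the pair (salt, digest); the salt is not secret, it only has to be unique per account.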
THE REAL THREAT IS CREDENTIAL STUFFING
Most real attacks don't brute force — they reuse passwords from data breaches. Have I Been Pwned has 12+ billion leaked credentials. Password reuse across sites is how most accounts actually get compromised.
CIA TRIAD CONNECTION
This demo attacks Confidentiality — the C in CIA. A cracked password means unauthorized access to private data. Authentication controls are the primary defense for the Confidentiality pillar.
DEFENSE RECOMMENDATIONS
Use a passphrase (16+ chars). Never reuse passwords. Enable MFA — even if your password is cracked, a second factor stops the attacker. Use a password manager. These are industry-standard controls, not optional extras.