REPLOCK

🔢 Keypad Combination Calculator

See how many codes a keypad lock or PIN pad can hold, and how a code length, a bigger keypad, no-repeat rules, and a lockout each change how long a brute-force attacker would need.

10 for a digits-only keypad; 12 adds ✱ and #.
0 = no lockout.

🔢 Keypad code strength

Possible codes
10,000
Average time to crack
1.4 hours
Worst-case time to crack
2.8 hours
With repeats
104 space

Crack times assume the attacker tries codes at the rate above; on average a code is found halfway through the space. A lockout that pauses after a few wrong tries is the single most effective thing a keypad can do — see how a short wait turns minutes into years. An educational estimate, not a security guarantee.

Length, keys, and the lockout

The size of a keypad’s code space grows exponentially with length: every extra digit multiplies the number of possibilities. But raw size isn’t the whole story. Whether keys can repeat, how many keys the pad has, and — above all — whether the lock imposes a delay after wrong guesses decide how practical a brute-force attack really is.

Try it: a 4-digit code looks weak at 10,000 possibilities, yet add a lockout that waits five minutes after every five wrong tries and the worst-case attack balloons from hours into years. That is why a modest code plus a lockout beats a long code with none.

❓ Frequently Asked Questions

How many combinations does a 4-digit keypad have?

A 4-digit code drawn from 10 keys (0–9) has 10⁴ = 10,000 possible combinations. Add a fifth digit and it jumps to 100,000; each extra digit multiplies the space by ten. A keypad with letters or the ✱ and # keys has even more per position.

What does 'no repeats' change?

If a code can't reuse a key, the count is a permutation instead of a power: the first position has D choices, the next D−1, and so on. A 4-digit no-repeat code from 10 keys has 10×9×8×7 = 5,040 combinations — far fewer than the 10,000 you get when repeats are allowed.

How long would it take to guess a code?

That depends entirely on how fast an attacker can try codes and whether the lock fights back. At one guess per second with no lockout, 10,000 codes take under three hours worst case. But a lockout that pauses for a few minutes after a handful of wrong tries stretches the same attack into years — which is exactly why keypads have them.

Are more digits always better?

Longer codes are exponentially harder to brute-force, but only if they're chosen randomly. A long code that's a birthday or 1234 is weak regardless of length. Combine a reasonable length, avoid obvious patterns, and rely on a lockout to defeat rapid guessing.

Is this a security guarantee?

No. This is an educational estimate of the brute-force search space and time. Real-world attacks may use leaked codes, shoulder-surfing, wear marks on keys, or default codes rather than blind guessing. Change factory codes, avoid patterns, and enable lockout.