Password Strength Checker — What Makes a Password Strong or Weak

A password strength checker estimates how long it would take a cracker to guess your password. The estimate depends on two factors: how many possible passwords exist given your password’s structure (entropy), and what attack method is used.

Most strength meters mislead users by rewarding complexity patterns that crackers handle easily. A password that scores “Very Strong” on a simple meter may crack in seconds against a dictionary+rules attack.

Use the Password Generator to generate passwords that are genuinely strong — not just pattern-complex.

How password strength is measured

Entropy

Entropy is the measure of unpredictability, in bits:

Entropy = log₂(character_space ^ length)

For a 12-character password from a 72-character set:

Entropy = log₂(72¹²) = 12 × log₂(72) ≈ 74 bits

At 100 billion guesses/second (modern GPU cracking rig):

Expected crack time = 2^74 / 10^11 ≈ 189 million years

Higher entropy = more possible passwords = longer to brute-force.

The entropy scale

Context matters: 60 bits is “strong” against brute force but may crack instantly against a leaked-hash dictionary. 80 bits is strong in all realistic scenarios.

What strength meters measure (and get wrong)

Most strength meters check character classes and length:

• Has a lowercase letter? +1
• Has an uppercase letter? +1
• Has a digit? +1
• Has a symbol? +1
• 8+ chars? +1

This scoring rewards Password1! (dictionary word + common substitutions + common suffix) over 7k8mxqp3 (8 random alphanumeric characters). The first is predictable; the second is genuinely random.

Better strength checkers use dictionary pre-filtering: they check if the password (or components of it) appear in wordlists before calculating entropy. Tr0ub4dor&3 would score low because it’s a dictionary word with leet substitutions — a cracking pattern Hashcat knows.

The gold standard tool is zxcvbn (open-source, by Dropbox), which:

1. Checks against a dictionary of 300,000+ words
2. Detects keyboard patterns (qwerty, 12345)
3. Detects date patterns (1990, june2024)
4. Models common substitutions (@ for a, 3 for e)
5. Reports realistic crack times per attack scenario

Real-world password attacks

Understanding attack methods tells you exactly what “strength” means in practice.

Online attacks (rate-limited)

Rate-limited login forms: 10–100 attempts/second at most, often 3–5 before lockout.

Against this: any non-trivial password is safe. Even abc123 is safe if the site locks after 10 failures. The risk here is credential stuffing (using breached passwords from other sites), not brute force.

Offline attacks (hash cracking)

When a database is breached and attackers get password hashes, they crack offline at full GPU speed:

• Consumer GPU: 5–50 billion MD5/SHA1 hashes per second
• Enterprise cracking rig: 300+ billion hashes per second
• Bcrypt/Argon2 (slow hash): 1,000–100,000 per second

Against offline MD5/SHA1: any predictable password cracks quickly. Summer2024! cracks in seconds through rule-based mutations.

Against bcrypt: strength matters much more. 80+ bit entropy passwords are safe even if the hash is compromised.

This is why hashing algorithm matters as much as password strength

A 70-bit entropy password is:

• Against MD5 offline: cracks in ~years on cheap hardware
• Against bcrypt offline: practically uncrackable

Use services that hash with bcrypt, Argon2, or scrypt. Sites that email you your password in plaintext or show it in “forgot password” didn’t hash it — those sites leak your password on breach.

Testing your password’s real strength

Check against breach databases: HaveIBeenPwned has 800+ million breached passwords. Search by hash (privacy-preserving k-anonymity model) to see if your password appears in known breaches.

Use zxcvbn: The Dropbox library gives realistic crack time estimates based on dictionary matching, not just character class counting.

Count entropy yourself:

• Random lowercase only: 4.7 bits/char
• Random lowercase + uppercase: 5.7 bits/char
• Random lowercase + uppercase + digits: 5.95 bits/char
• Random all printable ASCII: 6.57 bits/char

Minimum 12 characters from mixed character set = ~74 bits. Recommended: 16 characters = ~99 bits.

Signs of a genuinely strong password

Strong:

• 16+ characters
• Generated by a cryptographically secure random generator (not typed by a human)
• From a large character set (lowercase + uppercase + digits + symbols)
• Not appearing in any breach database
• Unique (not reused from any other account)

Deceptively weak despite passing basic checkers:

• Th1s!sMySuperS3cureP@ssword — long but based on English phrase with substitutions
• Password123! — dictionary word + common pattern (cracks in seconds)
• Summer@2024 — season + year + symbol (extremely common pattern, explicit cracking rules exist for it)
• CorrectHorseBatteryStaple — famous XKCD passphrase, now in wordlists due to its fame

Generating a strong password

The Password Generator uses crypto.getRandomValues() — cryptographically secure randomness — to generate passwords that are actually unpredictable:

1. Select length (minimum 16, recommended 20+)
2. Include all character types (lowercase, uppercase, digits, symbols)
3. Generate and store in your password manager

Character types available:

• Lowercase (a-z): 26 chars
• Uppercase (A-Z): 26 chars
• Digits (0-9): 10 chars
• Symbols (!@#$%^&*…): 32 chars
• Full printable ASCII: 95 chars

A 16-character password from all 95 printable ASCII characters: ~105 bits entropy. That’s 10^16 years to crack at 100 billion guesses/second.

Related tools

• Password Generator — generate strong random passwords
• How Secure Is My Password — entropy explained in depth
• Passphrase Generator — memorable alternatives to random passwords