💪 Password Strength Meter

Last updated: May 28, 2026

Entropy-based analysis · Time-to-crack estimate · 100% local, zero data sent

Your password never leaves this page. Analysis runs entirely in your browser.

What Password Strength Meters Actually Measure — and Why Most of Them Lie to You

You've seen them everywhere: the little colored bar that turns green when you add a capital letter and an exclamation mark. Congratulations, your password is strong! But is "Summer2024!" actually strong? Any competent attacker will crack it in under four hours on consumer hardware. That progress bar lied to you, and the reason why reveals something fundamental about how password security actually works.

Real password strength isn't about following a checklist. It's about entropy — the measure of unpredictability in your password expressed in bits. Entropy tells an attacker how much work they must do to guess your password through brute force. Every bit of entropy you add doubles the number of guesses required. A 40-bit password needs roughly a trillion guesses to crack. A 60-bit password needs a quadrillion. At 80 bits, we're talking about astronomical timescales even for a nation-state's computing resources. The difference between these thresholds isn't linear — it's exponential, and that distinction changes everything about how you should think about password creation.

The Math Behind Entropy Scoring

Calculating password entropy starts with the character pool your password draws from. If you use only lowercase letters, your pool is 26 characters. Add uppercase and you have 52. Add digits and you're at 62. Add symbols and you reach roughly 94 printable ASCII characters. The entropy formula is simple: multiply the length of your password by the base-2 logarithm of the character pool size. A 10-character lowercase-only password has 10 × log₂(26) ≈ 47 bits of entropy. Swap in a mixed character set and that same 10-character password jumps to 10 × log₂(94) ≈ 66 bits.

But raw entropy from character pool size is only half the story. A naive entropy calculator would score "Aaaaaaaa1!" higher than it deserves because it ignores the structural weaknesses that attackers exploit first. Modern password cracking doesn't start with random character combinations — it starts with known patterns. Dictionary words, common substitutions (@ for a, 3 for e, 0 for o), keyboard walks like "qwerty" or "asdfgh", and the #1 password habit of every human being: a capitalized word followed by a few numbers and a symbol at the end.

A well-calibrated strength meter applies penalty deductions for these patterns before rendering a verdict. "Password123!" has technically respectable raw entropy, but it contains the word "password" — a word that appears in every cracking dictionary on earth — and follows the most predictable capitalization and suffix pattern imaginable. Adjusted entropy: substantially lower. Realistic crack time: far shorter than the raw math would suggest.

Time-to-Crack: The Number That Actually Matters

Entropy bits are precise but abstract. Time-to-crack translates the math into a human-legible threat model. The standard benchmark used by security researchers is approximately one trillion guesses per second — achievable with a modern high-end GPU cluster, which costs a few thousand dollars to rent from a cloud provider. Against that benchmark, a 40-bit password falls in about one second. A 50-bit password holds out for roughly 17 minutes. A 60-bit password survives for about 13 days. At 80 bits, you're looking at millions of years.
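The scoring pipeline described in the preceding paragraphs, as an added example in JavaScript (the language the meter runs in); this is not the page's own meter code. It computes length × log₂(pool) raw entropy, charges recognised dictionary words, keyboard walks and leet substitutions at a fixed guess cost instead of full pool entropy, scores the leftover suffix by its own pool, and converts the adjusted bits to a crack time at the article's 10¹² guesses/second benchmark. The word list and the 17-bit cost per dictionary entry are assumed, not from the page.

```javascript
// Added example, not the page's own meter code. Values below marked "assumed" are not from the page.
const GUESSES_PER_SECOND = 1e12; // the article's benchmark: a rented GPU cluster
const WORD_LIST_BITS = 17; // assumed: a dictionary entry costs about 2^17 guesses (~100k-word list)
const WORDS = ['password', 'summer', 'welcome', 'admin', 'letmein', 'qwerty', 'asdfgh', 'zxcvbn']; // constructed
const LEET = { '@': 'a', '3': 'e', '0': 'o' }; // the substitutions the article names
// Character classes and how much each adds to the pool; 32 symbols completes the 94 printable ASCII set.
const CLASSES = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 32]];

function poolSize(pw) {
  return CLASSES.reduce((pool, [re, n]) => pool + (re.test(pw) ? n : 0), 0);
}

function rawEntropy(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(poolSize(pw)); // length x log2(pool)
}

// Each recognised word costs ~2^17 guesses, +1 bit if capitalised, +1 if leet-substituted. Only the
// leftover characters keep pool entropy, scored by their own pool: the "123!" of "Password123!"
// is digits plus a symbol, not four draws from 94 characters.
function adjustedEntropy(pw) {
  let rest = pw;
  let norm = pw.toLowerCase().replace(/[@30]/g, ch => LEET[ch]); // undo @->a, 3->e, 0->o (ASCII input)
  let bits = 0;
  for (const w of [...WORDS].sort((a, b) => b.length - a.length)) {
    for (let idx = norm.indexOf(w); idx >= 0; idx = norm.indexOf(w)) {
      const seg = rest.slice(idx, idx + w.length);
      bits += WORD_LIST_BITS + (/[A-Z]/.test(seg) ? 1 : 0) + (/[@30]/.test(seg) ? 1 : 0);
      rest = rest.slice(0, idx) + rest.slice(idx + w.length);
      norm = norm.slice(0, idx) + norm.slice(idx + w.length);
    }
  }
  if (bits === 0) return rawEntropy(pw); // nothing recognised: the raw figure stands
  return Math.min(bits + rawEntropy(rest), rawEntropy(pw));
}

function secondsToCrack(bits) {
  return Math.pow(2, bits) / GUESSES_PER_SECOND; // worst case: the whole keyspace is searched
}

function humanTime(seconds) {
  const units = [['years', 31557600], ['days', 86400], ['hours', 3600], ['minutes', 60], ['seconds', 1]];
  for (const [name, size] of units) if (seconds >= size) return `${(seconds / size).toFixed(1)} ${name}`;
  return 'under a second';
}

function analyze(pw) {
  const adjusted = adjustedEntropy(pw);
  return { raw: rawEntropy(pw), adjusted, crackTime: humanTime(secondsToCrack(adjusted)) };
}
```

Running `analyze('Summer2024!')` shows the gap the article describes: about 72 raw bits against roughly 45 adjusted, which at the benchmark rate is seconds rather than years.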

These numbers assume offline attacks — scenarios where an attacker has obtained a stolen hash database and can run guesses locally at full speed. Online attacks against login forms are far slower due to rate limiting and account lockouts, which is why even relatively weak passwords survive against live systems. The dangerous scenario is when a service gets breached, the hashed passwords get dumped, and attackers go to work offline. That's when entropy matters most, and that's what a serious strength meter should be modeling.

It's worth noting that "cracking" in this context means finding your specific password, not just any password. An attacker targeting a specific account needs to find your exact credential. An attacker vacuuming credentials from a breach dump only needs to crack each hash once and may already have your password in a pre-computed rainbow table. Using a unique, high-entropy password for every service means that even a successful breach of one site yields nothing reusable elsewhere.

Why "Password Rules" Are Counterproductive

The National Institute of Standards and Technology (NIST) revised its digital identity guidelines in 2017, and again with more authority in 2024, to explicitly reject the complexity rules that have dominated corporate IT policy for two decades. Mandatory uppercase, numbers, symbols, and frequent forced rotations don't improve security — they improve the appearance of security while training users into predictable workarounds. When forced to include a capital letter, 85% of users capitalize the first character. When forced to include a number, most users append it at the end. These are the first patterns any cracker tries.

NIST's current guidance focuses on three things instead: length (minimum 8, ideally 15+), checking against known-compromised passwords, and no mandatory periodic rotation unless evidence of compromise exists. Length is the dominant factor in entropy because every character added multiplies the search space by the entire pool size. A 20-character lowercase passphrase has more raw entropy than a 10-character password using every character type.

The Passphrase Advantage

Security professionals increasingly favor passphrases — sequences of several unrelated common words — over traditional complex passwords. "correct horse battery staple" (popularized by the webcomic XKCD) has approximately 44 bits of entropy per the Diceware word list methodology, and far higher entropy by character pool calculation. More importantly, it's memorable, which means users won't write it on a sticky note or reuse it across dozens of sites.

The power of a passphrase comes from combinatorial explosion across word choices. If you're selecting from a list of 7,776 words (the standard Diceware list), four words give 7,776⁴ ≈ 3.6 × 10¹⁵ combinations. Five words give 2.8 × 10¹⁹. Add minor variations — a number, a symbol, mixed case on one word — and you get entropy in the 70–90 bit range with something a human can reasonably memorize. A password manager is still preferable for most use cases, but passphrases fill the gap for master passwords and critical accounts where memorability matters.

What a Strength Meter Cannot Tell You

Even a perfectly calibrated strength meter has blind spots. It can't know whether your password has already been exposed in a data breach — for that, services like Have I Been Pwned maintain databases of billions of real-world compromised credentials and let you check safely via a k-anonymity API. A password that scores "Very Strong" by every entropy metric is still worthless if it appears in a breach dump.

A strength meter also can't assess reuse. A 90-bit entropy password used across fifty accounts is fifty times as dangerous as the same password used on one account — one breach anywhere exposes everything. Password managers solve both problems: they generate high-entropy unique passwords for every site and let you audit for reuse and known breaches in one place.

Use a strength meter as a calibration tool, not a seal of approval. Understanding entropy, recognizing weak patterns, and building the habit of generating long, unique, random credentials for every account — that's what real password security looks like. The colored bar is just the beginning.

FAQ

What does 'entropy' mean in the context of password strength?
Entropy, measured in bits, quantifies how unpredictable your password is. Each additional bit doubles the number of guesses an attacker needs to crack it. A password with 60 bits of entropy requires about 2^60 (over a quadrillion) guesses to guarantee cracking — far more than one with 40 bits, which requires only about a trillion. It's a much more reliable measure than simple complexity checklists.

How is the time-to-crack estimate calculated?
The estimate is based on the adjusted entropy of your password converted into the number of possible combinations (2^entropy), then divided by a benchmark cracking rate of 1 trillion guesses per second — achievable by a modern GPU cluster. This models an offline attack where an attacker has obtained a hashed password database and is running guesses locally at full speed, which is the most dangerous real-world scenario.

Why does the meter deduct points for common words even if my password is long?
Password cracking tools don't start with random character guesses — they start with word lists, common patterns, and known substitutions. A password containing 'password', 'admin', 'qwerty', or similar terms will be tried very early in any attack regardless of length. Applying deductions for these patterns gives you a more realistic security estimate than raw character-pool entropy alone.

Is my password sent to any server when I use this tool?
No. The entire analysis runs in JavaScript inside your browser. Your password is never transmitted anywhere — there are no server requests, no logging, and no external API calls of any kind. You can verify this by checking your browser's network tab while using the tool.

Why does NIST no longer recommend mandatory complexity rules like 'must include uppercase and symbol'?
NIST's updated guidelines (SP 800-63B) found that rigid complexity rules train users into predictable patterns — capitalizing only the first letter, appending numbers at the end, using '@' for 'a'. These patterns are exactly what modern crackers try first. NIST now recommends prioritizing length, checking against known-compromised password lists, and eliminating forced periodic rotation unless there's evidence of compromise.

How long should my password actually be to be considered secure?
For accounts that could be exposed in a breach and subjected to offline cracking, aim for at least 12 characters with a mixed character set (roughly 72+ bits adjusted entropy), or a passphrase of 4–5 unrelated words. For master passwords to a password manager or encryption key, 16+ characters or a 5-word passphrase gives 80+ bits of entropy — enough to withstand attacks even from well-resourced adversaries for centuries at current computing speeds.