How Strong Is Your Password? A Complete Guide to Password Security

Analyze your password strength instantly. Learn what makes a password secure and how attackers crack weak ones.

What Makes a Password "Strong"?

Password strength is measured by entropy — the amount of unpredictability in a password. The more entropy, the longer it takes to crack. Entropy depends on two factors: the size of the character pool used (uppercase, lowercase, digits, symbols) and the length of the password.

Formula: Entropy = L × log₂(N)

Where L = password length and N = number of possible characters.

Character set          Pool size (N)   12-char entropy
Digits only            10              39.9 bits
Lowercase only         26              56.4 bits
Alpha + digits         62              71.5 bits
Full ASCII printable   95              78.9 bits

A 12-character password using the full ASCII set has ~79 bits of entropy — adequate for most purposes, assuming the hashing is done properly.

Real-World Crack Times

Crack time depends on the hashing algorithm used to store the password and the attacker's hardware. Using bcrypt (cost 12) on a single GPU:

Password                 Entropy     Crack time
password                 Very low    Instant (dictionary)
P@ssw0rd                 ~28 bits    Seconds
abc12345                 ~38 bits    Minutes
mK7#vQ2p                 ~52 bits    Years
Correct-Horse-Battery    ~51 bits    Centuries
X7#kLm$9pQr@2vN          ~97 bits    Billions of years

These numbers assume offline cracking (the attacker has the hash database). Online attacks (guessing through a login form) are throttled by rate limiting — even weak passwords survive online attacks if the service implements account lockout.

Common Attack Methods

Dictionary Attacks

Attackers try known passwords from massive wordlists (RockYou, Have I Been Pwned) and their common mutations: password123, P@ssword, passw0rd. These cover the majority of real-world weak passwords.

Brute Force

Try every possible combination. Practical only for short passwords — 8 characters or fewer with limited character sets.

Credential Stuffing

Use username/password pairs leaked from other breaches. If you reuse passwords across sites, a breach at any one site compromises all your accounts.

Rainbow Tables

Precomputed tables of hashes for common passwords. Defeated by salting (modern password-hashing libraries salt automatically).

Password Spraying

Try a small set of common passwords across many accounts to avoid lockout thresholds.

What This Tool Measures

This password strength analyzer evaluates:

  • Entropy calculation — Based on character pool × length.
  • Pattern detection — Keyboard walks (qwerty, 12345), dates (19901231), repeated characters (aaabbb).
  • Dictionary check — Tests against common password patterns and substitutions.
  • Estimated crack time — Given different attack scenarios (online throttled, offline fast hash, offline bcrypt).
  • Compliance feedback — Whether the password meets common requirements (8+ chars, uppercase, number, symbol).
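The entropy formula from the first section and the first, second and fourth checks in the list above, implemented as a small self-contained analyzer. This is an added example, not the analyzer's own code: the pool is taken as the union of the character classes actually present in the password (so "Alpha + digits" yields N = 62 as in the table), the keyboard-walk list is a short assumed sample, and the three guess rates are illustrative constants, not measurements.

```python
import math
import re

# Character classes that make up the pool N, per the page's model:
# N is the union of the classes actually present in the password.
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # remaining ASCII printable symbols (95 - 62)
]

# Assumed sample of keyboard walks; a real analyzer would use a fuller list.
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "12345", "1qaz2wsx")

# Assumed guesses/second for the three scenarios the page lists (illustrative only).
SCENARIOS = {"online throttled": 10.0, "offline fast hash": 1e10, "offline bcrypt": 1e4}


def pool_size(password: str) -> int:
    """Size N of the character pool implied by the classes present."""
    return sum(size for pattern, size in CLASSES if pattern.search(password))


def entropy_bits(password: str) -> float:
    """Entropy = L * log2(N), the formula used on this page."""
    n = pool_size(password)
    return len(password) * math.log2(n) if n else 0.0


def detect_patterns(password: str) -> list:
    """Structural weaknesses: keyboard walks, repeated runs, YYYYMMDD dates."""
    found = []
    lowered = password.lower()
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        found.append("keyboard walk")
    if re.search(r"(.)\1{2,}", password):  # aaa, 111, ...
        found.append("repeated characters")
    if re.search(r"(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])", password):
        found.append("date (YYYYMMDD)")
    return found


def crack_seconds(password: str, scenario: str) -> float:
    """Expected seconds to search half the keyspace implied by the entropy."""
    return 2 ** entropy_bits(password) / 2 / SCENARIOS[scenario]


if __name__ == "__main__":
    for pw in ("012345678901", "qwerty123", "mK7#vQ2p", "19901231"):
        print(pw, round(entropy_bits(pw), 1), "bits", detect_patterns(pw),
              f"{crack_seconds(pw, 'offline bcrypt'):.3g}s at assumed bcrypt rate")
```

Because the pool is inferred from the classes present, a password made only of digits is scored against N = 10 even if the site would have allowed symbols; that is the same assumption the page's entropy table makes.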

Best Practices for Strong Passwords

Use a Password Manager

Applications like Bitwarden (open source), 1Password, or KeePass generate and store truly random passwords — you never have to remember them. This allows you to use a unique, long, random password for every account.

Passphrases Are Underrated

Four random words ("correct horse battery staple") may be easier to remember than "X7#kLm$9" while actually providing more entropy. The key word is random — "sunshine puppy rainbow" doesn't count.

Enable Two-Factor Authentication

Even a weak password is much safer with 2FA enabled. An attacker who somehow obtains your password still can't log in without your second factor.

Never Reuse Passwords

Password reuse is the #1 reason breaches cascade. Use a unique password for every account — a password manager makes this trivially easy.

Check If Your Password Has Been Breached

The Have I Been Pwned service maintains a database of billions of leaked credentials. If your password appears in a breach, change it immediately.

Corporate Password Policies: NIST Guidelines

The National Institute of Standards and Technology (NIST SP 800-63B) updated its password guidance in 2017 with evidence-based recommendations:

  • Minimum 8 characters (prefer longer)
  • No mandatory complexity rules (they don't improve security and frustrate users)
  • No mandatory periodic rotation (unless there's evidence of compromise)
  • Check passwords against breach databases
  • Allow pasting passwords (it helps users use password managers)

Many organizations still enforce outdated policies (expire every 90 days, must include symbol, can't reuse last 12) that NIST now discourages.