What Makes a Password "Strong"?
Password strength is measured by entropy — the amount of unpredictability in a password. The more entropy, the longer it takes to crack. Entropy depends on two factors: the size of the character pool used (uppercase, lowercase, digits, symbols) and the length of the password.
Formula: Entropy = L × log₂(N)
Where L = password length and N = number of possible characters.
| Character Set | Pool Size | 12-char entropy |
|---|---|---|
| Digits only | 10 | 39.9 bits |
| Lowercase only | 26 | 56.4 bits |
| Alpha + digits | 62 | 71.5 bits |
| Full ASCII printable | 95 | 78.9 bits |
A 12-character password using the full ASCII set has ~79 bits of entropy — adequate for most purposes, assuming the hashing is done properly.
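The formula above, implemented as an added example (this is not the analyzer's own code). It derives the pool size N from the character classes a password actually uses, reproduces the 12-character table, and goes one step further than the table: it also computes passphrase entropy, where the unit of choice is a word drawn from a list (the 7776-word Diceware-style list size is an assumption). Note the caveat the formula carries: it assumes every character was chosen uniformly at random, so "P@ssw0rd" scores the same as "mK7#vQ2p", which is exactly why the analyzer also runs pattern and dictionary checks.

```python
import math
import string
from typing import Dict, Set

# The four character classes behind the pool sizes in the table. A password's pool is the
# union of every class it uses, so the "full ASCII printable" row (95) is all four together.
# Characters outside these classes (e.g. accented letters) are ignored, which undercounts.
CHARACTER_CLASSES: Dict[str, Set[str]] = {
    "lowercase": set(string.ascii_lowercase),     # 26
    "uppercase": set(string.ascii_uppercase),     # 26
    "digits": set(string.digits),                 # 10
    "symbols": set(string.punctuation) | {" "},   # 32 punctuation marks + space = 33
}


def pool_size(password: str) -> int:
    """Size N of the smallest class union that contains every character of the password."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Entropy = L x log2(N); only meaningful if each character was chosen uniformly at random."""
    n = pool_size(password)
    return len(password) * math.log2(n) if n else 0.0


def table_entropy(pool: int, length: int = 12) -> float:
    """Entropy for a pool size and length, rounded to one decimal as in the table above."""
    return round(length * math.log2(pool), 1)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly and independently from a list.
    The character-pool formula does not apply here: the unit of choice is a word, not a character."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    for pool in (10, 26, 62, 95):
        print(f"pool {pool:>2}: {table_entropy(pool)} bits at 12 characters")
    # Same pool and length give the same number; the formula cannot tell that one of these
    # is a dictionary word with substitutions. That is what pattern and dictionary checks are for.
    print(entropy_bits("mK7#vQ2p"), entropy_bits("P@ssw0rd"))
    # Four words from a 7776-word Diceware-style list (assumed list size): about 51.7 bits.
    print(passphrase_entropy_bits(4, 7776))
```

The passphrase figure matches the "Correct-Horse-Battery" row in the crack-time table: four random words from a 7776-word list give about 51.7 bits, more than the eight-character "mK7#vQ2p" only looks like it has once you account for how people actually pick short passwords.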
Real-World Crack Times
Crack time depends on the hashing algorithm used to store the password and the attacker's hardware. Using bcrypt (cost 12) on a single GPU:
| Password | Entropy | Crack Time |
|---|---|---|
| password | Very low | Instant (dictionary) |
| P@ssw0rd | ~28 bits | Seconds |
| abc12345 | ~38 bits | Minutes |
| mK7#vQ2p | ~52 bits | Years |
| Correct-Horse-Battery | ~51 bits | Centuries |
| X7#kLm$9pQr@2vN | ~97 bits | Billions of years |
These numbers assume offline cracking (the attacker has the hash database). Online attacks (guessing through a login form) are throttled by rate limiting — even weak passwords survive online attacks if the service implements account lockout.
Common Attack Methods
Dictionary Attacks
Attackers try known passwords from massive wordlists (RockYou, Have I Been Pwned) and their common mutations: password123, P@ssword, passw0rd. These cover the majority of real-world weak passwords.
Brute Force
Try every possible combination. Practical only for short passwords — 8 characters or fewer with limited character sets.
Credential Stuffing
Use username/password pairs leaked from other breaches. If you reuse passwords across sites, a breach at any one site compromises all your accounts.
Rainbow Tables
Precomputed tables of hashes for common passwords. Defeated by salting (modern hashing libraries always salt).
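Why salting defeats precomputation, as an added example (not code from this page or its tool). An unsalted hash is a pure function of the password, so one dictionary lookup against a precomputed table recovers it with no hashing work at crack time. With a random per-password salt, two users with the same password get different records and there is no single hash value a table could be keyed on; the verifier must redo the slow derivation with the stored salt. The PBKDF2 parameters and the storage format here are assumptions for the example; in production use your framework's default password hasher (bcrypt, scrypt, Argon2), which salts for you.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 parameters assumed for this example. The salting logic is identical for
# bcrypt/scrypt/Argon2; use your library's recommended work factor in real deployments.
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed stand-in for a precomputed table (unsalted SHA-1 -> password) over a handful of
# common passwords. Real tables hold billions of entries; the principle is the same.
COMMON_PASSWORDS = ("password", "123456", "qwerty")


def unsalted_sha1(password: str) -> str:
    """How passwords were stored before salting was standard: one fixed hash per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


PRECOMPUTED: Dict[str, str] = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}


def lookup_precomputed(hash_hex: str, table: Dict[str, str] = PRECOMPUTED) -> Optional[str]:
    """One dictionary lookup recovers an unsalted hash: no hashing work at all at crack time."""
    return table.get(hash_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. A fresh random salt per password
    means equal passwords produce different records, so no table can be keyed by the hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count kept in the record; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    print("unsalted lookup:", lookup_precomputed(unsalted_sha1("password")))  # password
    a, b = hash_password("password"), hash_password("password")
    print("same password, different records:", a != b)                       # True
    print("salted lookup:", lookup_precomputed(a.split("$")[-1]))            # None
    print("verify:", verify_password("password", a))                        # True
```

Two design points worth noticing: the record carries its own salt and iteration count, so the work factor can be raised later without invalidating old records, and the comparison uses `hmac.compare_digest` so verification time does not leak how many bytes of the hash matched.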
Password Spraying
Try a small set of common passwords across many accounts to avoid lockout thresholds.
What This Tool Measures
This password strength analyzer evaluates:
- Entropy calculation — Based on character pool × length.
- Pattern detection — Keyboard walks (qwerty, 12345), dates (19901231), repeated characters (aaabbb).
- Dictionary check — Tests against common password patterns and substitutions.
- Estimated crack time — Given different attack scenarios (online throttled, offline fast hash, offline bcrypt).
- Compliance feedback — Whether the password meets common requirements (8+ chars, uppercase, number, symbol).
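Two of the checks listed above, pattern detection and the per-scenario crack-time estimate, as an added example written for this page (it is not the analyzer's own source). Keyboard walks are found as runs of keys that neighbour each other on one QWERTY row, dates as eight-digit runs that parse as a real YYYYMMDD calendar date, and repeats as a character occurring three or more times in a row. The crack-time estimate takes the pool-based entropy as input and assumes an average search of half the keyspace; the guesses-per-second figures for the three scenarios are illustrative order-of-magnitude assumptions, not measured numbers.

```python
import math
import re
from datetime import date
from typing import Dict, List

# Rows of a US QWERTY keyboard; a "walk" is a run of characters that are neighbours on one row.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_WALK_LENGTH = 4

# Assumed guess rates (guesses per second) for the scenarios the tool reports. Illustrative
# order-of-magnitude values for this example only; real rates depend on hardware and hash.
GUESS_RATES: Dict[str, float] = {
    "online throttled": 10.0,
    "offline bcrypt (cost 12)": 1e4,
    "offline fast hash": 1e10,
}


def _adjacent_on_row(a: str, b: str) -> bool:
    """True when a and b sit next to each other on the same keyboard row."""
    for row in KEYBOARD_ROWS:
        if a in row and b in row and abs(row.index(a) - row.index(b)) == 1:
            return True
    return False


def keyboard_walks(password: str) -> List[str]:
    """Maximal runs of MIN_WALK_LENGTH or more neighbouring keys, e.g. 'qwerty' or '12345'.
    Direction may change inside a run ('asas' counts), which errs on the side of flagging."""
    lowered = password.lower()
    walks = []
    i = 0
    while i < len(lowered):
        j = i
        while j + 1 < len(lowered) and _adjacent_on_row(lowered[j], lowered[j + 1]):
            j += 1
        if j - i + 1 >= MIN_WALK_LENGTH:
            walks.append(lowered[i:j + 1])
        i = j + 1
    return walks


def embedded_dates(password: str) -> List[str]:
    """Eight-digit runs that parse as a real YYYYMMDD calendar date between 1900 and 2099."""
    found = []
    for m in re.finditer(r"(?<!\d)(\d{4})(\d{2})(\d{2})(?!\d)", password):
        year, month, day = (int(g) for g in m.groups())
        try:
            if 1900 <= year <= 2099:
                date(year, month, day)  # raises ValueError for e.g. month 13
                found.append(m.group(0))
        except ValueError:
            pass  # eight digits, but not a date
    return found


def repeated_runs(password: str) -> List[str]:
    """Runs of one character repeated three or more times, e.g. 'aaa'."""
    return [m.group(0) for m in re.finditer(r"(.)\1{2,}", password)]


def crack_time_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace on average."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Coarse, human-readable duration for the report."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
                       ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return "instant"


def analyze(password: str, entropy_bits: float) -> dict:
    """Pattern findings plus a crack-time estimate per scenario. entropy_bits is the pool-based
    figure; any pattern hit means the effective entropy is lower than that number says."""
    return {
        "keyboard_walks": keyboard_walks(password),
        "dates": embedded_dates(password),
        "repeats": repeated_runs(password),
        "crack_times": {name: human_duration(crack_time_seconds(entropy_bits, rate))
                        for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    for pw, pool in (("qwerty19901231", 36), ("aaabbb", 26)):
        bits = len(pw) * math.log2(pool)  # L x log2(N) from the formula above
        print(pw, analyze(pw, bits))
```

The report deliberately keeps the pattern findings and the entropy-based estimate side by side: "qwerty19901231" comes out at over 70 bits by the formula, yet it is a keyboard walk followed by a date, so the crack-time column for it should be read as an upper bound, not a promise.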
Best Practices for Strong Passwords
Use a Password Manager
Applications like Bitwarden (open source), 1Password, or KeePass generate and store truly random passwords — you never have to remember them. This allows you to use a unique, long, random password for every account.
Passphrases Are Underrated
Four random words ("correct horse battery staple") may be easier to remember than "X7#kLm$9" while actually providing more entropy. The key word is random — "sunshine puppy rainbow" doesn't count.
Enable Two-Factor Authentication
Even a weak password is much safer with 2FA enabled. An attacker who somehow obtains your password still can't log in without your second factor.
Never Reuse Passwords
Password reuse is the #1 reason breaches cascade. Use a unique password for every account — a password manager makes this trivially easy.
Check If Your Password Has Been Breached
The Have I Been Pwned service maintains a database of billions of leaked credentials. If your password appears in a breach, change it immediately.
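How a breach check can be done without ever sending the password to the service, as an added example (not the analyzer's code). Have I Been Pwned's Pwned Passwords range API takes only the first five hex characters of the password's upper-case SHA-1 and returns every suffix it knows for that prefix as `SUFFIX:COUNT` lines; the client finds its own suffix locally, so the service cannot learn which password was checked. The network call is included but not exercised here; the range response below is a constructed stand-in with invented counts, and the User-Agent string is an assumption.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-character prefix that is sent to the service
    and the 35-character suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix, 0 if it is absent.
    The match is made locally, which is the point of the k-anonymity design."""
    for line in range_response.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Only the 5-character prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})  # assumed UA
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_breached(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, fetch(prefix))


# Constructed stand-in for the body returned for the prefix of "password". A real response
# holds hundreds of suffixes; the counts here are invented for the example.
SAMPLE_PREFIX, SAMPLE_SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    f"{SAMPLE_SUFFIX}:3861493",
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:2",
])


def times_breached_offline(password: str) -> int:
    """Same logic as times_breached, fed the constructed response instead of the network."""
    return times_breached(password, fetch=lambda prefix: SAMPLE_RANGE_RESPONSE)


if __name__ == "__main__":
    print(SAMPLE_PREFIX, "->", times_breached_offline("password"))                 # 3861493
    print(times_breached_offline("correct horse battery staple"))                  # 0
    # Live check (uncomment to use the network): print(times_breached("password"))
```

The `fetch` parameter exists so the parsing and matching logic can be tested against canned responses, and so a service wrapper can add caching or a retry policy without touching the privacy-preserving part.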
Corporate Password Policies: NIST Guidelines
The National Institute of Standards and Technology (NIST SP 800-63B) updated its password guidance in 2017 with evidence-based recommendations:
- Minimum 8 characters (prefer longer)
- No mandatory complexity rules (they don't improve security and frustrate users)
- No mandatory periodic rotation (unless there's evidence of compromise)
- Check passwords against breach databases
- Allow pasting passwords (it helps users use password managers)
Many organizations still enforce outdated policies (expire every 90 days, must include symbol, can't reuse last 12) that NIST now discourages.