🔐 Password Strength Checker

Check Your Password Strength

Analyze entropy, crack time, and character composition. 100% private — nothing leaves your browser.

A password's strength is the gap between how an attacker would search for it and how you actually chose it. This checker estimates entropy from the character set and length, looks for the most common weak patterns, and gives you a crack-time estimate against a fast attacker. Everything is computed in your browser; the password you type is never sent anywhere.

100% client-side. Your password never leaves your browser. All analysis runs locally using JavaScript.

What Makes a Password Strong?

A strong password has two fundamental properties: sufficient length and genuine randomness. Length determines how many character positions an attacker must guess, while randomness ensures that each position is unpredictable. Together, these properties create exponential difficulty for brute-force attacks. A 12-character password drawn from the full 95-character printable ASCII set has about 79 bits of entropy, meaning an attacker would need to try roughly 2^79 combinations — a number so large that even a cluster of GPUs running 10 billion guesses per second would need billions of years.

However, not all long passwords are strong. A 20-character password consisting of a single repeated character has effectively zero entropy. Similarly, a password composed of dictionary words strung together predictably (such as a famous phrase or song lyric) is vulnerable to dictionary and rule-based attacks that test known word combinations. True strength comes from cryptographic randomness, where each character is selected independently from the full character set.

Understanding Entropy and Crack Time

Entropy is measured in bits and represents the number of binary decisions needed to uniquely identify a password. The formula is straightforward: entropy equals the password length multiplied by the base-2 logarithm of the character set size. Each additional bit of entropy doubles the number of possible passwords, making brute-force attacks exponentially harder. This is why even small increases in entropy translate to dramatically longer crack times.

Crack time estimates assume a specific attack speed. Our checker uses 10 billion guesses per second, which represents a well-funded attacker with a modern GPU cluster running optimized code against a weak hash. Against a service using a slow hash function like bcrypt with a high work factor, actual crack times would be thousands of times longer. Conversely, against an unsalted MD5 hash, attacks can be even faster. The estimates provide a conservative baseline for evaluating your password.

Common Weak Password Patterns to Avoid

Attackers do not simply try every possible combination in order. They use sophisticated strategies that exploit human behavior. Dictionary attacks test common words and phrases. Rule-based attacks apply transformations like appending numbers, capitalizing the first letter, or replacing letters with similar-looking digits (a technique called leet speak). Hybrid attacks combine dictionary words with brute-force permutations. Credential stuffing uses passwords leaked from other breaches.

The patterns most commonly exploited include sequential numbers and letters, keyboard walks (patterns traced on the keyboard like qwerty or zxcvbn), repeated characters, personal information such as names and birth dates, and simple modifications of common words. If your password follows any of these patterns, its effective entropy is far lower than the theoretical maximum, and it can likely be cracked in minutes or hours rather than centuries.
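As an added illustration (not the checker's source code), the following JavaScript flags the patterns listed above; the word list, keyboard rows and leet map are small constructed samples, and the four-character run length is an assumed threshold.

```javascript
// Small constructed samples (not a real wordlist): common words, keyboard rows, leet map
const COMMON_WORDS = ["password", "welcome", "letmein", "monkey", "dragon", "summer"];
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const WALK_ROWS = KEYBOARD_ROWS.flatMap((r) => [r, [...r].reverse().join("")]);
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

// Undo common leet substitutions so "P@ssw0rd" is compared as "password"
function normalizeLeet(s) {
  return s.toLowerCase().replace(/[013457@$]/g, (c) => LEET[c]);
}

// True if s has a run of n characters with consecutive code points, ascending
// or descending ("1234", "dcba"); n = 4 is an assumed threshold
function hasSequence(s, n = 4) {
  for (let i = 0; i + n <= s.length; i++) {
    let asc = true, desc = true;
    for (let j = i + 1; j < i + n; j++) {
      const d = s.charCodeAt(j) - s.charCodeAt(j - 1);
      if (d !== 1) asc = false;
      if (d !== -1) desc = false;
    }
    if (asc || desc) return true;
  }
  return false;
}

// True if any n-character window of s is a substring of a keyboard row (either direction)
function hasKeyboardWalk(s, n = 4) {
  const lower = s.toLowerCase();
  for (let i = 0; i + n <= lower.length; i++) {
    const chunk = lower.slice(i, i + n);
    if (WALK_ROWS.some((row) => row.includes(chunk))) return true;
  }
  return false;
}

// Returns the weak patterns found; an empty list means none of them matched
function detectWeakPatterns(password) {
  const found = [];
  if (/(.)\1{2,}/.test(password)) found.push("repeated characters");
  if (hasSequence(password)) found.push("sequential characters");
  if (hasKeyboardWalk(password)) found.push("keyboard walk");
  if (/(19|20)\d{2}/.test(password)) found.push("year");
  if (COMMON_WORDS.some((w) => normalizeLeet(password).includes(w))) found.push("dictionary word");
  return found;
}
```

Any match is a signal that the effective entropy is well below the length-times-log2 figure, which is why the checker reports warnings alongside the raw number.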

How to Improve Your Password Security

The single most effective step is to use a password manager and generate a unique random password for every account. This eliminates password reuse — the most dangerous practice in personal security — and allows you to use maximally strong passwords without needing to remember them. For the few passwords you must memorize (your password manager master password and your computer login), use a randomly generated passphrase of five or more words.

Enable two-factor authentication wherever possible. Even a strong password can be compromised through phishing, malware, or server-side breaches. A second factor — preferably a hardware security key or authenticator app — adds a layer of defense that a stolen password alone cannot bypass. Regularly check whether your credentials have appeared in known data breaches using services like Have I Been Pwned, and change any compromised passwords immediately.

Crack Time vs Real-World Risk: What the Numbers Actually Mean

The crack-time number this tool produces is a useful proxy but it is not a guarantee. Real attacks rarely run at the theoretical worst case. The same password can be uncrackable against one service and trivially broken against another, depending entirely on what the service does with the password before storing it. Understanding the gap between “estimated crack time” and “real-world risk” is what separates a useful number from a misleading one.

Hash Algorithm         | GPU Speed (RTX 4090) | Effective Slowdown
MD5 (unsalted)         | ~200 billion / sec   | Baseline (fastest)
SHA-1                  | ~70 billion / sec    | ~3x slower
SHA-256                | ~25 billion / sec    | ~8x slower
bcrypt (cost 12)       | ~10,000 / sec        | ~20 million x slower
scrypt (default)       | ~5,000 / sec         | ~40 million x slower
Argon2id (m=64MB, t=3) | ~500 / sec           | ~400 million x slower

A password rated “crackable in one hour” against MD5 would survive about 23 years against bcrypt at cost factor 12. The same password against Argon2id with reasonable parameters would survive over a thousand years. The hash function is doing most of the security work, and the choice is entirely up to the service you signed up with — you usually have no way to know which one they use until they get breached.
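To make both the entropy formula from the section above and this hash-rate comparison concrete, here is an added JavaScript example (not the tool's own code) that computes entropy and crack time as the page defines them and then rescales the result by each rate in the table; the 33-symbol count for printable punctuation and the three-significant-figure rounding are assumptions.

```javascript
const GUESSES_PER_SEC = 1e10; // the checker's assumed attacker speed

// Guess rates per second from the table on this page (RTX 4090 figures)
const HASH_RATES = {
  "MD5 (unsalted)": 200e9,
  "SHA-1": 70e9,
  "SHA-256": 25e9,
  "bcrypt (cost 12)": 1e4,
  "scrypt (default)": 5e3,
  "Argon2id (m=64MB, t=3)": 500,
};

// Character-set size is the sum of the classes present; all four together give
// the 95-character printable ASCII set (assumes 33 symbols including space)
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 33;
  return size;
}

// entropy = length * log2(charset size), as defined on the page
function entropyBits(password) {
  const size = charsetSize(password);
  return size === 0 ? 0 : password.length * Math.log2(size);
}

// Exhaustive-search time in seconds: 2^entropy / guesses per second
function crackSeconds(bits, ratePerSec = GUESSES_PER_SEC) {
  return Math.pow(2, bits) / ratePerSec;
}

// Three-significant-figure duration for display (rounding style is an assumption)
function formatDuration(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, len] of units) {
    if (seconds >= len) return `${(seconds / len).toPrecision(3)} ${name}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// The same password against every hash in the table
function crackTimeByHash(password) {
  const bits = entropyBits(password);
  const out = {};
  for (const [name, rate] of Object.entries(HASH_RATES)) out[name] = formatDuration(crackSeconds(bits, rate));
  return out;
}
```

Running crackTimeByHash("password") shows the spread the table describes: about a second against unsalted MD5, months against bcrypt at cost 12, and years against Argon2id.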

There are also factors that make real-world risk worse than the number suggests. Targeted attackers know your name, employer, hometown, and birth date and will weight their guesses toward those values, making patterns like YourCity1985! fall in seconds even though the entropy formula treats them as “medium.” Credential reuse means a strong password is only as strong as the weakest site you used it on. Phishing and malware bypass crack time entirely; the password is handed over or read off the keyboard.

The right way to read this tool's output is as a lower bound on safety, not an upper bound. If the checker says your password would survive 100 years against a fast hash, you are probably fine for most accounts. If it says minutes or hours, treat the password as already compromised and replace it. The middle ground (days to years against MD5) is where the choice of service hash function decides everything, so default to assuming the worst.

What to Do If Your Password Is Weak

A weak rating is not a verdict; it is a prompt. The fix is mechanical and takes about five minutes per account. The order matters: if you change a password without updating your manager and enabling 2FA in the same session, you will likely lock yourself out or forget the new credential within a week.

  • Triage by account value first. Before changing anything, list the accounts that can compromise others: your primary email, your password manager, your phone account (which receives SMS 2FA), your password recovery email if different. Fix those first. A weak Spotify password is annoying; a weak primary email password is catastrophic.
  • Generate a replacement using a CSPRNG-backed tool. Use this site's password generator or any reputable client-side option. Pick the longest length the service accepts. Do not type a new password yourself; the whole point is to escape human-chosen patterns.
  • Save it in your password manager before pasting it anywhere. The most common failure mode when changing a password is generating it, pasting it into the “new password” field, submitting, and then realizing you never copied it into your manager. Save first, paste second.
  • Change the password on the actual service. Log into the account, navigate to security or password settings, and update. Watch for sites that silently truncate long passwords (a few legacy systems still do this) — if your 32-character password gets cut to 16, the site has just halved your security and you should know.
  • Enable two-factor authentication immediately. While you are in the security settings, turn on TOTP (Aegis, 2FAS, Google Authenticator) or, ideally, register a hardware key (YubiKey, SoloKey). Save the recovery codes in your password manager. SMS is acceptable as a fallback but not as a primary second factor.
  • Sign out everywhere. Most major services offer a “sign out of all sessions” or “revoke all devices” option in security settings. Use it. If your old weak password was stolen, the attacker may have an active session that the password change does not invalidate by default.
  • Check Have I Been Pwned for the old password. If your old weak password appears in any leaked breach, assume it was already in active use by attackers. You may also need to reset accounts where you reused that exact password — yes, this is the moment to confront that pile of accounts you have not thought about in years.
  • Set a calendar reminder for any account where 2FA is not available. If a service refuses to offer 2FA, your only defense is the password itself. Audit those accounts every six months and rotate their passwords more aggressively, especially if any related service suffers a breach.

The work compounds in your favor. The first ten accounts take an hour. The next ten take twenty minutes because you have a workflow. Within a few weeks of opportunistic upgrades — every time you log into a site, check the password and replace it if it is weak — your entire credential surface drifts toward strong-and-unique without any single dedicated session of effort.

Frequently Asked Questions

How does the password strength checker work?

The checker analyzes your password locally in your browser. It calculates entropy based on the character set used and password length, estimates crack time assuming 10 billion guesses per second, counts character types (uppercase, lowercase, numbers, symbols), and checks for common patterns and weaknesses.

Is it safe to enter my real password here?

Yes. All analysis happens entirely in your browser using JavaScript. Your password is never transmitted over the network, stored in any database, or logged anywhere. You can verify this by disconnecting from the internet — the tool works fully offline.

What does password entropy mean?

Entropy measures the unpredictability of a password in bits. It is calculated as length times log2(charset size). Higher entropy means more possible combinations and exponentially longer brute-force times. A password with 60 bits of entropy has 2^60 (about 1.15 quintillion) possible combinations.

What is a good entropy score for a password?

Below 40 bits is considered weak and can be cracked quickly. Between 40 and 60 bits is fair for low-risk accounts. Between 60 and 80 bits is strong and suitable for most accounts. Above 80 bits is considered unbreakable by current technology and is recommended for high-value targets.

How is crack time estimated?

We assume an attacker using a modern GPU cluster capable of 10 billion guesses per second. The time is calculated as 2^entropy divided by 10 billion. This represents a well-funded, sophisticated attack using current hardware. Real-world attacks may be slower or faster depending on the hashing algorithm used by the service.

Why does my password show warnings even though it is long?

Length is only one factor. A long password using only lowercase letters has significantly less entropy per character than one using mixed case, numbers, and symbols. Additionally, common patterns (repeated characters, keyboard walks, dictionary words) reduce effective entropy regardless of length.

What are the most common weak password patterns?

The most common weak patterns include: sequential numbers (123456), repeated characters (aaaaaa), keyboard walks (qwerty, asdfgh), dictionary words (password, welcome), names with numbers (john123), and dates (19901225). All of these are tried first in any dictionary-based attack.

Should I change my password if the checker says it is weak?

Yes, especially for important accounts like email, banking, and any account that could be used for password resets. Use our password generator to create a strong, random replacement. Store the new password in a reputable password manager so you do not need to memorize it.