
🔒 Password Strength Checker: How Password Strength Is Measured

Learn how password strength checkers evaluate your password. Covers entropy scoring, pattern detection, common weakness checks, zxcvbn algorithm, and what makes passwords actually strong.

⏱️ 8 min read · 🦉 365tool.net · 🌍 For everyone worldwide

Password strength checkers vary wildly in quality. Some check only length and character types, giving "P@ssw0rd" a high score even though it is one of the most common passwords in breach databases. The best modern checkers, such as Dropbox's open-source zxcvbn, estimate real-world crackability by simulating how attackers actually guess passwords. Understanding how these tools work helps you create passwords that are genuinely resistant to attack.

What Naive Password Checkers Miss

Many password strength meters score based only on:

  • Length (number of characters)
  • Presence of uppercase letters
  • Presence of lowercase letters
  • Presence of numbers
  • Presence of symbols

By these rules, "P@ssw0rd1!" scores as "strong": it is 10 characters long and uses upper, lower, number, and symbol. In reality it appears in virtually every password attack dictionary and would be cracked almost instantly.

The problem: naive checkers measure the size of the character set, not how predictable the specific password is, so they never notice that the whole thing is a dictionary word with a few stock substitutions and a stock suffix.

The zxcvbn Algorithm: Realistic Strength Estimation

Dropbox open-sourced zxcvbn in 2012 as a more realistic password strength estimator. Rather than counting character classes, it searches the password for the patterns attackers exploit, estimates how many guesses each pattern costs, and picks the cheapest way to explain the whole password:

  1. Dictionary attacks: Checks the password and its substrings against 30,000+ common passwords (including the most common breach passwords), English words, names and surnames, and popular culture references, each ranked by frequency so that a rank-1 word costs a single guess
  2. Keyboard pattern detection: Recognizes runs like "qwerty," "12345," "zxcvbn," and other keyboard walks on QWERTY and Dvorak layouts and numeric keypads
  3. L33t substitutions: Automatically evaluates common substitutions like a→@, e→3, i→1, o→0, s→$ against its dictionaries
  4. Repeat/sequence detection: Identifies repeated characters ("aaaa"), repeated patterns, and alphabetical/numeric sequences
  5. Date patterns: Recognizes dates in various formats (1990, 19901231, 12/31/1990)

The result is a guess count, reported both as a 0–4 score and as crack time estimates for several attack scenarios (e.g., "3 hours online" or "centuries offline"), which says far more than a checkbox tally of character types.

Understanding Crack Time Estimates

Password cracking difficulty depends on whether the attack is:

  • Online attack (throttled): An attacker submitting guesses to a live login page that rate-limits or locks accounts. Throttling holds the attacker to tens of guesses per second at most, and far fewer where lockouts apply (zxcvbn's default scenario assumes 100 guesses per hour). Even a moderately weak password can hold out for days.
  • Online attack (unthrottled): A login endpoint or API with no rate limiting. Around 1,000 guesses per second is realistic (zxcvbn assumes 10 per second for this scenario).
  • Offline attack (slow hash): An attacker who has obtained the hashed passwords from a database breach and cracks them locally. Against bcrypt, scrypt or Argon2 at sensible cost settings, roughly 10,000 guesses per second per GPU (zxcvbn assumes 10^4).
  • Offline attack (fast hash): Same, but the passwords were stored as MD5, SHA-1 or a bare SHA-256. A modern GPU manages billions of guesses per second (zxcvbn assumes 10^10).

This is why the hash algorithm used to store passwords matters enormously: the same guess count is a million times cheaper to exhaust at 10^10 guesses per second than at 10^4. A password that would take a century against bcrypt falls in under an hour against unsalted MD5.
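To make the last three sections concrete, here is an added example, written for this article and not zxcvbn's code or the 365tool.net checker: a naive character-class meter next to a simplified zxcvbn-style estimator. It searches the password for dictionary words (with case and l33t variants), sequences, repeats, keyboard rows and dates, picks the cheapest segmentation with a dynamic program as zxcvbn does, and converts the resulting guess count into crack times at zxcvbn's four default guess rates. The ranked dictionary is a constructed toy list of a few entries, the keyboard-walk and date rules are deliberately simplified, and the reference year is assumed to be 2025.

```python
# Added illustration for this article, not zxcvbn's code: a naive class-count meter
# next to a simplified zxcvbn-style estimator.  The word list is a constructed toy
# dictionary; REFERENCE_YEAR and the keyboard/date rules are assumed simplifications.
import re

# Constructed toy dictionary, rank 1 = most common (zxcvbn ships ~30k ranked passwords).
RANKED_WORDS = {"password": 1, "123456": 2, "qwerty": 3, "summer": 40,
                "hello": 55, "john": 70, "mary": 90, "secure": 120}
# Reverse l33t table: the article's a/e/i/o/s substitutions plus 4, 5 and !.
UNL33T = str.maketrans("@431!0$5", "aaeiioss")
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
REFERENCE_YEAR = 2025  # assumed "current year" for the date rule
# zxcvbn's default guess rates (guesses per second) for its four scenarios.
RATES = {"online_throttled": 100 / 3600, "online_unthrottled": 10,
         "offline_slow_hash": 1e4, "offline_fast_hash": 1e10}

def naive_score(pw):
    """0-5 character-class meter: the kind that calls P@ssw0rd1! strong."""
    return sum([len(pw) >= 8, any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])

def charset_size(pw):
    """Alphabet size implied by the character classes present (95 at most)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    return sum(n for pat, n in classes if re.search(pat, pw)) or 1

def dictionary_guesses(sub):
    """Word rank, tried as-is and with l33t undone; x2 per variation used."""
    low = sub.lower()
    for candidate, l33t in ((low, False), (low.translate(UNL33T), True)):
        rank = RANKED_WORDS.get(candidate)
        if rank is not None:
            return rank * (2 if sub != low else 1) * (2 if l33t else 1)
    return None

def sequence_guesses(sub):
    """abcd / 4321: start choices x length, x2 if descending (zxcvbn's rule)."""
    deltas = {ord(b) - ord(a) for a, b in zip(sub, sub[1:])}
    if len(sub) < 3 or len(deltas) != 1 or abs(min(deltas)) != 1:
        return None
    return (10 if sub[0].isdigit() else 26) * len(sub) * (2 if min(deltas) < 0 else 1)

def repeat_guesses(sub):
    """aaaa: alphabet of the repeated character x repeat count."""
    if len(sub) < 3 or len(set(sub)) != 1:
        return None
    return charset_size(sub) * len(sub)

def keyboard_guesses(sub):
    """Run along one keyboard row in either direction (simplified spatial match)."""
    low = sub.lower()
    if len(sub) >= 3 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        return 30 * len(sub) * 2  # ~30 start keys, two directions (assumed)
    return None

def date_guesses(sub):
    """yyyy, yyyymmdd or dd/mm/yyyy: years from REFERENCE_YEAR (min 20) x 365."""
    m = re.fullmatch(r"(19\d\d|20\d\d)(?:[/.-]?\d{1,2}[/.-]?\d{1,2})?"
                     r"|(?:\d{1,2}[/.-]?\d{1,2}[/.-]?)(19\d\d|20\d\d)", sub)
    return None if not m else max(abs(int(m.group(1) or m.group(2)) - REFERENCE_YEAR), 20) * 365

MATCHERS = [dictionary_guesses, sequence_guesses, repeat_guesses, keyboard_guesses, date_guesses]

def estimate_guesses(pw):
    """Cheapest split of pw into pattern/brute-force pieces via zxcvbn-style DP.
    Returns (guesses, [(kind, token), ...]); zxcvbn adds a factorial term for piece count."""
    card = charset_size(pw)
    best = [(1, [])] + [None] * len(pw)  # best[j] = (guesses, pieces) for pw[:j]
    for j in range(1, len(pw) + 1):
        for i in range(j):
            sub = pw[i:j]
            kind, guesses = "bruteforce", card ** len(sub)
            for matcher in MATCHERS:  # a pattern only wins if cheaper than brute force
                g = matcher(sub)
                if g is not None and g < guesses:
                    kind, guesses = matcher.__name__.split("_")[0], g
            total = best[i][0] * guesses
            if best[j] is None or total < best[j][0]:
                best[j] = (total, best[i][1] + [(kind, sub)])
    return best[-1]

def crack_times(guesses):
    return {name: guesses / rate for name, rate in RATES.items()}  # seconds per scenario

def humanize(seconds):
    for unit, size in (("centuries", 3.15e9), ("years", 3.15e7), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return "instant" if seconds < 1 else f"{seconds:.0f} seconds"

if __name__ == "__main__":  # stand-alone demo over constructed sample passwords
    for pw in ["P@ssw0rd1!", "Summer2024!", "aaaa1234", "xK$m9vL#wP2q"]:
        guesses, pieces = estimate_guesses(pw)
        print(f"{pw:14} naive={naive_score(pw)}/5 guesses={guesses:.3g} "
              f"fast hash={humanize(crack_times(guesses)['offline_fast_hash'])} {pieces}")
```

"P@ssw0rd1!" scores 5/5 on the naive meter but comes out at 36,100 guesses here: "P@ssw0rd" is a rank-1 dictionary word with two cheap variations, so only the trailing two characters have to be brute-forced. "xK$m9vL#wP2q" matches no pattern and falls back to 95^12. zxcvbn itself also adds a factorial penalty for the number of segments and prices brute-force pieces at a flat 10 guesses per character, so its absolute numbers differ; the ordering between patterned and random passwords, which is what this article is about, does not.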

What Actually Makes Passwords Strong

Length is the dominant factor

Increasing password length has an exponential effect on crack time, provided the added characters are as unpredictable as the rest. For characters drawn uniformly from a 95-symbol set, each added character multiplies the search space by 95, and two added characters multiply it by 9,025. A predictable addition, such as a trailing "1" or "!", adds almost nothing, because attackers try those appendages first.

Unpredictability beats complexity

A password that passes all character type requirements but follows a predictable pattern is weak. "Summer2024!" looks complex but an attacker will try "Season + Year + Symbol" patterns early in their attack. "xK$m9vL#wP2q" is genuinely harder despite similar apparent complexity.

Uniqueness across sites

The second most important factor after length is using a different password for every account. Password reuse means one breach exposes all your accounts β€” credential stuffing attacks try stolen username/password pairs across hundreds of services automatically.

Common Password Weaknesses

Weakness pattern     | Examples                  | How fast cracked
Common passwords     | password, 123456, qwerty  | Instant
L33t substitutions   | P@ssw0rd, $ecure!         | Seconds
Keyboard patterns    | qwerty, 1qaz2wsx, qweasd  | Seconds
Word + year + symbol | Summer2024!, Hello123@    | Minutes to hours
Repeated characters  | aaaa1234, aaaaabbb        | Seconds
Birth dates, names   | john1990, Mary1985!       | Minutes

Times are rough, order-of-magnitude figures for an offline attack; the exact value depends on the hash algorithm and hardware, but the ranking of the patterns does not change.

The "Have I Been Pwned" Integration

NIST's digital identity guidelines (SP 800-63B, including the 2024 draft revision) call for checking new passwords against a blocklist of known compromised passwords. The Have I Been Pwned (HIBP) Pwned Passwords API lets a client check a password against a corpus of hundreds of millions of breached passwords without sending the password, or even its full hash, to the server: the client hashes the password with SHA-1, sends only the first 5 hex characters of the hash, receives every breached hash suffix that shares that prefix (hundreds of them), and compares the rest locally. This k-Anonymity design means the server learns only which bucket of hashes the client is interested in, never which password.

Passwords that have appeared in breaches should always be rejected, regardless of how strong they appear by other metrics β€” they are already in attacker dictionaries.
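The k-Anonymity exchange described above, as an added example written for this article (not HIBP's or 365tool.net's code): the client hashes locally, sends only the 5-character prefix to https://api.pwnedpasswords.com/range/{prefix}, which is the public API's real endpoint and response format (one SUFFIX:COUNT per line), and matches the suffix itself. The network call sits behind a replaceable `fetch` argument so the demo runs offline against a constructed response; in that response the 5BAA6 prefix and the suffix of SHA-1("password") are real, while the other suffixes and every count are made up.

```python
# Added example for this article, not HIBP's or 365tool.net's code: the Pwned
# Passwords k-anonymity lookup with the network call isolated for offline use.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # public API endpoint

def split_hash(password):
    """SHA-1 the password and split it: only the 5-char prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries carry count 0."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix):
    """Live lookup.  Add-Padding makes every response a similar size, so a network
    observer cannot tell how many real suffixes the bucket holds."""
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Times the password appears in HIBP; 0 means 'not found', not 'safe'."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

def accept_password(password, fetch=fetch_range):
    """The article's policy: reject anything seen in a breach, however complex it looks."""
    return breach_count(password, fetch) == 0

# Constructed stand-in for the API so the demo runs offline.  5BAA6 is the real
# prefix of SHA-1("password"); the other suffixes and all counts are made up.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",  # suffix of SHA-1("password")
        "FFF6E4AE4D3654DFA5DC0B5D9E1CE3AEA41:0",  # padding entry
    ]),
}
PADDING_ONLY = "0000000000000000000000000000000000A:0"  # constructed empty bucket

def offline_fetch(prefix):
    """Replaces fetch_range in the demo: no network, constructed data only."""
    return FAKE_RANGES.get(prefix, PADDING_ONLY)

if __name__ == "__main__":
    for pw in ["password", "xK$m9vL#wP2q"]:
        prefix, _ = split_hash(pw)
        print(f"{pw!r}: prefix sent={prefix} count={breach_count(pw, offline_fetch)} "
              f"accept={accept_password(pw, offline_fetch)}")
```

Sending the Add-Padding header asks the API to pad each response with zero-count entries, so a passive observer cannot infer how populated the bucket is; parse_range keeps those entries harmlessly as count 0. Treat a count of 0 as "not in this corpus", not as a strength verdict: the blocklist check runs alongside the pattern-based estimate, not instead of it.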

Try It Yourself! ✨

Use our free Password Strength Checker — results appear as you type. No sign-up needed!


❓ Frequently Asked Questions

How do password strength checkers work?
Basic checkers score on length and character types (uppercase, lowercase, numbers, symbols). Advanced checkers like zxcvbn simulate real attack patterns: they match against lists of common and breached passwords and detect keyboard walks (qwerty), l33t substitutions (p@ssword), dictionary words, dates, and repeated sequences. The best checkers report an estimated guess count and crack time rather than just a strength score.
What is the zxcvbn algorithm?
zxcvbn is Dropbox's open-source realistic password strength estimator. It evaluates passwords against the methods attackers actually use: dictionary attacks on 30,000+ common passwords, keyboard pattern detection, l33t substitution recognition, repeat/sequence detection, and date pattern matching. It reports an estimated guess count with crack times for several attack scenarios, alongside a coarse 0–4 score.
Why does "P@ssw0rd" score well on some checkers but is actually weak?
Naive checkers only verify character type diversity: uppercase, lowercase, number, symbol. P@ssw0rd passes all four. But "password" with predictable letter-to-symbol substitutions is one of the most common passwords in breach databases and appears in virtually every attacker dictionary. A realistic checker like zxcvbn recognizes the pattern and rates it as extremely weak.
What is the difference between online and offline password cracking?
Online cracking attacks a live login page, so the server's rate limiting bounds it: anywhere from a handful of guesses per minute with account lockout to roughly a thousand per second with no throttling. Offline cracking means the attacker has obtained your hashed password from a database breach and runs a cracking program locally: billions of guesses per second against MD5 or SHA-1, tens of thousands per second against bcrypt or Argon2. The hash algorithm used to store your password determines how fast it can be cracked offline.
What makes a password genuinely strong?
Length is the dominant factor (each added character multiplies crack time). Genuine unpredictability (not a pattern that looks random but isn't). Uniqueness (never reused across sites). And ideally, checked against breach databases. A 16-character truly random password using letters, numbers, and symbols is far stronger than a 10-character "complex" password following common patterns.