Step-by-Step Formula: How Password Strength Is Calculated
Password strength is measured by entropy—the number of possible combinations an attacker must try. The formula is:
Entropy (bits) = password length × log₂(character set size)
A lowercase-only password uses a charset of 26. Add uppercase (52), digits (62), and symbols (95). Each additional character multiplies the total combinations exponentially. An 8-character lowercase password has 26⁸ = 208 billion combinations—cracked in seconds by modern GPUs doing 10 billion guesses/second.
The same 8 characters with all types: 95⁸ = 6.6 quadrillion combinations—still cracked in days. But bump to 16 characters: 95¹⁶ = 4.4 × 10³¹ combinations—taking trillions of years even at 10 billion guesses/second.
Real-World Example
Let's compare three passwords against a GPU cracking rig doing 10 billion guesses/second:
- "password" — Found in dictionary attack instantly. Zero security.
- "P@ssw0rd!" — Looks complex but is a common pattern. Cracked in minutes with rule-based attacks.
- "correct-horse-battery" — 22 characters, lowercase + hyphens. Entropy: ~103 bits. Would take ~300 billion years to brute-force.
Sample Calculation Table
| Length | Lowercase Only | Mixed Case + Digits | All Character Types |
|---|---|---|---|
| 6 chars | Instantly | 6 seconds | 1 minutes |
| 8 chars | 21 seconds | 6 hours | 8 days |
| 10 chars | 4 hours | 3 years | 190 years |
| 12 chars | 110 days | 10K years | 2M years |
| 14 chars | 205 years | 39M years | 1.5e+1 billion years |
| 16 chars | 138K years | 1.5e+2 billion years | 1.4e+5 billion years |
| 20 chars | 6.3e+1 billion years | 2.2e+9 billion years | 1.1e+13 billion years |
Common Mistakes
- Substituting letters with numbers. "p@ssw0rd" isn't clever—attackers' dictionaries include these substitutions. They add negligible security.
- Adding "1!" at the end. The most common "complexity" addition. Cracking tools try this pattern automatically.
- Using personal information. Pet names, birthdays, addresses, and kids' names are easily found on social media.
- Reusing passwords. When one site gets breached, attackers try your password on every other site. Use unique passwords everywhere.
- Prioritizing complexity over length. "Hx9!" (4 chars) is infinitely weaker than "mycatlikestoeatpizza" (20 chars). Length wins.
Frequently Asked Questions
What makes a strong password?
A strong password is at least 12 characters long, uses a mix of uppercase, lowercase, numbers, and special characters, and isn't based on dictionary words, personal info, or common patterns. Passphrases (random words strung together like "correct-horse-battery-staple") are both strong and memorable.
Is this tool safe to use?
Yes. This password checker runs entirely in your browser—your password is never sent to any server. All analysis happens locally in JavaScript. You can verify this by disconnecting from the internet and confirming it still works. We never store, transmit, or log passwords.
How long should my password be?
At minimum 12 characters, ideally 16+. Length is the single most important factor in password strength. A 16-character password with mixed character types would take billions of years to crack with current technology, while an 8-character password can be cracked in hours.
Should I use a password manager?
Absolutely. Password managers generate and store unique, strong passwords for every account. You only need to remember one master password. Leading options include Bitwarden (free, open-source), 1Password, and Dashlane. This eliminates password reuse, the #1 cause of account breaches.
How are passwords actually cracked?
Attackers use several methods: brute force (trying every combination), dictionary attacks (common words and passwords), credential stuffing (reusing leaked passwords from data breaches), and rainbow tables (precomputed hash lookups). Modern GPUs can test billions of passwords per second against leaked password hashes.
Is a longer password always better than a complex one?
Yes, generally. "correct-horse-battery-staple" (28 chars, all lowercase) is stronger than "P@s5w0rd!" (9 chars, complex). Each additional character multiplies the search space exponentially. A 20-character lowercase password has more entropy than a 10-character password with all character types.