Question 1

How does this password strength meter calculate strength?

Accepted Answer

We use a hybrid model. First, raw Shannon entropy: length × log₂(charset size). Then we apply penalties for detected weakness patterns — keyboard sequences, sequential characters, repeated runs, leet-substituted dictionary words, and trailing year suffixes. The penalized entropy maps to a 0–4 score that matches zxcvbn's industry-standard buckets, and the bit count drives crack-time estimates at four realistic attack speeds.

Question 2

Is my password sent to any server, ever?

Accepted Answer

No. The entire analysis — pattern detection, entropy math, breach-corpus lookup, and crack-time calculation — runs in your browser via JavaScript. We make no HTTP requests, no HIBP API calls, no analytics pings tied to your input. This is the only safe way to evaluate a real, in-use password online.

Question 3

What does the 0–4 score actually mean?

Accepted Answer

0 = Risky (crackable instantly, in a breach corpus). 1 = Weak (minutes on a GPU). 2 = Fair (resists casual attacks, falls to targeted offline cracking). 3 = Strong (comfortably safe for most user accounts). 4 = Excellent (safe even for high-value admin or master passwords). The scale matches the original zxcvbn score used by Dropbox, AWS, and many others.

Question 4

What is a "breach corpus" and why does it matter?

Accepted Answer

A breach corpus is a public list of passwords that have appeared in real-world data leaks (RockYou, LinkedIn, Adobe, etc.). Attackers try these passwords first because billions of accounts use them. Even a 12-character "strong-looking" password fails instantly if it appears on the list. We check against the ~120 most common entries; for production-grade checks, fold in the HaveIBeenPwned range API on your server.

Question 5

How accurate are the crack-time estimates?

Accepted Answer

They're order-of-magnitude estimates, which is what matters. We model four realistic attack speeds: online throttled (100 attempts/hour — typical web form), online unthrottled (10/s — broken rate-limiting), offline slow hash (10⁴/s — properly bcrypted database leak), and offline fast hash (10¹⁰/s — SHA-1 on a modern GPU). If your password takes 100 years at the fast-hash speed, that's a meaningful safety margin; if it takes 30 seconds, that's a problem regardless of the exact number.

Question 6

Why does "P@ssw0rd!" score so low despite being 9 chars with all four character classes?

Accepted Answer

The leet-substitution detector recognizes that `P@ssw0rd` undoes to `password` — a top-5 breach-corpus entry. Adding a trailing `!` does not meaningfully increase entropy because attackers use rule-based dictionaries (e.g. hashcat's d3ad0ne ruleset) that try every common substitution and suffix automatically. A truly strong password resists rule-based attacks, not just brute force.

Question 7

What should I do if my password scores 3 or below?

Accepted Answer

Use a random, unique password from a password manager. Our Password Generator creates strong passphrases instantly — 16+ characters with mixed charset. Then store them in a manager (1Password, Bitwarden, KeePass) so you never have to remember them. Length is the single biggest lever: every additional random character roughly doubles the search space.

Question 8

How long should a password actually be?

Accepted Answer

For general user accounts: 12+ random characters across all four classes (lowercase, uppercase, digits, symbols). For high-value accounts (admin, root, encryption keys, master passwords): 16–20+ random characters. For passphrases (Diceware style): 6+ random words. Length scales entropy linearly while complexity scales it logarithmically — adding one character beats adding one character class.

Question 9

Does this tool replace the HaveIBeenPwned (HIBP) API?

Accepted Answer

No. HIBP is the canonical "has this password been seen in a breach?" service and supports billions of entries via a privacy-preserving range-hash API. We use a tiny offline subset (~120 entries) precisely because the full HIBP corpus is too large to ship to a browser and querying it requires a network call — which we refuse to make. For production deployments, run HIBP server-side as a complement to entropy scoring.

Password Profile	Entropy (bits)	Offline GPU Crack Time
password	0 (in corpus)	instant
Summer2024!	~28	under 1 second (rule attack)
8 random lowercase	~37	~14 seconds
12 random mixed case + digits	~71	~80 years
16 random all-class	~104	heat death of the universe

Free Password Strength Meter: Real Entropy & Crack-Time

Real Shannon Entropy

Breach-Corpus Lookup

Four Attack Speeds

Strictly Offline

The Honest Password Strength Meter — No Theater, No Network Calls

How Long Does Each Class of Password Survive?

The Patterns Attackers Exploit (and We Detect)

A Production-Grade Password Hygiene Workflow

Related Security & Auth Utilities