How this works
The strength score combines:
- Entropy — total bits of randomness, based on length and character pool size.
- Pattern penalties — common substitutions ("p@ssw0rd"), keyboard walks ("qwerty"), repeated chars, sequences.
- Common-password check — match against an embedded list of the 200 most-leaked passwords.
The crack-time estimates assume:
- Offline, fast: 100 billion guesses/second (modern GPU cluster on a stolen hash database).
- Online, throttled: 100 guesses/second (rate-limited login form).
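The sketch below works through the entropy and crack-time arithmetic described above. It is an added example, not this tool's source code: the two guess rates come from the page, while the pool sizes, the four-entry sample list, the substitution map and the pattern thresholds are assumptions. Pattern matches are reported as flags rather than scored, because the page does not state the penalty weights.

```javascript
// Added example, not the tool's source. Pool sizes, the sample word list and
// the pattern thresholds are assumptions; the guess rates are the page's.
const RATES = { offlineFast: 100e9, onlineThrottled: 100 }; // guesses/second
const COMMON = new Set(["password", "123456", "qwerty", "letmein"]); // constructed sample
const LEET = { "@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s" };
const ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"];

// Size of the character pool implied by the classes present in the password.
function poolSize(pw) {
  return (/[a-z]/.test(pw) ? 26 : 0) + (/[A-Z]/.test(pw) ? 26 : 0) +
         (/[0-9]/.test(pw) ? 10 : 0) + (/[^a-zA-Z0-9]/.test(pw) ? 33 : 0);
}

// Entropy in bits: length * log2(pool). Upper bound; assumes random characters.
function entropyBits(pw) {
  const pool = poolSize(pw);
  return pool ? pw.length * Math.log2(pool) : 0;
}

// Undo common substitutions before the list lookup, so "p@ssw0rd" matches "password".
function isCommon(pw) {
  const lower = pw.toLowerCase();
  return COMMON.has(lower) || COMMON.has(lower.replace(/[@0135$]/g, c => LEET[c]));
}

// All substrings of length n.
const windows = (s, n) =>
  Array.from({ length: Math.max(0, s.length - n + 1) }, (_, i) => s.slice(i, i + n));

// Flags for repeated characters, ascending sequences and keyboard walks.
function patternFlags(pw) {
  const s = pw.toLowerCase();
  const flags = [];
  if (/(.)\1{2,}/.test(s)) flags.push("repeat");
  if (windows(s, 3).some(w => /^[a-z0-9]+$/.test(w) &&
      w.charCodeAt(1) - w.charCodeAt(0) === 1 && w.charCodeAt(2) - w.charCodeAt(1) === 1))
    flags.push("sequence");
  if (windows(s, 4).some(w => ROWS.some(r => r.includes(w)))) flags.push("keyboard walk");
  return flags;
}

// Worst-case seconds to exhaust the keyspace; listed passwords count as instant.
function analyze(pw) {
  const guesses = isCommon(pw) ? 0 : Math.pow(poolSize(pw), pw.length);
  return {
    bits: entropyBits(pw), common: isCommon(pw), patterns: patternFlags(pw),
    offlineSeconds: guesses / RATES.offlineFast,
    onlineSeconds: guesses / RATES.onlineThrottled,
  };
}
```

The character-pool formula only holds for randomly chosen characters, which is why the flags are returned next to the bit count. With these assumptions, "P@ss1!" comes out at about 39 bits: roughly 7 seconds at the offline rate, but more than two centuries at the throttled online rate.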
Tips for strong passwords
- Use a password manager — 1Password, Bitwarden, or your browser's built-in.
- Length beats complexity. Four random words ("correct horse battery staple") beat "P@ss1!".
- Use a unique password per site — even strong passwords are useless if reused after a leak.
- Enable 2FA wherever possible.