Estimate how exposed your account is to compromise. Tune the factor weights to match your environment. Export the results for audits and continuous-improvement reports.
Sample rows show how control changes can shift risk scores.
| Profile | Password (length, reuse) | MFA | Breach exposure | Device hygiene | Monitoring | Typical score | Risk level |
|---|---|---|---|---|---|---|---|
| Hardened | 16+, unique | App/key | None | Patched + protected | Alerts on | 15–28 | Low |
| Everyday | 12, some reuse | SMS | Unknown | Mixed controls | Alerts on | 35–55 | Moderate |
| Exposed | 8–10, reused | None | Medium | Unpatched | No alerts | 70–90 | High/Critical |
Each factor produces a sub-score from 0 to 100, where higher means higher risk. The final score is a weighted average of the sub-scores, normalized by the total weight.
The calculator treats account compromise as a blend of credential, user, and device risks: password strength, MFA strength, breach exposure, phishing susceptibility, device hygiene, monitoring, and recovery security. Because the weights are divided by their total, the score stays on the 0–100 scale even after you change them. A score near 0 indicates strong controls and low exposure; a score near 100 indicates weak controls and a large attack surface.
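The scoring model described above, as an added worked example; this is not the calculator's own code. The factor names, the 0–100 sub-scores and the normalized weighted average follow the text, while the sub-score tables, the default weights and the level thresholds are assumptions chosen so that the three sample profiles land in their published ranges. The block also shows the two things practitioners usually want from such a model: a what-if comparison (raising MFA strength and removing reuse) and re-tuning the weights for a phishing-heavy environment, which the normalization keeps on the same scale.

```python
"""Account-compromise risk index: normalized weighted average of 0-100 sub-scores.

Added example, not the calculator's own code. Sub-score tables, default weights
and level thresholds are assumptions; only the structure follows the page.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Profile:
    password_length: int
    password_reuse: str   # "unique" | "some" | "reused"
    mfa: str              # "key" | "app" | "sms" | "none"
    breach: str           # "none" | "low" | "unknown" | "medium" | "high"
    phishing: str         # "low" | "medium" | "high"
    patched: bool         # endpoint is patched
    protected: bool       # endpoint has malware protection
    alerts: bool          # sign-in monitoring / alerting enabled
    recovery: str         # "secured" | "default" | "weak"


# Assumed sub-score tables (higher = more risk). SMS sits above app/key because
# of SIM-swap and interception; "unknown" breach history is scored as moderate.
MFA_RISK = {"key": 10, "app": 25, "sms": 55, "none": 100}
BREACH_RISK = {"none": 10, "low": 30, "unknown": 45, "medium": 60, "high": 90}
PHISHING_RISK = {"low": 25, "medium": 55, "high": 85}
REUSE_RISK = {"unique": 5, "some": 50, "reused": 100}
RECOVERY_RISK = {"secured": 15, "default": 50, "weak": 90}

DEFAULT_WEIGHTS = {
    "password": 0.20, "mfa": 0.25, "breach": 0.10, "phishing": 0.10,
    "device": 0.15, "monitoring": 0.10, "recovery": 0.10,
}
# Assumed re-tuning for a phishing-heavy environment: weights need not sum to 1.
PHISHING_HEAVY_WEIGHTS = {**DEFAULT_WEIGHTS, "phishing": 0.20, "mfa": 0.30}


def password_risk(length: int, reuse: str) -> float:
    """Length drives guessing feasibility; reuse drives credential stuffing."""
    if length >= 16:
        length_risk = 5
    elif length >= 12:
        length_risk = 30
    elif length >= 10:
        length_risk = 55
    else:
        length_risk = 80
    return 0.6 * length_risk + 0.4 * REUSE_RISK[reuse]


def device_risk(patched: bool, protected: bool) -> float:
    """Two endpoint controls present = low risk, one = mixed, none = high."""
    return {2: 15, 1: 50, 0: 90}[int(patched) + int(protected)]


def sub_scores(p: Profile) -> dict:
    return {
        "password": password_risk(p.password_length, p.password_reuse),
        "mfa": MFA_RISK[p.mfa],
        "breach": BREACH_RISK[p.breach],
        "phishing": PHISHING_RISK[p.phishing],
        "device": device_risk(p.patched, p.protected),
        "monitoring": 15 if p.alerts else 85,
        "recovery": RECOVERY_RISK[p.recovery],
    }


def risk_score(p: Profile, weights: dict = DEFAULT_WEIGHTS) -> float:
    """Weighted average divided by the total weight, so the result stays on
    0-100 even when the weights do not sum to 1."""
    scores = sub_scores(p)
    total = sum(weights.values())
    return round(sum(weights[k] * scores[k] for k in weights) / total, 2)


def risk_level(score: float) -> str:
    # Assumed thresholds; the page only states "below 30" as the target.
    if score < 30:
        return "Low"
    if score < 60:
        return "Moderate"
    if score < 80:
        return "High"
    return "Critical"


def breakdown(p: Profile, weights: dict = DEFAULT_WEIGHTS) -> dict:
    """Per-factor contribution to the final score, the rows an export would carry."""
    scores = sub_scores(p)
    total = sum(weights.values())
    return {k: round(weights[k] * scores[k] / total, 2) for k in weights}


def what_if(p: Profile, weights: dict = DEFAULT_WEIGHTS, **changes) -> float:
    """Score the same profile after control changes, e.g. mfa="app"."""
    return risk_score(replace(p, **changes), weights)


# Constructed profiles mirroring the page's three sample rows.
HARDENED = Profile(16, "unique", "app", "none", "low", True, True, True, "secured")
EVERYDAY = Profile(12, "some", "sms", "unknown", "medium", True, False, True, "default")
EXPOSED = Profile(9, "reused", "none", "medium", "high", False, False, False, "weak")

if __name__ == "__main__":
    for name, p in [("Hardened", HARDENED), ("Everyday", EVERYDAY), ("Exposed", EXPOSED)]:
        s = risk_score(p)
        print(f"{name:9s} {s:6.2f} {risk_level(s)}  {breakdown(p)}")
    print("Everyday after app MFA + no reuse:", what_if(EVERYDAY, mfa="app", password_reuse="unique"))
    print("Everyday, phishing-heavy weights:", risk_score(EVERYDAY, PHISHING_HEAVY_WEIGHTS))
```

Running it scores the three sample rows at roughly 16, 45 and 88. The what-if line shows that fixing MFA and reuse alone takes the Everyday profile to about 34, still above the 30 target, so recovery and device hygiene have to move as well; the phishing-heavy weights raise the same profile to about 47 without leaving the 0–100 scale.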
Password strength is modeled through length and reuse patterns. Short passwords increase guessing feasibility, while reuse amplifies credential-stuffing success when any site is breached. In many incident reviews, reuse is the fastest path from one compromise to many accounts. Target 12–16+ characters and unique secrets.
MFA strength shifts risk substantially because it disrupts password-only takeover. App- and key-based MFA are scored as lower risk than SMS because SMS codes are exposed to SIM-swap and interception; hardware keys are lower still because they are bound to the site origin and resist phishing and push-fatigue attacks. If you are protecting privileged roles, prioritize phishing-resistant MFA and require step-up verification for sensitive actions.
Breach exposure reflects whether your credentials or personal identifiers already appear in known breach data, which lets attackers test them at scale. Phishing susceptibility captures the likelihood of handing over credentials or approving an unexpected push prompt. If either signal is "high," remediation should include password rotation, improved awareness, and safer sign-in flows such as device-bound sessions and phishing-resistant MFA.
Unpatched endpoints and weak malware defenses enable keylogging, cookie theft, and session hijacking. Monitoring reduces time-to-detect by surfacing unusual sign-ins quickly. Recovery security matters because attackers often regain access by triggering a reset through the recovery email address or phone number. Store recovery codes offline, put MFA on the recovery mailbox, and review recovery contacts quarterly.
Export the breakdown to compare teams, roles, or account types. For example, privileged accounts should typically score below 30 with strong MFA and hardened endpoints. Track changes monthly: raising MFA strength, removing reuse, and enabling alerts often yields the fastest score reduction. Treat “Critical” as immediate action, and “High” as prioritized backlog work.
The score is not a probability of compromise. It is a normalized risk index for prioritization: use it to compare accounts, track improvements, and decide where controls will reduce exposure fastest.
Reuse enables automated credential stuffing. If one service leaks your password, attackers can rapidly test it elsewhere, often succeeding without targeting you personally.
Prefer authenticator apps or hardware keys. SMS is better than none, but it can be bypassed through SIM-swap or phone-number attacks in many regions.
An "Unknown" breach exposure represents uncertainty in credential history. If you cannot confirm exposure, assume moderate risk and reduce it by rotating passwords and enabling strong MFA.
Increase weights for the attack paths you observe most. For phishing-heavy environments, raise phishing and MFA weights. For device-heavy compromise, raise device hygiene and monitoring.
Aim for below 30 by using strong MFA, unique long passwords, secured recovery, patched endpoints, and always-on alerts. Lower targets may be appropriate for critical systems.
Important Note: All the calculators listed on this site are for educational purposes only and we do not guarantee the accuracy of results. Please consult other sources as well.