Example data table
| Example password | Length | Pool | Entropy (bits) | Score | Notes |
|---|---|---|---|---|---|
| password123 | 11 | 36 | 56.9 | ~15 | Common word + sequence. |
| QwErTy!23 | 9 | 95 | 59.1 | ~35 | Keyboard pattern reduces effective space. |
| BlueCandle_River7 | 18 | 95 | 118.2 | ~92 | Long, mixed, low pattern signals. |
| Correct Horse Battery Staple | 28 | 27 | 134.2 | ~96 | Passphrase; spaces can help if allowed. |
| Aaaa!!!!1111 | 12 | 95 | 78.6 | ~40 | Repeats and chunks are easy to predict. |
| n9^V2!kPz#4mL@1s | 16 | 95 | 104.2 | ~88 | Random-looking with strong search space. |
Formula used
Base entropy (bits)
Entropy = L × log2(N)
- L = password length
- N = character pool size (estimated)
Effective entropy and crack time
EffectiveEntropy = Entropy + log2(PenaltyFactor)
Guesses ≈ 0.5 × 2^(EffectiveEntropy)
TimeSeconds = Guesses ÷ GuessesPerSecond
PenaltyFactor is a multiplier below 1 that shrinks the space when common patterns appear (dictionary words, years, sequences, repeats, keyboard walks, or targeted assumptions), so log2(PenaltyFactor) is negative and lowers the effective entropy.
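The formulas above as a runnable sketch (an added example, not the calculator's own code). The pool-size rule, the pattern lists, the penalty multipliers and the two guess rates are assumptions made for illustration; the page does not publish the values the tool uses.

```python
import math
import re

# Assumed pool rule: sum the sizes of the character classes present (max 95).
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
# Constructed pattern signals and penalty multipliers (hypothetical values, all < 1).
COMMON_WORDS = ("password", "letmein", "welcome", "admin")
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl")
PENALTIES = {"dictionary": 2**-20, "sequence": 2**-8, "repeat": 2**-10}

def pool_size(pw):
    """N: estimated character pool."""
    return sum(size for rx, size in CLASSES if re.search(rx, pw))

def base_entropy(pw):
    """Entropy = L x log2(N)."""
    n = pool_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def signals(pw):
    """Return the set of predictable-pattern signals found in pw."""
    low, found = pw.lower(), set()
    if any(word in low for word in COMMON_WORDS):
        found.add("dictionary")
    if any(low[i:i + 3] in seq for seq in SEQUENCES for i in range(len(low) - 2)):
        found.add("sequence")          # 3+ chars of a run or keyboard walk
    if re.search(r"(.)\1{2,}", low):
        found.add("repeat")            # same character 3+ times in a row
    return found

def effective_entropy(pw):
    """EffectiveEntropy = Entropy + log2(PenaltyFactor), floored at 0 bits."""
    penalty_factor = math.prod(PENALTIES[s] for s in signals(pw))
    return max(0.0, base_entropy(pw) + math.log2(penalty_factor))

def crack_seconds(pw, guesses_per_second):
    """TimeSeconds = (0.5 x 2^EffectiveEntropy) / GuessesPerSecond."""
    return 0.5 * 2 ** effective_entropy(pw) / guesses_per_second

if __name__ == "__main__":
    # Assumed rates: throttled online login vs. offline attack on a fast hash.
    for pw in ("password123", "QwErTy!23", "n9^V2!kPz#4mL@1s"):
        print(f"{pw:18} base={base_entropy(pw):6.1f} eff={effective_entropy(pw):6.1f} "
              f"online={crack_seconds(pw, 1e3):.2e}s offline={crack_seconds(pw, 1e10):.2e}s")
```

With these assumed penalties, password123 loses 28 of its nominal bits and falls in well under a second at the offline rate, while the random-looking string keeps its full base entropy.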
How to use this calculator
- Enter a test password (avoid real account passwords).
- Select the likely attack scenario (online or offline).
- Choose the stored format to approximate cracking speed.
- Optionally override guesses per second for your environment.
- Enable targeted or personal-hint options if relevant.
- Click Calculate score to view results and exports.
Why guessability matters
Guessability is the practical likelihood that an attacker can reach your password within their budget of guesses. A strong score helps reduce account takeover risk after credential stuffing, phishing follow‑ups, or leaked hashes. Even “complex” passwords fail quickly when they match common words, keyboard walks, or predictable chunks. Because attackers try the most likely candidates first, reducing predictability often matters more than adding one extra symbol.
Entropy and search space
The calculator starts with an estimated character pool and converts length into bits of entropy. Entropy is logarithmic: 10 extra bits means about 1,024× more possibilities. Each extra character multiplies possibilities, so length usually dominates. Moving from 10 to 14 characters can add roughly 40% more entropy under the same pool. Passphrases also work because they increase length while staying memorable and typable on mobile keyboards.
Patterns that shrink resistance
Attackers do not guess randomly. They prioritize dictionaries, leaked password lists, common substitutions, repeats, and sequences such as “1234” or “abcd”. Keyboard patterns like “qwerty” appear frequently in breach corpora. The tool applies a penalty factor when these signals appear, reducing effective entropy to reflect that real cracking follows probability, not uniform chance. A targeted attacker can exploit hobbies, teams, cities, and pet names, narrowing the space further early in the guessing order and improving their hit rate.
Attack speed assumptions
Online attempts are constrained by rate limits and lockouts, often near 10–1,000 guesses per second. Offline cracking can reach billions of guesses per second against fast hashes, but far fewer against modern slow hashes. Selecting the stored format approximates this gap: a slow hash can reduce the guess rate by orders of magnitude, which stretches cracking time dramatically. The report uses median effort (about half the keyspace) to avoid overly optimistic “best case” times.
Improvement strategy
Use unique passwords per site, then increase length first. Remove names, dates, and predictable suffixes, and avoid recycling a base word with small variations. Prefer a password manager for truly random strings, or use a long passphrase of unrelated words. If you must meet composition rules, add randomness in the middle, not only at the end. Combine this with multi‑factor authentication, breach monitoring, and safe recovery options to reduce overall impact.
FAQs
Does this tool store my password?
No. The password is processed only for scoring on this page. It is not saved to a database, and no history is kept unless you add logging yourself.
Why can a “complex” password still score poorly?
Complexity does not help if the password is common or predictable. Dictionary words, keyboard patterns, repeats, and short lengths are guessed early, reducing effective entropy and increasing guessability.
What does “guesses per second” represent?
It estimates how fast an attacker can try candidates. Online attacks are slow due to throttling, while offline cracking can be extremely fast for weak hashes and slower for modern, memory‑hard hashes.
What score should I aim for?
As a practical target, aim for 75+ with a unique password per account. For high‑value accounts, prefer 85+ and enable multi‑factor authentication to reduce takeover risk further.
Are passphrases better than random strings?
Both can be strong. Random strings maximize entropy, but long passphrases are easier to remember and type. The key is length, uniqueness, and avoiding predictable phrases or quotes.
Why is crack time shown as an estimate?
Real cracking depends on attacker hardware, hash settings, and smart guessing strategies. The calculator uses reasonable defaults and median effort, but results should be treated as directional guidance, not a guarantee.