Password Strength Tester
Test password strength with crack time estimate and improvement tips.
How Password Cracking Works
Attackers use several methods to crack passwords. Brute force tries every possible combination — effective against short passwords but impractical against long ones. Dictionary attacks try common words and phrases. Rainbow table attacks use precomputed hash lookups. Credential stuffing uses passwords leaked from other breaches. Modern GPUs can test billions of password hashes per second, making weak passwords trivially crackable.
Password Entropy
Entropy measures password randomness in bits. Higher entropy means harder to crack. A password with N bits of entropy requires 2^N guesses in the worst case. A 40-bit password can be cracked in seconds; an 80-bit password would take thousands of years. Entropy depends on both the character set size and password length: Entropy = Length × log2(CharacterSetSize). This formula assumes each character is chosen uniformly at random from the set; a dictionary word or a predictable pattern has far less effective entropy than its length suggests. This is why length matters more than complexity.
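The entropy formula and worst-case crack-time estimate above, as an added worked example (not the tester's own code). It infers the character set from the classes present in the password and assumes an attacker guess rate of 10 billion per second, in line with the GPU figure above; both the rate and the sample passwords are assumptions of this example.

```python
import math
import string

# Assumed attacker speed (an assumption of this example, matching the page's
# "billions of hashes per second" for GPUs against a fast hash).
GUESSES_PER_SECOND = 1e10

def charset_size(password: str) -> int:
    """Infer the pool size from the character classes actually present.
    Non-ASCII characters are ignored (a simplification of this example)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size

def entropy_bits(password: str) -> float:
    """Entropy = Length x log2(CharacterSetSize), the formula from the page."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def worst_case_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """N bits of entropy means 2^N guesses in the worst case."""
    return 2.0 ** bits / rate

def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, length in (("years", 365 * 86400), ("days", 86400),
                         ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= length:
            return f"{seconds / length:.1f} {name}"
    return "less than a second"

def assess(password: str, rate: float = GUESSES_PER_SECOND) -> dict:
    """Summarise entropy and worst-case crack time for one password."""
    bits = entropy_bits(password)
    return {"bits": round(bits, 1),
            "worst_case": human_time(worst_case_seconds(bits, rate))}

if __name__ == "__main__":
    # Constructed samples: a dictionary word, a short "complex" password
    # (predictable in practice, so the formula overstates it), and a passphrase.
    for pw in ("password", "P@ssw0rd!", "correcthorsebatterystaple"):
        print(f"{pw!r:30} {assess(pw)}")
```

Note that the formula credits "P@ssw0rd!" with about 59 bits even though it is a well-known substitution pattern, which is exactly why the text above warns that dictionary words and predictable patterns have far less effective entropy.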
How Websites Should Store Passwords
Responsible websites never store passwords in plain text. They use adaptive hashing algorithms like bcrypt, Argon2, or PBKDF2, which are intentionally slow to make brute force attacks expensive. Each password is combined with a unique random salt before hashing, preventing rainbow table attacks. When you log in, the site hashes your input with the stored salt and compares the result to the stored hash — it never needs to keep your actual password.
NIST Password Guidelines
The National Institute of Standards and Technology (NIST) updated its password guidelines to prioritize length over complexity. Key recommendations: minimum 8 characters (12+ preferred), no forced complexity requirements (like requiring symbols), no mandatory password rotation, screening against common/breached passwords, and supporting passwords up to 64+ characters. These guidelines reflect modern understanding that complexity rules lead to predictable patterns like "P@ssw0rd!".
What to Do If Breached
If your password appears in a breach: change it immediately on that site and any site where you used the same password. Enable multi-factor authentication. Check haveibeenpwned.com to see if your email appears in known breaches. Consider using a password manager to generate and store unique passwords for every account. Monitor your accounts for suspicious activity and consider placing a fraud alert on your credit reports.