How Password Strength Checkers Work — Entropy, Crack Time, and the Scoring Algorithm
- Password strength is calculated using entropy — the number of possible combinations given length and character set.
- Crack time assumes an attacker trying 10 billion guesses per second (high-end GPU attack).
- Common patterns like "123" and "qwerty" reduce effective entropy even in long passwords.
- The score reflects raw mathematical strength — not whether the password appears in a breach list.
Table of Contents
Type a password into any strength checker and you get a score — Very Weak, Fair, Strong, Very Strong. But what is the algorithm actually measuring? The answer involves entropy, character sets, pattern penalties, and a specific attack model. Understanding the math helps you make better passwords, not just better-scoring ones.
What Is Password Entropy and Why Does It Matter?
Entropy is the foundation of every password strength calculation. It measures the number of possible combinations for a password of a given length using a given character set.
The formula is: Entropy (bits) = log2(character set size ^ password length)
In practice:
- Digits only (0-9): 10 possible characters per position
- Lowercase letters: 26 possible characters per position
- Mixed case + digits: 62 possible characters per position
- Mixed case + digits + symbols: 95 possible characters per position
A 12-character password using all character types: log2(95^12) = approximately 78.9 bits of entropy. That represents about 400 quadrillion possible combinations — which is why length and character variety are the two most important factors in any strength score.
How Crack Time Estimates Are Calculated
Crack time translates entropy into something intuitive: how long would it take an attacker to guess this password by brute force?
Most checkers assume a high-end GPU cracking rig attempting approximately 10 billion guesses per second. This is realistic for offline attacks — when an attacker has stolen a password hash database and is cracking it locally with dedicated hardware.
At 10 billion guesses per second:
- 6-character all-lowercase: 0.004 seconds
- 8-character mixed case + digits: about 7 minutes
- 12-character full character set: thousands of years
- 20-character full character set: billions of years
The crack time displayed by our checker uses this 10B/sec model. For online attacks (guessing through a login form), the number would be far longer because servers rate-limit attempts. The displayed time represents the worst-case scenario — an offline attack on a stolen hash.
Sell Custom Apparel — We Handle Printing & Free ShippingPattern Detection: When Length Is Not Enough
Raw entropy assumes every character is chosen randomly. Real passwords rarely are. Strength checkers apply penalties when they detect patterns that reduce effective entropy:
- Sequential characters: "123456" or "abcdef" — the entropy is much lower than six random characters because an attacker can generate these sequences in order
- Keyboard walks: "qwerty," "asdfgh" — common enough that they appear in every attack dictionary
- Common words: "password," "dragon," "admin" — found in every wordlist used in dictionary attacks
- Repeated characters: "aaaa" or "1111" — dramatically shrinks the effective character space
- Leet substitutions: "p@ssw0rd" — well-known substitutions are added to attack dictionaries and do not significantly increase security
A 10-character password made entirely of "1234512345" is mathematically longer than "Hi!8" but scores much lower because the repeating pattern reduces the effective character space to near zero.
What Password Strength Scores Do Not Measure
Strength checkers measure mathematical difficulty, not real-world security. Several important factors fall outside the score:
- Breach database exposure: A genuinely random 12-character password could appear in a breach list if you have used it before. Strength scores do not check whether a password has been compromised. For that, use a tool like Have I Been Pwned.
- Reuse risk: A "Very Strong" password used across 20 accounts is still a single point of failure. One breach of any of those 20 services exposes all of them.
- Phishing resistance: No password strength score tells you anything about whether you will be tricked into typing it into a fake login page.
- Storage quality: A strong password stored in a weak hash (MD5) is trivially crackable by modern attackers with the hash file.
Strength scores are a useful proxy for brute-force resistance. They are not a complete security picture.
How the WildandFree Password Checker Scores Your Password
Our checker evaluates eight specific criteria and gives you a detailed checklist alongside the overall score:
- At least 8 characters
- At least 12 characters (bonus for additional length)
- Contains uppercase letters
- Contains lowercase letters
- Contains numbers
- Contains special characters
- No common patterns (123, abc, qwerty)
- No repeated character sequences (aaa, 111)
The strength label (Very Weak through Very Strong) combines the checklist results with an entropy calculation. Crack time is displayed separately and assumes the 10B/sec offline attack model. The tips section fires when specific criteria fail, telling you exactly what to change rather than just showing a red bar.
Everything runs in your browser — the algorithm is the same whether you check one password or fifty.
See the Algorithm in Action — Check Your Password Now
Enter any password to see its entropy score, crack time estimate, and exactly which criteria it passes or fails. Runs entirely in your browser.
Open Password Strength CheckerFrequently Asked Questions
What is a good entropy score for a password?
Security experts generally recommend at least 50-60 bits for everyday accounts and 80+ bits for high-value accounts. A 12-character password using uppercase, lowercase, numbers, and symbols achieves roughly 78 bits. A 20-character version of the same hits around 130 bits.
Why does "correcthorsebatterystaple" score higher than "Tr0ub4dor&3"?
The four random words are longer (28 characters vs 11) and achieve higher entropy despite using only lowercase letters and spaces. Length contributes more to entropy than character variety, especially once you exceed 20+ characters. This is the core insight from the XKCD comic on password strength.
Does a higher strength score mean the password is safe to use?
It means it is harder to brute-force. A high-scoring password can still be compromised if it has appeared in a breach database, is phished out of you, or is reused across multiple accounts. Strength score is one dimension of security, not all of it.
Can I trust the crack time estimates?
They are accurate for the assumed attack model: 10 billion guesses per second with offline brute force. Real-world attack speeds vary based on hardware and the hashing algorithm used to store the password. Against slower hashing algorithms (bcrypt, Argon2), crack times would be orders of magnitude longer.
