How to Check Password Strength: The Complete Security Guide
Measure how strong a password really is: entropy in bits, estimated crack time, the three attacker models, and the pattern penalties that reveal weak passwords dressed up in complex-looking costumes.
- Measure password strength with entropy, estimate crack time, detect patterns, and learn why a 16-char passphrase beats a complex 8-char password.
- What Password Strength Actually Means.
- The Entropy Math in One Paragraph.
- The Five Score Tiers and Their Thresholds.
- The Three Attacker Scenarios.
What Password Strength Actually Means
Password strength is a single number, how many guesses an attacker would need to find your password by brute force, expressed in bits of entropy. Every additional bit doubles the work. A password with 40 bits of entropy takes a trillion guesses; add 20 bits and it takes a quintillion. The difference between a weak password and a strong one isn't aesthetic. It's an exponential curve.
The Password Strength Checker reduces that math to a single readable score (Very Weak, Weak, Fair, Strong, or Excellent) and then backs it up with the raw entropy in bits, crack times for three attacker scenarios, a 10-point security checklist, and a list of weak patterns it detected. The point isn't to get a green bar. The point is to understand why a password scored the way it did so the next password you write is stronger on purpose, not by accident.
This guide covers what entropy actually measures, how the checker calculates it, why certain "complex" passwords score poorly, the three attacker models the crack-time estimates simulate, the length-versus-complexity debate (length wins), and how the output of the tool translates into real-world choices about what passwords to use and where.
The Entropy Math in One Paragraph
Entropy is calculated from two things: the size of the character pool and the length of the password. The pool size adds up every class of character used (26 for lowercase letters, 26 for uppercase, 10 for digits, 33 for common symbols), so a password using all four classes has a pool of 95. The formula is: entropy = length × log2(poolSize). For Tr0ub4dor&3 (11 characters, all four classes), that's 11 × log2(95) ≈ 72 bits.
The pattern penalty is empirical, not cryptographic. The checker removes 8 bits of entropy per detected weakness (keyboard walks, sequential letters, repeated characters, common dictionary words, years). If the penalties would push entropy below zero, the tool floors it at 30% of the original, because even a cracked password still has some residual guess cost. The result is called effective entropy, and that's what drives the score and crack-time estimates.
The Five Score Tiers and Their Thresholds
The score tiers map directly to effective entropy bands. Each band corresponds to a realistic attacker scenario at which the password becomes infeasible to crack:
- Very Weak (< 28 bits): crackable in seconds on any modern hardware. Typical of 6-letter words, password123, or anything on a top-100 common passwords list.
- Weak (28–40 bits): crackable in hours to days. Short passwords with mixed characters, or longer passwords with dictionary words and predictable substitutions.
- Fair (40–60 bits): crackable in weeks to years by an offline attacker. Acceptable for low-stakes accounts but not for anything that matters.
- Strong (60–80 bits): decades to centuries of offline GPU work. The realistic floor for anything protecting money, identity, or sensitive data.
- Excellent (80+ bits): infeasible to crack with any foreseeable hardware. Reserved for root accounts, password manager master passwords, and crypto wallet keys.
The thresholds aren't arbitrary. 28 bits is roughly where a modern GPU cluster finishes brute-forcing in a few minutes. 60 bits is roughly where the work exceeds a year at 100 billion guesses per second. 80 bits is the NIST recommendation for long-term sensitive data. Landing one tier higher than you think you need is the right move: attackers get faster every year, and you're unlikely to rotate the password.
The Three Attacker Scenarios
Crack time depends entirely on how fast the attacker can make guesses. The tool shows three scenarios that bracket the real-world range:
Online throttled (100 guesses/sec). The attacker is hitting a login form that rate-limits requests. Most production login systems cap attempts at a few per minute and lock accounts after a threshold. This is the least dangerous attack and the least realistic for any password that might leak through a data breach.
Online unthrottled (10,000 guesses/sec). Either the system has no rate limiting, the attacker has spread attempts across many IP addresses, or the target is an API endpoint that doesn't lock accounts. This is common enough that you should assume it for any cloud service with poor security hygiene.
Offline fast (100 billion guesses/sec). The attacker has stolen a database of password hashes (via SQL injection, a cloud misconfiguration, a dump sold on a criminal forum) and is cracking them on their own hardware. This is the scenario that matters. If a password can't survive this model, it can't survive a breach, and breaches happen constantly.
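The arithmetic from the entropy paragraph, the tier thresholds and the three attacker models in one place, as an added JavaScript example. This is not the checker's own source: the pool sizes, the 8-bit penalty, the 30% floor, the tier bands and the three guess rates are the ones stated above, while the `patternCount` argument (the pattern detector is left out here), the full-space guess count and the duration units are assumptions of this example.

```javascript
// Added example, not the checker's own source: the entropy, penalty,
// tier and crack-time arithmetic as the guide describes it.

// Character classes and the pool size each one contributes.
const CLASSES = [
  { name: 'lowercase', re: /[a-z]/, size: 26 },
  { name: 'uppercase', re: /[A-Z]/, size: 26 },
  { name: 'digit', re: /[0-9]/, size: 10 },
  { name: 'symbol', re: /[^A-Za-z0-9]/, size: 33 },
];

// Pool size is the sum of every class present (all four classes = 95).
function poolSize(password) {
  return CLASSES.reduce((sum, c) => sum + (c.re.test(password) ? c.size : 0), 0);
}

// Naive entropy: length * log2(poolSize).
function naiveEntropy(password) {
  if (password.length === 0) return 0;
  return password.length * Math.log2(poolSize(password));
}

// 8 bits removed per detected weakness, never dropping below 30% of the
// naive value. (Assumption: the guide describes the 30% floor for the
// below-zero case; applying it as a general floor also covers that case.)
const PENALTY_BITS = 8;
const FLOOR_FRACTION = 0.3;
function effectiveEntropy(naiveBits, patternCount) {
  const penalised = naiveBits - PENALTY_BITS * patternCount;
  return Math.max(penalised, naiveBits * FLOOR_FRACTION);
}

// Score tiers from the guide's effective-entropy bands.
function scoreTier(bits) {
  if (bits < 28) return 'Very Weak';
  if (bits < 40) return 'Weak';
  if (bits < 60) return 'Fair';
  if (bits < 80) return 'Strong';
  return 'Excellent';
}

// The three attacker models, in guesses per second.
const SCENARIOS = {
  'online throttled': 1e2,
  'online unthrottled': 1e4,
  'offline fast': 1e11,
};

// Worst case: the whole 2^bits space is searched. (Assumption: the guide
// quotes full-space counts, e.g. "40 bits takes a trillion guesses".)
function crackSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond;
}

// Render seconds in the largest unit that fits (units are this example's choice).
function humanDuration(seconds) {
  const units = [
    ['centuries', 3153600000], ['years', 31536000], ['days', 86400],
    ['hours', 3600], ['minutes', 60], ['seconds', 1],
  ];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toFixed(1)} ${name}`;
  }
  return 'under a second';
}

// Full analysis. patternCount would come from the pattern detector; here
// it is passed in so the arithmetic can be inspected on its own.
function analyse(password, patternCount = 0) {
  const naive = naiveEntropy(password);
  const effective = effectiveEntropy(naive, patternCount);
  const crackTimes = {};
  for (const [name, rate] of Object.entries(SCENARIOS)) {
    crackTimes[name] = humanDuration(crackSeconds(effective, rate));
  }
  return { naive, effective, tier: scoreTier(effective), crackTimes };
}

// Demonstration: the guide's example with and without penalties, and a
// 16-character all-lowercase string for comparison.
for (const [pw, penalties] of [['Tr0ub4dor&3', 0], ['Tr0ub4dor&3', 3], ['correcthorsebatt', 0]]) {
  console.log(pw, JSON.stringify(analyse(pw, penalties)));
}
```

Running it shows the length effect directly: the 16-character lowercase string lands in Strong on naive entropy alone, while an 8-character string using all four classes (pool 95) lands in Fair, because 16 × log2(26) is larger than 8 × log2(95).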
The Six Patterns the Checker Flags
Pattern detection runs on a lowercase copy of the password and checks for six specific weaknesses. Each one triggers a warning in the UI and removes 8 bits of effective entropy. The patterns aren't arbitrary; they're the ones that make a password fall to dictionary and rule-based attacks long before brute force becomes necessary.
- Common passwords. The password matches an entry on a top-10K list (`password`, `123456`, `qwerty`, `letmein`, `iloveyou`, etc.), or contains one as a substring. These are the first 10,000 guesses any attacker tries.
- Keyboard walks. Strings like `qwerty`, `asdfgh`, `zxcvbn`, `qazwsx`, or `qwertyuiop` that follow key positions rather than letter meaning. Every cracker tool generates these before random strings.
- Sequential letters. Runs like `abc`, `bcd`, `cde` through `xyz`. Fun to type, trivial to guess.
- Sequential numbers. `012`, `123`, `234` through `890`. The most common "I added numbers to make it stronger" pattern.
- Repeated characters. Three or more of the same character in a row (`aaa`, `!!!`, `111`). These add visible length but almost no entropy; an attacker who knows the length just iterates through each character class once per position.
- Years. Any 4-digit sequence starting with `19` or `20` (`1985`, `2024`, `2026`). Birth years, graduation years, and current years are the first modifications attackers try on dictionary words.
A password with zero detected patterns can still be weak if it's short or uses a small character pool. But a password with detected patterns is effectively weak even if it *looks* strong. P@ssw0rd2024 has 11 characters and four character classes; by naive entropy it's around 72 bits. By effective entropy, after penalties for a common word *and* a year *and* predictable substitution, it drops to around 20 bits. The checker is showing you the attacker's view, not the impressive-looking view.
Why Length Beats Complexity
The most important lesson in password security is counterintuitive: a long simple password is stronger than a short complex one. This contradicts the password advice most people grew up with ("at least one uppercase, one lowercase, one number, one symbol") and it contradicts what many websites still enforce. It's still true.
Compare two passwords of roughly equal *difficulty to type*:
The passphrase has roughly 50 more bits of effective entropy (more than a trillion times harder to crack) despite using only lowercase letters. The math works because each additional character is another log2(poolSize) bits. Doubling length adds more bits than upgrading from lowercase to all-classes at the original length.
There's a practical wrinkle: not every system accepts 28-character passwords, spaces, or symbols. Some banks still cap passwords at 16 characters. Some enterprise systems forbid spaces. When you hit these constraints, use a password manager to generate the longest allowable random string, and save the mental effort of memorization for your password manager master password, which you'll type daily and should be a long passphrase.
The Ten-Point Security Checklist
Below the strength meter, the checker runs ten boolean checks against the password. These aren't weighted; they're a breakdown of the factors that feed into the entropy calculation, shown individually so you can see what's missing. A password can score Strong while failing two or three of these checks, and that's fine. The checks are diagnostics, not requirements.
- At least 12 characters. The floor for anything other than throwaway accounts. Below 12, even a mixed-class password falls to offline cracking in hours.
- Contains lowercase letter. Adds 26 to the character pool.
- Contains uppercase letter. Adds another 26, doubling the pool when paired with lowercase.
- Contains number. Adds 10. Cheapest way to grow the pool.
- Contains symbol. Adds 33 (the common keyboard symbols). Biggest single-class contribution, but typing-unfriendly and some systems reject certain symbols.
- No repeated characters (3+ in a row). Flags `aaa`, `111`, `!!!`. Repeated characters are essentially free guesses for an attacker.
- No sequential letters. Flags `abc`, `xyz`, and neighbors. Attackers generate these before random strings.
- No sequential numbers. Flags `123`, `789`, etc. Same reason.
- Not on common password list. Matches against a subset of the top-10K common-passwords list. If this fails, nothing else matters; the password will fall in the first seconds of any attack.
- No year (19xx / 20xx). Any 4-digit sequence starting with `19` or `20`. Birth years and current years are trivially added to dictionary attacks.
Treat the checklist as a punch-list for iteration. If three items fail, address the one that costs the least to fix, usually length. Going from 10 characters to 14 without changing anything else can flip the score from Fair to Strong, because each added character multiplies the number of possible passwords by the pool size.
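The six pattern checks from the previous section and the ten checklist items above, implemented together as an added JavaScript example that is not the checker's own code. `COMMON_PASSWORDS` is a constructed ten-entry stand-in for the top-10K list, the trailing `0` in `DIGITS` is how this example catches the `890` run, and the leetspeak normalisation before the common-word lookup is this example's addition (it is why `P@ssw0rd2024` is flagged as a common word here), not a documented feature of the checker.

```javascript
// Added example, not the checker's own source: the six pattern checks and
// the ten-point checklist described in the guide.

// Constructed subset of a top-10K common-password list (the real checker
// uses a much larger list).
const COMMON_PASSWORDS = [
  'password', '123456', '12345678', 'qwerty', 'letmein',
  'iloveyou', 'abc123', 'monkey', 'dragon', 'welcome',
];
// Keyboard walks named in the guide.
const KEYBOARD_WALKS = ['qwerty', 'asdfgh', 'zxcvbn', 'qazwsx', 'qwertyuiop'];
const LETTERS = 'abcdefghijklmnopqrstuvwxyz';
// Trailing 0 so the "890" run the guide lists is caught as well.
const DIGITS = '01234567890';

// Assumption: undo the leetspeak substitutions the guide names (a->@, e->3,
// i->1, o->0, s->$) before the common-word lookup, so P@ssw0rd still matches.
const LEET = { '@': 'a', '3': 'e', '1': 'i', '0': 'o', '$': 's' };
function deleet(s) {
  return s.replace(/[@310$]/g, (c) => LEET[c]);
}

// True if any three consecutive characters are consecutive in `alphabet`.
function hasSequentialRun(s, alphabet) {
  for (let i = 0; i + 2 < s.length; i++) {
    const pos = alphabet.indexOf(s[i]);
    if (pos < 0) continue;
    if (alphabet[pos + 1] === s[i + 1] && alphabet[pos + 2] === s[i + 2]) return true;
  }
  return false;
}

// The six weaknesses; each one that fires costs 8 bits of effective entropy.
const PATTERN_CHECKS = {
  common: (p) => COMMON_PASSWORDS.some((w) => p.includes(w) || deleet(p).includes(w)),
  keyboardWalk: (p) => KEYBOARD_WALKS.some((w) => p.includes(w)),
  sequentialLetters: (p) => hasSequentialRun(p, LETTERS),
  sequentialNumbers: (p) => hasSequentialRun(p, DIGITS),
  repeatedChars: (p) => /(.)\1\1/.test(p),
  year: (p) => /(19|20)\d\d/.test(p),
};

// Runs on a lowercase copy of the password, as the guide says.
function detectPatterns(password) {
  const lower = password.toLowerCase();
  return Object.keys(PATTERN_CHECKS).filter((name) => PATTERN_CHECKS[name](lower));
}

// The ten diagnostics, unweighted: five pool checks plus the inverse of
// five of the pattern checks (keyboard walks are not on the checklist).
function checklist(password) {
  const found = new Set(detectPatterns(password));
  return {
    minLength12: password.length >= 12,
    hasLowercase: /[a-z]/.test(password),
    hasUppercase: /[A-Z]/.test(password),
    hasDigit: /[0-9]/.test(password),
    hasSymbol: /[^A-Za-z0-9]/.test(password),
    noRepeatedChars: !found.has('repeatedChars'),
    noSequentialLetters: !found.has('sequentialLetters'),
    noSequentialNumbers: !found.has('sequentialNumbers'),
    notCommon: !found.has('common'),
    noYear: !found.has('year'),
  };
}

function passedCount(password) {
  return Object.values(checklist(password)).filter(Boolean).length;
}

for (const pw of ['P@ssw0rd2024', 'abc123aaa1999', 'Tr0ub4dor&3']) {
  console.log(pw, detectPatterns(pw), `${passedCount(pw)}/10 checks pass`);
}
```

The interesting case is `Tr0ub4dor&3`: no pattern fires and nine of ten checks pass, yet it fails the length check, which is exactly the "one cheap fix" the punch-list advice points at.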
Master Passwords and the Passphrase Strategy
If you use a password manager, you have one password that matters more than all the others: the master password that unlocks the vault. This password can't live in a password manager (chicken and egg), has to be memorable enough to type daily, and has to survive the full offline-cracking scenario, because the vault file gets stolen and cracked at attacker leisure, not through a rate-limited login form.
The standard answer is the diceware passphrase: 5 to 7 random words from a large curated list, chosen by actual dice rolls or a cryptographically secure random number generator. A 6-word passphrase from the 7,776-word EFF list has log2(7776^6) ≈ 77 bits of entropy, safely in the Strong band, well before any case/punctuation modifications. Words chosen this way aren't predictable dictionary words in the cracking sense, because they're random draws from a uniform distribution.
The tool will score these Strong or Excellent without any added complexity. The only penalty applies if your "random" words form an existing phrase: don't use song lyrics, movie quotes, or Bible verses. The point of diceware is that the words are actually drawn from a random distribution, not that they look random.
For master passwords specifically, aim for 80+ bits of effective entropy in the checker. That's enough to survive decades of cracking improvements, which matters because a master password leak means every account you own leaks simultaneously. Everything else can be shorter and managed automatically.
Why This Tool Runs 100% in Your Browser
Typing a real password into a web form is a security risk. Most "password strength checker" sites transmit what you type to a server, log it, and in the worst case store it in a database that later leaks. Even sites that *claim* not to store passwords have to be trusted with something no one should trust anyone with.
The Password Strength Checker on UDT runs entirely in client-side JavaScript. The entropy calculation, pattern detection, and crack-time estimates all happen in the browser tab you're looking at. There is no network request when you type. You can verify this:
- Open browser DevTools (F12 on most browsers).
- Switch to the Network tab.
- Type a password into the tool.
- Observe that zero new requests appear during typing.
- As a stronger test: disconnect from the internet and reload the page; the tool still works, because the analysis code is already in the browser.
Common Mistakes the Checker Catches
The checker surfaces a handful of recurring anti-patterns that look like good passwords and aren't. Learning to recognize these saves the back-and-forth of typing, seeing a weak score, and guessing why.
The leetspeak shuffle. Substituting a→@, e→3, i→1, o→0, s→$ on a dictionary word adds almost no entropy. Cracking tools generate every leetspeak variant of every word in their dictionary as a standard rule. P@ssw0rd and password have roughly the same crack time.
The appended year. Spring2024, Smith1985, Company2026!. Year appending is the single most common pattern in corporate password policies, and it's the first rule attacker tools apply. The checker flags any 4-digit year and penalizes entropy accordingly.
The capitalized first letter + symbol at the end. Dragon!, Rainbow@, Thunder#. This is the exact pattern most humans default to when forced to include an uppercase letter and a symbol. Because it's the default, it's the first thing cracking tools try. A password with a random symbol in the middle scores meaningfully higher.
The keyboard walk disguised as complexity. 1qaz@WSX, !QAZxsw2, asdfASDF. Looks like eight chars across four classes. Is actually a pattern a cracker generates in the first few million guesses. The checker catches the common walks; newer or less common ones may slip through but are still weak for the same reason.
The reused password with a site suffix. mypassword-fb, mypassword-gm, mypassword-amz. If one site leaks, the rule is obvious and every other account falls. The checker can't detect this pattern (it has no context for your other passwords), but it's the single most common cause of credential-stuffing breaches. Use a password manager and generate unique passwords per site.
Target Scores for Real-World Accounts
Not every account needs a 20-character passphrase. Match the password strength to the consequences of losing the account:
- Throwaway / newsletter signups: Fair is fine. If these leak, the consequences are spam, not disaster. Better to use a password manager with a short random string than to memorize anything.
- Standard online accounts (social media, shopping, streaming): Strong. These carry credit cards, identity info, and correspondence that matters.
- Financial accounts (bank, broker, crypto exchange, venmo/cashapp): Strong minimum, Excellent preferred. The downside of a compromise is direct monetary loss.
- Email accounts: Excellent. Email is the root of trust for every other account via password resets. If an attacker controls your email, they control everything.
- Password manager master password: Excellent, 80+ bits. See the previous section. This is the one password that unlocks all the others.
- Work accounts with MFA: Strong is fine if MFA is on every login. MFA raises the floor dramatically. Without MFA, treat work accounts like financial accounts.
The reason these are ranges rather than absolute minimums: your defenses are layered. A Fair password behind MFA and behind a rate-limited login form and behind a service that uses Argon2 hashing is safer than an Excellent password protecting plain SHA-1 hashes with no other controls. The checker tells you one number. The number is part of the picture.
A Workflow for Using the Checker
The practical way to use a password strength checker isn't to type your actual passwords and see what score they get. It's to use the tool during password generation: test the shape of the password you're about to use, iterate on it until it scores where you want, and then commit to the final version in your password manager.
- Step 1. Decide the target tier. Financial account: Strong minimum. Email or master password: Excellent. Everything else: Strong.
- Step 2. Pick a generation strategy. For master passwords, a diceware passphrase. For everything else, a password-manager-generated random string.
- Step 3. Type a similar password into the checker, not the one you'll actually use. Use the same length, same character classes, and any structural choices (separators, capitalization pattern).
- Step 4. Confirm the score hits your target. If not, go back to step 2 with a longer length.
- Step 5. Generate the real password in your password manager with the confirmed parameters. Paste into the account signup. Save to the manager. Never type the real password into the checker; you've already validated the shape.
This workflow treats the checker as a calibration tool, not a scoring tool. The actual password never leaves your password manager. You've measured the pattern's strength with a decoy password, and the real one inherits that strength by construction. This is the way.
Frequently Asked Questions
Is it safe to type my real password into this tool?
Why does my 'complex' password score poorly?
How accurate are the crack-time estimates?
Is a 16-character passphrase really stronger than an 8-character complex password?
Should I use the same password across low-risk sites to save effort?
Does multi-factor authentication (MFA) make password strength irrelevant?
Use the Password Strength Checker: free, no signup required.
Open Password Strength Checker