# Password Strength Checker
Estimate how long it would take to crack your password using zxcvbn.
## Why Your "Strong" Password Might Score Weak: What zxcvbn Actually Measures
Most password strength meters are naive: they count character classes (uppercase: check, digit: check, symbol: check) and output a colored bar. Such meters say almost nothing about security because they ignore how attackers actually work. A password like "P@ssw0rd1!" passes every naive meter but falls in seconds to any competent attacker running a wordlist with l33t-speak and append-digit rules, which is the standard first pass in any offline crack.
This tool uses zxcvbn, the estimator open-sourced by Dropbox in 2012 and still widely used for client-side strength estimation. Rather than counting character classes, zxcvbn models attacker behavior:
- It checks a ranked list of about 30,000 common passwords, plus ranked lists of English words, first names and surnames, for exact, reversed and l33t-substituted matches.
- It detects keyboard walks: qwerty, asdfgh, 1qaz2wsx.
- It identifies dates and recent years: 19/07/1985, 0719, 1985.
- It recognizes l33t-speak substitutions: @ for a, 3 for e, 0 for o.
- It catches repeats and sequences: aaaa, abcabc, 123456, zyxw.
- It handles capitalization patterns: CamelCase, first-letter only, all-caps.
After collecting every candidate match, zxcvbn picks the non-overlapping sequence of matches that covers the whole password with the fewest total guesses, treating any leftover characters as brute force. That minimum is what a skilled attacker who knows the same wordlists and mutation rules would need. The "estimated crack time" divides that guess count by four attack rates: online throttled (100 guesses per hour), online unthrottled (10 per second), offline against a slow hash such as bcrypt (10,000 per second), and offline against a fast unsalted hash such as MD5 on a GPU cluster (10 billion per second).
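The contrast between a character-class meter and a pattern-aware estimator, and the "cheapest cover" idea just described, as an added example. This is a deliberately small reimplementation written for this page, not the zxcvbn library: the ranked wordlist and l33t table are constructed toy data, the capitalization and l33t multipliers follow zxcvbn's published rules, and the cover search is simplified (segment guesses are multiplied; zxcvbn's ordering penalty is left out). Names such as `minimumGuesses` and `naiveGuesses` are this example's own.

```javascript
// Added example (not zxcvbn itself): a tiny pattern-aware guess estimator next to a
// naive character-class estimate. Constructed toy data throughout.
const RANKED_PASSWORDS = ['123456', 'password', 'qwerty', 'letmein', 'dragon', 'monkey', 'baseball'];
const RANK = new Map(RANKED_PASSWORDS.map((w, i) => [w, i + 1])); // rank 1 = most common

// Reverse l33t table: substituted character -> the letter it stands for.
const UNL33T = { '@': 'a', '4': 'a', '3': 'e', '0': 'o', '$': 's', '5': 's' };

function choose(n, k) { // binomial coefficient C(n, k)
  if (k > n) return 0;
  let r = 1;
  for (let i = 1; i <= k; i++) r = (r * (n - k + i)) / i;
  return r;
}

// Multiplier for capitalization, following zxcvbn's rule: all-lower costs nothing,
// first-letter-only and all-caps cost x2, anything else costs the number of ways to
// place that many capitals.
function uppercaseVariations(token) {
  if (token === token.toLowerCase()) return 1;
  if (/^[A-Z][^A-Z]*$/.test(token) || token === token.toUpperCase()) return 2;
  const U = [...token].filter(c => /[A-Z]/.test(c)).length;
  const L = [...token].filter(c => /[a-z]/.test(c)).length;
  let v = 0;
  for (let i = 1; i <= Math.min(U, L); i++) v += choose(U + L, i);
  return v;
}

// Multiplier for the l33t substitutions actually used in the token (zxcvbn's rule):
// a letter that is always or never substituted costs x2; a mix costs the number of
// ways the attacker must try to place the substitutions.
function l33tVariations(token, subs) {
  let v = 1;
  const chars = [...token.toLowerCase()];
  for (const [sub, letter] of Object.entries(subs)) {
    const S = chars.filter(c => c === sub).length;    // substituted occurrences
    const U = chars.filter(c => c === letter).length; // occurrences left as-is
    if (S === 0 || U === 0) { v *= 2; continue; }
    let p = 0;
    for (let i = 1; i <= Math.min(U, S); i++) p += choose(U + S, i);
    v *= p;
  }
  return v;
}

// Every substring that is a ranked word once l33t characters are mapped back.
function dictionaryMatches(pw) {
  const matches = [];
  for (let i = 0; i < pw.length; i++) {
    for (let j = i + 1; j <= pw.length; j++) {
      const token = pw.slice(i, j);
      const subs = {};
      const word = [...token.toLowerCase()]
        .map(c => { if (UNL33T[c]) { subs[c] = UNL33T[c]; return UNL33T[c]; } return c; })
        .join('');
      const rank = RANK.get(word);
      if (!rank) continue;
      matches.push({ i, j, token, word, guesses: rank * uppercaseVariations(token) * l33tVariations(token, subs) });
    }
  }
  return matches;
}

// Cheapest attacker cover of the password: each character is either inside a dictionary
// match or brute-forced at 10 guesses per character (zxcvbn's lowest brute-force
// cardinality). Simplification: segment guesses are multiplied, no ordering penalty.
const BRUTEFORCE_CARDINALITY = 10;
function minimumGuesses(pw) {
  const n = pw.length, matches = dictionaryMatches(pw);
  const best = new Array(n + 1).fill(Infinity), via = new Array(n + 1).fill(null);
  best[0] = 1;
  for (let j = 1; j <= n; j++) {
    const bf = best[j - 1] * BRUTEFORCE_CARDINALITY;
    if (bf < best[j]) { best[j] = bf; via[j] = { i: j - 1, token: pw[j - 1], kind: 'bruteforce' }; }
    for (const m of matches) {
      if (m.j !== j) continue;
      const g = best[m.i] * m.guesses;
      if (g < best[j]) { best[j] = g; via[j] = { ...m, kind: 'dictionary' }; }
    }
  }
  const sequence = [];
  for (let j = n; j > 0; j = via[j].i) sequence.unshift(via[j]); // walk back the chosen cover
  return { guesses: best[n], sequence };
}

// What a character-class meter implicitly assumes: every character drawn uniformly
// from the union of the classes present (26 + 26 + 10 + 33 = 95 printable ASCII).
function naiveGuesses(pw) {
  let card = 0;
  if (/[a-z]/.test(pw)) card += 26;
  if (/[A-Z]/.test(pw)) card += 26;
  if (/[0-9]/.test(pw)) card += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) card += 33;
  return Math.pow(card, pw.length);
}

for (const pw of ['P@ssw0rd1!', 'dragon', 'PaSsWoRd']) {
  const { guesses, sequence } = minimumGuesses(pw);
  console.log(pw, 'naive log10:', Math.log10(naiveGuesses(pw)).toFixed(1),
    'pattern-aware log10:', Math.log10(guesses).toFixed(1),
    'cover:', sequence.map(s => `${s.kind}:${s.token}`).join(' + '));
}
```

For "P@ssw0rd1!" the naive model credits almost 20 decimal digits of guessing, while the pattern-aware cover is "dictionary:P@ssw0rd" (rank 2, times 2 for the capital, times 4 for the two substitutions) plus two brute-forced characters, about 1,600 guesses in total. Real zxcvbn adds the other matchers and its ordering penalty on top, so its absolute numbers differ, but the ranking of passwords is the same.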
## Reading the Score Correctly
The 0–4 score is a coarse bucket of the guess count (the thresholds are zxcvbn's). A password just over a threshold is only as strong as that threshold, so read the guess count and the per-rate crack times, not just the score. At the four attack rates the thresholds mean:
- Score 0: fewer than 1,000 guesses. Gone immediately at any rate; even throttled online guessing at 100 per hour gets there in about ten hours.
- Score 1: fewer than 1,000,000 guesses. Roughly a day of unthrottled online guessing; seconds offline even against bcrypt.
- Score 2: fewer than 100,000,000 guesses. Survives throttled online attacks for decades and unthrottled ones for months; falls in hours to an offline attack against a slow hash and instantly to one against a fast hash.
- Score 3: fewer than 10,000,000,000 guesses. Survives online attacks; offline it lasts about a week or two against bcrypt-class hashes and about a second against MD5-class hashes.
- Score 4: 10,000,000,000 guesses or more. This is a floor, not a guarantee: at exactly 10 billion guesses a fast-hash attacker needs about a second. The estimated crack time shown alongside the score tells you how far past the floor a password actually is.
The threshold for "actually secure" depends on what protects the hash and on the actual guess count, not the score bucket. zxcvbn's slow-hashing rate of 10,000 guesses per second is on the order of one high-end GPU against bcrypt at cost 10 (a well-tuned memory-hard KDF such as Argon2id is slower still); its fast-hashing rate of 10 billion per second stands in for unsalted MD5 or SHA-1 on a GPU cluster. At 10,000 per second, a decade of offline resistance needs about 3 trillion guesses, well past the score 4 floor of 10 billion; at 10 billion per second it needs about 3 quintillion, on the order of 2^61, which only a long random password or passphrase reaches. Against a slow hash, score 3 buys days and score 4 buys at least a couple of weeks; against a fast hash, nothing short of a guess count far beyond the score 4 floor means anything.
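The score buckets and attack rates above, turned into code so the "decades against bcrypt" question can be answered with numbers rather than by eyeballing the bar. This is an added example written for this page, not code from zxcvbn: the thresholds (with zxcvbn's small DELTA padding) and the four rates are zxcvbn's published values, the display buckets approximate its human-readable output, and `guessesNeeded` is an inverse helper of this example's own.

```javascript
// Added example (not the zxcvbn library): guess count -> score and guess count -> crack
// time at zxcvbn's four attack rates, plus the inverse question "how many guesses do I
// need to survive N years at a given rate?".
const ATTACK_RATES = {                               // guesses per second
  online_throttling_100_per_hour: 100 / 3600,
  online_no_throttling_10_per_second: 10,
  offline_slow_hashing_1e4_per_second: 1e4,         // bcrypt / scrypt / PBKDF2 on a GPU
  offline_fast_hashing_1e10_per_second: 1e10,       // unsalted MD5 / SHA-1 on a GPU cluster
};

// zxcvbn's bucket thresholds. DELTA nudges the cut-offs so a password with exactly
// 1,000 guesses is still score 0, and so on.
function guessesToScore(guesses) {
  const DELTA = 5;
  if (guesses < 1e3 + DELTA) return 0;
  if (guesses < 1e6 + DELTA) return 1;
  if (guesses < 1e8 + DELTA) return 2;
  if (guesses < 1e10 + DELTA) return 3;
  return 4;
}

// Human-readable time, approximating zxcvbn's display buckets (31-day months,
// 12-month years, 100-year centuries).
function displayTime(seconds) {
  const minute = 60, hour = 3600, day = 86400, month = 31 * day, year = 12 * month, century = 100 * year;
  if (seconds < 1) return 'less than a second';
  const buckets = [[minute, 'second', 1], [hour, 'minute', minute], [day, 'hour', hour],
                   [month, 'day', day], [year, 'month', month], [century, 'year', year]];
  for (const [limit, unit, div] of buckets) {
    if (seconds < limit) {
      const n = Math.round(seconds / div);
      return `${n} ${unit}${n === 1 ? '' : 's'}`;
    }
  }
  return 'centuries';
}

// Crack time at every rate for a given guess count.
function crackTimes(guesses) {
  const out = {};
  for (const [name, rate] of Object.entries(ATTACK_RATES)) {
    const seconds = guesses / rate;
    out[name] = { seconds, display: displayTime(seconds) };
  }
  return out;
}

// Inverse: the guess count needed to hold out `years` years at `rate` guesses/second.
function guessesNeeded(years, rate) {
  return years * 365.25 * 86400 * rate;
}

// Walk the score thresholds and show what each one actually buys at each rate.
for (const guesses of [1e3, 1e6, 1e8, 1e10]) {
  const times = crackTimes(guesses);
  console.log(`guesses=${guesses.toExponential(0)} score=${guessesToScore(guesses)}`,
    Object.entries(times).map(([k, v]) => `${k}: ${v.display}`).join(' | '));
}
console.log('guesses for 10 years vs bcrypt-class:', guessesNeeded(10, ATTACK_RATES.offline_slow_hashing_1e4_per_second).toExponential(2));
console.log('guesses for 10 years vs MD5-class:  ', guessesNeeded(10, ATTACK_RATES.offline_fast_hashing_1e10_per_second).toExponential(2));
```

Running it shows the point of this section: 100 million guesses (the top of score 2) is about 3 hours against the slow-hash rate, 10 billion (the score 4 floor) is 12 days against it and 1 second against the fast-hash rate, and ten years of slow-hash resistance needs about 3.2e12 guesses.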
## How to Use This Tool
- Type or paste a password into the input field.
- The score, estimated crack time at each attack speed, and weakness explanations appear instantly as you type.
- The feedback section identifies exactly which pattern weakened the score.
All evaluation runs in your browser. The password never leaves your device.
## man password-strength-checker
?> Why does "P@ssw0rd1!" score so low when it has uppercase, lowercase, digits, and symbols?
Because zxcvbn matches "P@ssw0rd" as a l33t-substituted, capitalized form of "password", one of the very top entries in its common-password list. The substitutions (@ for a, 0 for o) and the capital P multiply the guess count only by a small factor, because attackers apply exactly those mutation rules to their wordlists first; the trailing "1!" is just two brute-forced characters. Ten characters and four character classes do not help when eight of those characters are a known word with expected mutations.
?> My password scores 4. Does that mean it is uncrackable?
Score 4 means zxcvbn estimates at least 10 billion guesses, which is only a floor: a fast-hash attacker at 10 billion guesses per second gets through that floor in about a second, so read the estimated crack time and the guess count rather than the score alone. The estimate also does not account for future hardware, weaknesses in the hash function, reuse of the same password on a site that gets breached, or phishing, which bypasses password strength entirely. A long, random, unique password whose reported crack time is centuries even at the offline fast-hash rate is the target for today's threat model.
?> Is it safe to type my real password into a strength checker?
In this tool, yes: zxcvbn runs entirely in your browser with no network calls. As a general habit, avoid entering real passwords into any third-party website, because many online checkers do transmit the password to their server. Use the browser developer tools (Network tab) to verify that no requests fire as you type.
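A complement to the Network-tab check, as an added example that is not part of this tool: a small spy you can paste into the browser console before typing, which wraps the three common ways a page sends data (`fetch`, `XMLHttpRequest.open`, `navigator.sendBeacon`) and logs every call. The function takes the global object as a parameter so the same code can be exercised against a fake global; `installRequestSpy` and `window.__requestSpy` are names chosen for this example.

```javascript
// Added example: wrap the page's outbound request APIs and record every call, so you can
// check that nothing is sent while you type into a password field.
function installRequestSpy(g) {
  const seen = [];
  const record = (api, url) => {
    seen.push({ api, url: String(url), at: Date.now() });
    console.warn('outbound request via', api, '->', String(url));
  };

  if (typeof g.fetch === 'function') {
    const origFetch = g.fetch.bind(g);
    g.fetch = (input, init) => {
      record('fetch', input && input.url ? input.url : input); // Request object or URL string
      return origFetch(input, init);
    };
  }

  if (g.XMLHttpRequest && g.XMLHttpRequest.prototype) {
    const origOpen = g.XMLHttpRequest.prototype.open;
    g.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
      record('xhr', url);
      return origOpen.call(this, method, url, ...rest);
    };
  }

  if (g.navigator && typeof g.navigator.sendBeacon === 'function') {
    const origBeacon = g.navigator.sendBeacon.bind(g.navigator);
    g.navigator.sendBeacon = (url, data) => {
      record('beacon', url);
      return origBeacon(url, data);
    };
  }

  return { requests: () => seen.slice() }; // call window.__requestSpy.requests() after typing
}

// In a browser, install on the real global; in Node the function is just defined.
if (typeof window !== 'undefined') {
  window.__requestSpy = installRequestSpy(window);
}
```

Two caveats: scripts that captured a reference to `fetch` or `XMLHttpRequest` before you pasted the spy are not covered, and neither are form submissions, WebSockets, or image beacons. The Network tab sees all of those, so the spy is a convenience for catching the common case, not a replacement for the tab.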
?> Why does adding more characters sometimes not increase the score?
zxcvbn scores based on the minimum guesses an attacker needs, not on raw length. If the extra characters form a recognizable pattern (adding "123" at the end, for example), zxcvbn models that as an expected mutation and does not award the full entropy of three genuinely random characters. Use the feedback panel to see exactly which patterns are limiting your score.