What password strength meters actually measure
Most simple password meters count which character types are present (uppercase, lowercase, numbers, symbols) and apply a score based on length. The problem: Password1! scores well on these meters despite being one of the most commonly used passwords in the world.
Better meters (like the zxcvbn library, used by Dropbox and many security tools) use pattern matching against a database of common passwords, dictionary words, keyboard patterns (qwerty, 123456), and known substitutions (p@ssw0rd). These give a much more accurate picture of real-world crackability.
The free password generator and checker shows you entropy (in bits) and estimated crack time — the two most meaningful metrics.
The entropy metric
Entropy measures how much randomness (unpredictability) a password contains, in bits. Higher entropy means more possible passwords an attacker must try to crack yours by brute force.
Rough formula: entropy = log₂(character_set_size) × password_length
| Password type | Character set | Example | Entropy at 12 chars |
|---|---|---|---|
| Lowercase only | 26 | abcdefghijkl | 56 bits |
| Lower + upper | 52 | AbCdEfGhIjKl | 68 bits |
| Lower + upper + numbers | 62 | AbCd3fGh1jKl | 71 bits |
| Lower + upper + numbers + symbols | 94 | AbC!3fG#1jK$ | 79 bits |
These are theoretical maximums assuming the password is truly random. Passwords with words, names, dates, or predictable patterns have much lower effective entropy — regardless of what character types they contain.
Crack time estimates
Modern GPUs can attempt billions of password hashes per second. Crack time estimates depend heavily on what hashing algorithm protects the password:
| Hash algorithm | Guesses/second (single GPU) | Notes |
|---|---|---|
| MD5 | ~68 billion | Never use for passwords |
| SHA-256 | ~12 billion | Not designed for passwords |
| bcrypt (cost 10) | ~23,000 | Designed for passwords — slow by design |
| Argon2id | ~1,000–10,000 | Current best practice |
A 6-character alphanumeric password hashed with MD5 is cracked in seconds. The same password protected by bcrypt might take hours. The right answer is: use a strong random password AND assume good hashing. Don't rely on the site to protect you.
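The sketch below is an added example, not code from the password checker or from zxcvbn. It applies the rough entropy formula to a password, then caps the estimate when the password reduces to a dictionary word after undoing case, trailing digits/symbols and substitutions, and converts the result to crack time using the rates from the table. The word list, the extra substitutions and the dictionary-attack cost (DICT_GUESSES) are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample list; real cracking dictionaries hold millions of entries.
COMMON_WORDS = {"password", "letmein", "qwerty", "dragon", "welcome"}
# Assumed cost of a dictionary attack: 1M-word list x 1,000 mangling rules.
DICT_GUESSES = 1_000_000 * 1_000
# Substitutions a cracker reverses: @ and 0 are from the text, the rest assumed.
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "1": "i"})
# Guesses per second on a single GPU, copied from the table above.
RATES = {"MD5": 68e9, "SHA-256": 12e9, "bcrypt (cost 10)": 23_000}


def naive_bits(pw: str) -> float:
    """log2(character_set_size) x length, using the classes present in pw."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    return math.log2(size) * len(pw) if size else 0.0


def base_word(pw: str) -> str:
    """Undo common mangling: case, trailing digits/symbols, then substitutions."""
    return pw.lower().rstrip(string.digits + string.punctuation).translate(LEET)


def effective_bits(pw: str) -> float:
    """Cap the estimate at the dictionary attack's cost when the base is a known word."""
    bits = naive_bits(pw)
    if base_word(pw) in COMMON_WORDS:
        return min(bits, math.log2(DICT_GUESSES))
    return bits


def crack_seconds(bits: float, rate: float) -> float:
    """Average time to hit the password: half the search space at `rate` guesses/s."""
    return 2 ** bits / 2 / rate


if __name__ == "__main__":
    for pw in ("Password1!", "p@ssw0rd", "AbC!3fG#1jK$"):
        naive, real = naive_bits(pw), effective_bits(pw)
        print(f"{pw:14} naive {naive:5.1f} bits, effective {real:5.1f} bits")
        for algo, rate in RATES.items():
            print(f"    {algo:17} ~{crack_seconds(real, rate):.3g} s")
```

Password1! scores about 66 bits under the character-set formula but about 30 bits once it is recognised as a mangled dictionary word, while the random 12-character string keeps its full 79 bits.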
The passphrase alternative
NIST (National Institute of Standards and Technology) guidelines now recommend length over complexity. A passphrase — a sequence of random words — can be more secure and far more memorable than a complex 8-character password.
- correct-horse-battery-staple — 28 characters, 4 random words — approximately 44 bits of entropy from a 2,000-word dictionary
- P@ssw0rd1! — 10 characters, looks complex — but it's in every password cracking dictionary
For human-memorable passwords, passphrases win. For passwords stored in a password manager (which you should be using), a fully random 16–20 character string with all character types is strongest.
What actually makes a password weak (real-world risks)
- Reuse. The biggest real-world password risk is not brute force — it's credential stuffing. If one site is breached and your password is exposed, attackers try that same email+password combination on every major service. Use a unique password for every site.
- Dictionary words and names. Attackers run dictionary attacks first — full lists of common words, names, places, and known leaked passwords. A password from a dictionary is cracked in seconds regardless of length.
- Predictable substitutions. Replacing 'a' with '@' and 'o' with '0' is in every cracker's substitution table. 'p@ssw0rd' is treated the same as 'password' by modern crackers.
- Short passwords. Under 12 characters, even fully random passwords face real brute-force risk against fast algorithms. 16+ characters is the current practical minimum for important accounts.
Generating strong passwords
The free password generator creates cryptographically random passwords at any length. For important accounts (email, banking, password manager master password), use 20+ characters with all character types. Store them in a password manager — no one can remember 20-character random strings, and they shouldn't try.
Written by Achraf A., founder of TheFreeAITools.