Naive charset formula (what meters print)
65.7 bits
L = 10 chars × log2(N = 95) = 65.7 bits. An upper bound: it only holds if every character was chosen at random.
The Verification Venue · entropy, not theater
A password's strength is its entropy: for a secret picked truly at random, H = L × log2(N) bits, where L is length and N is the character-set size. Adding a symbol or a capital buys you under two bits per character. Adding a whole character multiplies the keyspace. So four random words crush P@ssw0rd1!, and the difference is not opinion, it is arithmetic you can watch below.
Nothing you type is ever sent, stored, or logged. There is no server, no analytics on the box, no autocomplete, no save. Everything below (the wordlist, the crack rates, the maths) is bundled into this page and runs on your device.
To be safe, test a pattern like your real password, not the password itself. If yours is Rover2019!, try Fido2020!: same shape, tells you the same thing.
Network calls from this tool: 0 (a live self-audit, wired below)
The bench is a live cracker's-eye view. Type a pattern and it scores it two ways at once: the naive charset formula that every strength meter prints, and a rough realistic estimate that attacks it the way a real cracker does, with a wordlist and mangling rules. Then pick who is attacking and how the site stored your hash, and watch one string swing from "instantly" to "past the heat death of the universe."
GPU count only scales offline cracking. An online login stays rate-limited by the server no matter how many cards you rent.
Naive charset formula (what meters print)
65.7 bits
L = 10 chars × log2(N = 95) = 65.7 bits. An upper bound: it only holds if every character was chosen at random.
Rough realistic estimate (a cracker's view)
11 bits
A wordlist plus rules run recognises this as a mangled dictionary word.
Average time to crack, this attacker
under a second
the naive formula would promise 31 thousand years
Against offline bcrypt on one RTX 4090. Switch the attacker above and watch this number move by millions to one.
| string | online 1,000/s | bcrypt 184 kH/s |
SHA-256 22 GH/s | unsalted 164 GH/s |
|---|
Cells are average offline crack times at the current hardware setting. green > 10,000 years · amber 1 to 10,000 years · red < 1 year.
The override that beats every bit. Even a perfect 90-bit password cracks in zero seconds if it already leaked once. Toggle this and the whole grid turns red: credential stuffing does not crack, it replays.
Try it in three moves. One: the box starts on P@ssw0rd1!. The naive meter cheerfully reports about 66 bits while the realistic meter beside it collapses into the red. Two: press "Show me a strong one" for a four-word passphrase, then flip the attacker from bcrypt to unsalted MD5 and watch its crack time fall from centuries to hours. Three: drag the words slider from 4 to 6, watch every cell go green, then toggle "I reused this" and watch them all turn red at once.
H = L × log2(N) is the formula behind every password meter, and it is a genuine ceiling: the most bits a string of length L over an alphabet of N symbols could carry. But it reaches that ceiling on one condition, the one almost no human password satisfies: every character chosen uniformly at random. Choose password, bolt on a capital, swap a→@ and o→0, and end with 1!, and the formula still cheerfully reports about 66 bits. A real attacker does not see 66 bits. They see the single most common word in every leaked-password list, plus a mangling rule they wrote years ago, and their tool tries it in the first thousandth of a second. The bits were never there. That is why the bench scores your pattern twice: the naive ceiling, and a rough estimate of the bits that survive a wordlist attack. For P@ssw0rd1! the two numbers stand a chasm apart. For a genuinely random passphrase they do not, because random bits are the only bits a cracker cannot skip.
Now watch the other half. The four-word EFF passphrase is 51.7 bits, a real number: four words each pulled uniformly from a list of exactly 7,776 = 65 (five dice choose one word), so 4 × log2(7776) = 4 × 12.925 = 51.70. Against salted-slow bcrypt on one RTX 4090 that survives about 315 years. Against the same card cracking an unsalted MD5 hash it falls in about three hours. Same password, same keyspace of 77764 = 3.66 × 1015 combinations. The only thing that changed is a choice you never got to make: how the website stored your password. That six-orders-of-magnitude swing is why length alone is not a promise, and why EFF recommends six words (77.5 bits), not four.
Here is the humbling part, and the reason the toggle turns the whole grid red. For most people the dominant real-world compromise is not brute force at all. It is reuse. One breach of a weak-hash site hands attackers your plaintext, and then credential stuffing replays that exact string against your email, your bank, and everything else you own. A flawless 90-bit password that a GPU could never crack falls in zero seconds if it was already sitting in a breach dump somewhere else. Cracking is a keyspace race; reuse skips the race entirely. This is not a contested claim about percentages, it is a mechanism, and you can feel it above: no number of bits saves a password that has already leaked.
So, ranked by the lever you actually hold:
This is not a fringe opinion any more. NIST SP 800-63B-4 (published August 2025), the United States national standard, says verifiers SHALL require at least 15 characters for a single-factor password, SHOULD permit at least 64, SHALL NOT impose composition rules (no forced mixtures of character types), and SHALL NOT force periodic password changes. Length and randomness over symbol theater, as a matter of policy.
Nothing is stored and nothing is fetched. For the pattern in the box right now, the page recomputes the whole score from the same equations the offline verifier uses, live:
The offline gate recomputes all of it and exits 0 only if every number agrees: node research/how-long-to-crack-your-password/verify-how-long-to-crack-your-password.mjs.
Every free choice and its uncertainty. (1) The crack rates are a dated snapshot: hashcat v6.2.6 on one NVIDIA RTX 4090 (Chick3nman, Oct 2022), NTLM 288.5 GH/s, MD5 164.1 GH/s, SHA-256 22.0 GH/s, bcrypt mode 3200 at cost 5 (32 iterations) 184.0 kH/s. GPUs get faster, so treat these as a moment, not a law. (2) The bcrypt figure is cost 5; real sites often use higher cost, and higher cost means slower cracking, so 315 years is a floor for bcrypt, not a fixed value. (3) The online model uses xkcd-936's generous 1,000 guesses per second; real rate-limited logins do far less. (4) The realistic meter is a rough heuristic (dictionary, leet, keyboard-walk, date and random-word flags), not a real cracker: a pattern it rates "strong" could still be weak, so never treat it as a guarantee. (5) Average time = keyspace / (2 × rate); you may get unlucky and be found in the first half. (6) Four random words (51.7 bits) is safe against salted-slow hashing but only marginal against a fast unsalted hash if the attacker knows you used a four-word scheme, which is why the honest recommendation is six words.
Exactly true (the arithmetic). For a uniformly random secret, entropy is H = L × log2(N). The per-character values are exact: log2(26) = 4.700, log2(36) = 5.170, log2(62) = 5.954, log2(95) = 6.570. The EFF large list holds exactly 7,776 = 65 words, so each carries log2(7776) = 12.925 bits and the Diceware ladder is 38.77 / 51.70 / 64.62 / 77.55 bits for 3, 4, 5, 6 words. Keyspace is 2bits, and average crack time is that keyspace over twice the guess rate. All of this is reproduced by the offline verifier, and the "Show me a strong one" generator draws from the real 7,776-word EFF list with crypto.getRandomValues.
A rough estimate, clearly labelled (the realistic meter). The second number is a small heuristic scorer, in the spirit of tools like zxcvbn but far simpler. It finds the cheapest way to describe your pattern out of: common-password and dictionary words (with leet and capitalisation undone), keyboard walks, digit and year runs, and separators, then falls back to charset entropy for anything it cannot explain. It is deliberately conservative and it can be wrong in both directions. It exists to show the shape of the gap between the naive ceiling and a real attack, not to certify any specific password.
Named scope. Crack rates are a single dated hardware snapshot; the online rate is illustrative; the reuse panel demonstrates a mechanism (a leaked password is replayed, not cracked) rather than asserting a contested percentage of breaches; and no operational attack detail is given beyond the public common knowledge a strength meter needs.