The Verification Venue · entropy, not theater

Four Random Words Beat a Fistful of Symbols

A password's strength is its entropy: for a secret picked truly at random, H = L × log2(N) bits, where L is length and N is the character-set size. Adding a symbol or a capital buys you under two bits per character. Adding a whole character multiplies the keyspace. So four random words crush P@ssw0rd1!, and the difference is not opinion, it is arithmetic you can watch below.

This runs 100% in your browser

Nothing you type is ever sent, stored, or logged. There is no server, no analytics on the box, no autocomplete, no save. Everything below (the wordlist, the crack rates, the maths) is bundled into this page and runs on your device.

To be safe, test a pattern like your real password, not the password itself. If yours is Rover2019!, try Fido2020!: same shape, tells you the same thing.

Network calls from this tool: 0 (a live self-audit, wired below)

The bench is a live cracker's-eye view. Type a pattern and it scores it two ways at once: the naive charset formula that every strength meter prints, and a rough realistic estimate that attacks it the way a real cracker does, with a wordlist and mangling rules. Then pick who is attacking and how the site stored your hash, and watch one string swing from "instantly" to "past the heat death of the universe."

51.7 bits
Press the button for a fresh EFF Diceware passphrase, generated on your device with crypto.getRandomValues.
Who is attacking, and how was it hashed?
How much hardware?

GPU count only scales offline cracking. An online login stays rate-limited by the server no matter how many cards you rent.

Naive charset formula (what meters print)

65.7 bits

L = 10 chars × log2(N = 95) = 65.7 bits. An upper bound: it only holds if every character was chosen at random.

Rough realistic estimate (a cracker's view)

11 bits

A wordlist plus rules run recognises this as a mangled dictionary word.

Average time to crack, this attacker

under a second

the naive formula would promise 31 thousand years

Against offline bcrypt on one RTX 4090. Switch the attacker above and watch this number move by millions to one.

Three reference strings, every attacker at once
string online
1,000/s
bcrypt
184 kH/s
SHA-256
22 GH/s
unsalted
164 GH/s

Cells are average offline crack times at the current hardware setting. green > 10,000 years · amber 1 to 10,000 years · red < 1 year.

The override that beats every bit. Even a perfect 90-bit password cracks in zero seconds if it already leaked once. Toggle this and the whole grid turns red: credential stuffing does not crack, it replays.

Try it in three moves. One: the box starts on P@ssw0rd1!. The naive meter cheerfully reports about 66 bits while the realistic meter beside it collapses into the red. Two: press "Show me a strong one" for a four-word passphrase, then flip the attacker from bcrypt to unsalted MD5 and watch its crack time fall from centuries to hours. Three: drag the words slider from 4 to 6, watch every cell go green, then toggle "I reused this" and watch them all turn red at once.

The ruler everyone prints is an upper bound

Entropy only counts if you actually rolled the dice

H = L × log2(N) is the formula behind every password meter, and it is a genuine ceiling: the most bits a string of length L over an alphabet of N symbols could carry. But it reaches that ceiling on one condition, the one almost no human password satisfies: every character chosen uniformly at random. Choose password, bolt on a capital, swap a→@ and o→0, and end with 1!, and the formula still cheerfully reports about 66 bits. A real attacker does not see 66 bits. They see the single most common word in every leaked-password list, plus a mangling rule they wrote years ago, and their tool tries it in the first thousandth of a second. The bits were never there. That is why the bench scores your pattern twice: the naive ceiling, and a rough estimate of the bits that survive a wordlist attack. For P@ssw0rd1! the two numbers stand a chasm apart. For a genuinely random passphrase they do not, because random bits are the only bits a cracker cannot skip.

Now watch the other half. The four-word EFF passphrase is 51.7 bits, a real number: four words each pulled uniformly from a list of exactly 7,776 = 65 (five dice choose one word), so 4 × log2(7776) = 4 × 12.925 = 51.70. Against salted-slow bcrypt on one RTX 4090 that survives about 315 years. Against the same card cracking an unsalted MD5 hash it falls in about three hours. Same password, same keyspace of 77764 = 3.66 × 1015 combinations. The only thing that changed is a choice you never got to make: how the website stored your password. That six-orders-of-magnitude swing is why length alone is not a promise, and why EFF recommends six words (77.5 bits), not four.

The threat that actually takes over accounts

The war is reuse, not brute force

Here is the humbling part, and the reason the toggle turns the whole grid red. For most people the dominant real-world compromise is not brute force at all. It is reuse. One breach of a weak-hash site hands attackers your plaintext, and then credential stuffing replays that exact string against your email, your bank, and everything else you own. A flawless 90-bit password that a GPU could never crack falls in zero seconds if it was already sitting in a breach dump somewhere else. Cracking is a keyspace race; reuse skips the race entirely. This is not a contested claim about percentages, it is a mechanism, and you can feel it above: no number of bits saves a password that has already leaked.

So, ranked by the lever you actually hold:

  1. Never reuse. Use a password manager with a unique random secret per site. This is the one that beats every attacker in the grid, because it makes a leak somewhere else stay somewhere else.
  2. Prefer length from genuine randomness over symbol-sprinkling: a six-word Diceware passphrase, or 15-plus random characters. The bits from real randomness are the only bits that survive a wordlist.
  3. Know that the site's hashing choice matters as much as your password, and you cannot control it. Which is exactly why a manager plus unique passwords is the lever you do hold: it caps the damage when their bcrypt turns out to be MD5.

This is not a fringe opinion any more. NIST SP 800-63B-4 (published August 2025), the United States national standard, says verifiers SHALL require at least 15 characters for a single-factor password, SHOULD permit at least 64, SHALL NOT impose composition rules (no forced mixtures of character types), and SHALL NOT force periodic password changes. Length and randomness over symbol theater, as a matter of policy.

The check: every number recomputed in front of you

Nothing is stored and nothing is fetched. For the pattern in the box right now, the page recomputes the whole score from the same equations the offline verifier uses, live:

The offline gate recomputes all of it and exits 0 only if every number agrees: node research/how-long-to-crack-your-password/verify-how-long-to-crack-your-password.mjs.

Every free choice and its uncertainty. (1) The crack rates are a dated snapshot: hashcat v6.2.6 on one NVIDIA RTX 4090 (Chick3nman, Oct 2022), NTLM 288.5 GH/s, MD5 164.1 GH/s, SHA-256 22.0 GH/s, bcrypt mode 3200 at cost 5 (32 iterations) 184.0 kH/s. GPUs get faster, so treat these as a moment, not a law. (2) The bcrypt figure is cost 5; real sites often use higher cost, and higher cost means slower cracking, so 315 years is a floor for bcrypt, not a fixed value. (3) The online model uses xkcd-936's generous 1,000 guesses per second; real rate-limited logins do far less. (4) The realistic meter is a rough heuristic (dictionary, leet, keyboard-walk, date and random-word flags), not a real cracker: a pattern it rates "strong" could still be weak, so never treat it as a guarantee. (5) Average time = keyspace / (2 × rate); you may get unlucky and be found in the first half. (6) Four random words (51.7 bits) is safe against salted-slow hashing but only marginal against a fast unsalted hash if the attacker knows you used a four-word scheme, which is why the honest recommendation is six words.

What is exactly true here, and what is a rough estimate

Exactly true (the arithmetic). For a uniformly random secret, entropy is H = L × log2(N). The per-character values are exact: log2(26) = 4.700, log2(36) = 5.170, log2(62) = 5.954, log2(95) = 6.570. The EFF large list holds exactly 7,776 = 65 words, so each carries log2(7776) = 12.925 bits and the Diceware ladder is 38.77 / 51.70 / 64.62 / 77.55 bits for 3, 4, 5, 6 words. Keyspace is 2bits, and average crack time is that keyspace over twice the guess rate. All of this is reproduced by the offline verifier, and the "Show me a strong one" generator draws from the real 7,776-word EFF list with crypto.getRandomValues.

A rough estimate, clearly labelled (the realistic meter). The second number is a small heuristic scorer, in the spirit of tools like zxcvbn but far simpler. It finds the cheapest way to describe your pattern out of: common-password and dictionary words (with leet and capitalisation undone), keyboard walks, digit and year runs, and separators, then falls back to charset entropy for anything it cannot explain. It is deliberately conservative and it can be wrong in both directions. It exists to show the shape of the gap between the naive ceiling and a real attack, not to certify any specific password.

Named scope. Crack rates are a single dated hardware snapshot; the online rate is illustrative; the reuse panel demonstrates a mechanism (a leaked password is replayed, not cracked) rather than asserting a contested percentage of breaches; and no operational attack detail is given beyond the public common knowledge a strength meter needs.