
How password strength is actually measured (and why "P@ssw0rd!" is weak)

Most websites grade passwords by character classes. Attackers don't. Here is what a serious password checker actually measures, and why "P@ssw0rd!" still falls in seconds.

A signup form asks for a password. The rules: at least eight characters, one uppercase, one number, one symbol. You type P@ssw0rd1. The little meter turns green. The form accepts it. The form is happy. The password cracker, if it ever gets a chance, is happier — that string is in every wordlist on earth and falls in under a second.

The form was checking the wrong thing. It checked whether your password obeyed an arbitrary set of rules. It didn't check whether anyone could guess it. Those are two completely different questions, and one of them is the one that actually matters.

Why character classes are the wrong metric

"Must contain one uppercase, one number, one symbol" rules exist for one reason: auditors and compliance frameworks like checkboxes, and the checkboxes are easy to verify with a regex. The rules don't make passwords stronger. They make them more predictable, because users respond to rules by picking obvious variants of obvious words.

Attackers know this. Every cracker worth the name knows the standard substitutions — a → @, o → 0, s → $, l → 1, e → 3 — and every cracker tries those variants automatically. Password! and P@ssw0rd! are not two different passwords as far as a wordlist attack is concerned. They are the same password with the substitutions applied. A character-class checker tells you the string meets policy. It doesn't tell you it's hard to guess.

Entropy — the actual measurement

Information entropy, measured in bits, is the honest metric. It's the number of guesses an attacker would need to find your password, expressed as a power of two. 30 bits of entropy = about a billion guesses = a few hours on a single GPU. 60 bits = a quintillion guesses = safe against most real attackers. 122 bits = roughly the number of atoms in your body = safe forever against current hardware.

The math, if you actually generated the password randomly: an 8-character password drawn uniformly from the 95 printable ASCII characters has 95^8 = 6.6 trillion possible values, which is about 52 bits of entropy. That's a strong password — if the choice was actually random. Almost nobody picks passwords uniformly at random, which is the entire problem.

zxcvbn — how the checker on this site works

Dropbox open-sourced a library called zxcvbn in 2012. Rather than counting characters, it estimates how many guesses it would take a smart cracker to find your password. It does this by looking for patterns: dictionary words in 30+ languages, the common substitutions, keyboard walks (qwerty, asdf, 1qaz2wsx), dates, repeated characters, and ascending or descending sequences.

Each pattern collapses a chunk of the password into a much smaller search space. For P@ssw0rd!, zxcvbn sees: a common dictionary word, standard substitutions, a common suffix. Sixteen character classes by the regex-checker's count; about ten bits of actual entropy by zxcvbn's. Crack time on a modern GPU with a fast hash: well under a second.
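The two checks side by side, as an added JavaScript example (not zxcvbn's code and not the site's checker): the character-class regex a signup form runs, and a toy zxcvbn-style estimator that undoes the standard substitutions from the previous section and prices the common suffix, so it covers both the "same password with substitutions applied" point and the pattern collapse described here. The wordlist, its ranks and the suffix list are constructed for illustration.

```javascript
// Added example, not zxcvbn's own code: a toy, zxcvbn-style estimator that shows
// why "P@ssw0rd!" satisfies a character-class policy yet is cheap to guess.
// The wordlist, its ranks and the suffix list are constructed for illustration.

// What a typical signup form checks: 8+ characters and four character classes.
function meetsClassPolicy(pw) {
  return pw.length >= 8 && /[A-Z]/.test(pw) && /[a-z]/.test(pw) &&
         /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Constructed rank-ordered wordlist: rank 1 is the most common password.
const COMMON = ["password", "123456", "qwerty", "letmein", "dragon"];
// The standard substitutions from the article, reversed so they can be undone.
const LEET = { "@": "a", "4": "a", "0": "o", "$": "s", "1": "l", "3": "e" };
const LEET_CHARS = /[@40$13]/g;
// Common appended characters from the article's list.
const SUFFIXES = ["!", "1", "123", "1!", "123!", "2024!"];

// Undo the substitutions: "P@ssw0rd" -> "password".
function unleet(s) {
  return s.toLowerCase().replace(LEET_CHARS, c => LEET[c]);
}

// Guesses a cracker needs if the password is "<dictionary word with
// substitutions><common suffix>": rank x substitution variants x
// capitalisation variants x suffix choices. Anything else is treated as
// brute force over the 95 printable ASCII characters.
function estimateGuesses(pw) {
  for (const suffix of ["", ...SUFFIXES]) {
    if (!pw.endsWith(suffix)) continue;
    const core = pw.slice(0, pw.length - suffix.length);
    const rank = COMMON.indexOf(unleet(core)) + 1;
    if (rank === 0) continue;                        // not a (leeted) dictionary word
    const swaps = (core.match(LEET_CHARS) || []).length;
    const leetVariants = 2 ** swaps;                 // each swap is applied or not
    const caseVariants = /[A-Z]/.test(core) ? 2 : 1; // lower-case or capitalised
    const suffixGuesses = suffix ? SUFFIXES.length : 1;
    return rank * leetVariants * caseVariants * suffixGuesses;
  }
  return 95 ** pw.length;
}

// Bits of effective entropy: log2 of the guess count.
function estimateBits(pw) {
  return Math.log2(estimateGuesses(pw));
}

console.log(meetsClassPolicy("P@ssw0rd!"), estimateGuesses("P@ssw0rd!"), estimateBits("P@ssw0rd!"));
```

The real zxcvbn searches for many more pattern types and combines overlapping matches; this toy only shows why one dictionary word plus substitutions and a suffix collapses to a handful of guesses.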

Common patterns that fool character-class checks

The patterns zxcvbn flags are the patterns real users reach for under pressure:

  • Substitution. a → 4, e → 3, o → 0, s → $. Every variant of every common word is in the attackers' dictionary.
  • Dates. Birthdays, anniversaries, the year you graduated. 19xx and 20xx are tiny number spaces — a thousand possibilities each.
  • Keyboard walks. qwerty, asdf, zxcv, 1qaz2wsx. Visually random, computationally trivial — every cracker has the keyboard layout baked in.
  • Common appended characters. 1!, 123!, 2024!, $$$. The suffix doesn't help if every attacker tries it.
  • Names. Your name, your kid's name, your dog's name. If it's findable on Facebook, it's findable to an attacker. Targeted attacks scrape exactly this kind of data.

Real-world attack speed

The crack-time numbers depend almost entirely on the hashing algorithm the service used. Order of magnitude, on a single RTX 4090 in 2026:

  • Plain MD5: ~100 billion guesses per second. An 8-character lowercase password falls in about half a minute.
  • SHA-256, unsalted: ~10 billion per second.
  • bcrypt at cost factor 12: ~50 per second. The same 8-character password would take centuries.
  • Argon2 at sensible parameters: ~10 per second. Effectively unattackable for any remotely random password.

The hash function the service uses matters more than your password complexity. You don't get to choose the hash; you only get to choose the password. So treat the checker's number as a worst case — what an attacker could do if they got a fast-hash dump from the database. If the service used bcrypt or Argon2, divide accordingly.

Passphrases — why three random words beat eight random characters

The XKCD comic that everyone has linked at least once — "correct horse battery staple" — is right. A four-word passphrase drawn from a wordlist of 7,776 entries (the Diceware list) gives you log2(7776^4) ≈ 51 bits of entropy. Four words. Easy to type, easy to remember, slightly hard to mistype.

Compare that to a typical user-chosen eight-character "complex" password, which usually carries about 25 bits of effective entropy once zxcvbn finds the patterns. The passphrase is millions of times harder to guess and far easier to actually live with. The catch is that the words have to be chosen randomly — picking three favourite nouns yourself does not work, because your three favourite nouns are correlated with everyone else's three favourite nouns.

What a good password manager changes

If a password manager is generating and storing your passwords, the question of memorability stops mattering. A 20-character random string from the manager's generator carries about 130 bits of entropy — well past "safe forever" — and you never have to type it. The work shifts to one job: protecting the master password that unlocks the manager.

Which is where the passphrase advice comes back. The master password is the one you'll type by hand, the one you have to remember, and the one that needs to be both strong and livable. Pick a Diceware-style passphrase of five or six random words. The crack time, even against a fast hash, is decades.
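The entropy and crack-time arithmetic used throughout this article (the 95^8 random password, the hash-rate table, the Diceware passphrase and the manager's 20-character string), as an added JavaScript example that is not the site's own checker; the guess rates are the order-of-magnitude figures quoted above, not measurements.

```javascript
// Added example, not the site's checker code: the entropy arithmetic behind the
// figures in this article, and what each figure means at the guess rates quoted.
// The rates are the order-of-magnitude numbers from the article, not measurements.

// Bits of entropy for a secret drawn uniformly at random: `length` symbols,
// each from an alphabet of `alphabetSize` -> log2(alphabetSize ** length).
// Valid only for genuinely random choice, never for a human-picked string.
function uniformBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Guesses per second on a single GPU, as quoted above (order of magnitude).
const GUESS_RATES = { md5: 1e11, sha256: 1e10, bcrypt12: 50, argon2: 10 };

// Worst case for the defender: seconds to try every one of the 2**bits values.
function crackSeconds(bits, guessesPerSecond) {
  return (2 ** bits) / guessesPerSecond;
}

function humanDuration(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600],
                 ["minutes", 60], ["seconds", 1]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toFixed(1)} ${name}`;
  }
  return "under a second";
}

// The article's cases side by side. Diceware = 7,776-word list; the 25-bit
// row is the article's zxcvbn figure for a typical user-chosen password.
function compare() {
  const cases = [
    ["8 random printable-ASCII characters", uniformBits(95, 8)],
    ["user-chosen 'complex' 8 characters (zxcvbn estimate)", 25],
    ["4 Diceware words", uniformBits(7776, 4)],
    ["6 Diceware words", uniformBits(7776, 6)],
    ["20-character manager-generated string", uniformBits(95, 20)],
  ];
  return cases.map(([label, bits]) => ({
    label,
    bits: Number(bits.toFixed(1)),
    md5: humanDuration(crackSeconds(bits, GUESS_RATES.md5)),
    bcrypt12: humanDuration(crackSeconds(bits, GUESS_RATES.bcrypt12)),
  }));
}

console.table(compare());
```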

When to use the password-strength-checker tool here

The password-strength checker on this site runs zxcvbn locally in your browser. The password never touches the network. Useful for sanity-checking a new password before you commit to it, for talking a friend out of Password123!, or for checking that your passphrase isn't accidentally weak because the three words you picked happen to be three of the most common English nouns.

Related reading

The UUID generator is a different problem with the same general territory — both come down to producing values an attacker can't guess. The UUID versions guide covers when machine-generated random values are the right answer (almost always, for tokens and IDs) and when something deterministic is what you actually want.