Check password strength & see how long it takes to crack
When you create a password, you're creating a key from a specific "search space" - the set of all possible passwords that can be created with your chosen character types and length. The size of this search space determines how long it would take an attacker to find your password by trying every possible combination.
Password strength is fundamentally about search space size. Every character you add to your password and every type of character you include (lowercase, uppercase, numbers, symbols) exponentially increases the number of possible combinations an attacker must try.
When we say a password has "218 trillion combinations", what does that really mean? It means an attacker would need to try, on average, half of those combinations before finding your password. This is called a brute force attack - systematically trying every possible combination until the correct one is found.
The time required to crack a password depends on two factors: how many possible combinations exist (the "search space") and how fast an attacker can try them (guesses per second).
Online Attacks (Throttled): This represents attacking a live website or service. Most legitimate services implement rate limiting, allowing only a few login attempts per second. This is why online attacks take the longest—the attacker is limited by the speed at which the server will respond to authentication attempts. This is your best-case scenario.
Online Attacks (Fast): Some poorly configured services don't implement rate limiting, allowing attackers to try hundreds of thousands of passwords per second. This is why even moderate passwords can fall quickly to determined attackers targeting vulnerable services.
⚠️ The Real Threat: Offline Attacks
The most dangerous scenario is when an attacker obtains a database of password hashes from a data breach. At that point, they can attack your password offline at incredible speeds, limited only by their computational resources—not by network speed or rate limiting.
Once stolen, those hashes can be attacked offline, and the hashing algorithm the service chose determines how fast each guess can be checked. This is where password strength truly matters:
Slow Hash Functions (bcrypt, scrypt, Argon2): Modern websites use "slow" hashing algorithms specifically designed to resist brute force attacks. Even with a single powerful CPU, an attacker can only test about 100 million passwords per second. This is why good services use these algorithms: every guess costs the attacker far more computation.
Fast Hash Functions (MD5, SHA1): Unfortunately, many older systems and poorly designed websites still use fast hashing algorithms. With a modern GPU, an attacker can test 10 billion passwords per second. This is why the same password that would take years to crack online might fall in seconds offline.
Modern graphics cards (GPUs) are incredibly efficient at password cracking because they can test millions or billions of candidate passwords in parallel. A single consumer-grade GPU can test billions of password combinations per second against weak hashing algorithms like MD5 or SHA1.
Professional attackers don't stop at one GPU. A massive cracking array might consist of 8-16 high-end GPUs working in parallel, multiplying the attack speed by orders of magnitude. These rigs can be rented on cloud computing platforms for surprisingly little money.
⚠️ Reality Check: When we show "100 billion guesses per second," this isn't theoretical. Modern consumer GPUs can actually achieve these speeds when cracking passwords with weak hashing algorithms like MD5 or SHA1.
Here's a critical insight: "Tr0ub4dor&3" (a complex 11-character password) has about 41 thousand years of protection against massive cracking arrays. But "correct horse battery staple" (a 28-character phrase with only lowercase and spaces) would take over 550 billion years to crack with the same attack.
The Math: Each additional character multiplies the search space by your character set size. Going from 11 to 28 characters provides exponentially more protection than adding special symbols to a short password.
The Usability: "correct horse battery staple" is much easier to remember than "Tr0ub4dor&3"!
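As an added worked example (not the tool's own code), this script applies the search-space math above to the two passwords just discussed under each attack tier the page describes. The character-class sizes and the two online guess rates are my assumptions, so the absolute figures will not match the tool's exactly; the shape of the result (length beats complexity) is what it demonstrates.

```python
import string

# Character-class sizes assumed for the estimate (my assumption, not the
# page's own figures): string.punctuation has 32 symbols; space counts as 1.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32, "space": 1}

# Guesses per second for the scenarios described above. The three offline
# rates are the page's figures; the two online rates are assumed values.
ATTACK_RATES = {
    "online throttled": 10,
    "online fast": 100_000,
    "offline slow hash": 100_000_000,
    "offline fast hash": 10_000_000_000,
    "massive cracking array": 100_000_000_000,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the union of character classes an attacker must enumerate."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch == " ":
            classes.add("space")
        else:
            classes.add("symbol")
    return sum(CHARSET_SIZES[c] for c in classes)


def search_space(password: str) -> int:
    """Every combination of the inferred charset at this length."""
    return charset_size(password) ** len(password)


def crack_time_years(password: str, scenario: str) -> float:
    """Average brute-force time: half the search space at the scenario's rate."""
    return search_space(password) / 2 / ATTACK_RATES[scenario] / SECONDS_PER_YEAR


def report(password: str) -> dict:
    """Average crack time in years for every scenario in ATTACK_RATES."""
    return {s: crack_time_years(password, s) for s in ATTACK_RATES}


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: charset {charset_size(pw)}, {search_space(pw):.3g} combinations")
        for scenario, years in report(pw).items():
            print(f"  {scenario:>24}: {years:.3g} years")
```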
Most password compromises don't happen through brute force at all. They happen through:
• Phishing: You give your password away to a fake login page
• Data Breaches: A service you use gets hacked
• Password Reuse: Your password from a breached site works elsewhere
• Keyloggers: Malware captures what you type
• Social Engineering: Someone tricks you into revealing it
This is why a comprehensive security strategy includes:
1. Long, unique passwords for every account (at least 12 characters)
2. A password manager to remember them all
3. Two-factor authentication wherever possible
4. Regular security audits of your accounts
Based on current technology and attack methods, here are practical guidelines:
Minimum Security (Online accounts):
• At least 12 characters
• Mix of character types
• No dictionary words or personal info
• Should show "years" even against massive cracking arrays
High Security (Financial, email, password manager):
• 16+ characters
• Completely random or long passphrase
• Should show "centuries" or more against supercomputers
• Enable two-factor authentication
Maximum Security (Encryption keys, critical systems):
• 20+ characters
• True random generation
• Should show astronomical time periods even at fastest attack speeds
If you've tested your passwords and found them wanting:
1. Don't panic—but do take action soon
2. Start with critical accounts: email, banking, password manager
3. Use this tool's generator to create strong passwords
4. Store them in a password manager—don't try to remember them all
5. Enable 2FA wherever possible for an extra layer of security
Remember: the best password is one that's both strong and unique. Even a perfect password doesn't help if you use it everywhere and one site gets breached.