Password Strength Tester
Realistic security score • Entropy • Crack time • Pattern & leetspeak detection
How to Create a Strong Password
Length is the single biggest factor
Every extra character multiplies crack time exponentially. In 2026, the recommended thresholds are: 16 characters — minimum, 20+ — recommended for all accounts (email, banking, password manager master password). A random 20-character passphrase is astronomically stronger than a complex 8-character password.
Passphrases: randomness is everything
Four or more random words are easier to remember and far stronger than a complex short password. But the key word is random — not any phrase you can think of:
- Weak —
Ilovefootballandpizza— long but completely predictable; every word is common and the phrase has meaning to you - Strong —
violet-engine-river-planet-42— random, unrelated words with no personal connection
A strong passphrase must be: random (no personal meaning), unpredictable (not from books, films, or song lyrics), and unique (never reused across accounts). Use a password manager to generate and store them.
What this tool detects (v2)
- Dictionary words — 200+ common Italian and English words, even embedded inside longer passwords
- Leetspeak substitutions — "p@ssw0rd" and "c4n3" are normalised and checked; attackers do this automatically
- Keyboard sequences — "qwerty", "asdfg", "12345" and their reverses, all lengths from 3 upward
- Date patterns — years (1900–2099), birthdays, dd/mm/yyyy formats
- Word+number patterns — "Dog2024!" is the most common format in breach databases worldwide
- Repeated characters — "aaa", "111", "!!" add no meaningful security
- Common suffixes/prefixes — "1", "123", "!" appended or prepended to a word
What entropy means
Entropy (bits) measures the theoretical unpredictability of your password based on character set size and length. As a reference: under 40 bits is weak, 60+ is good, 80+ is strong. This tool goes further — zxcvbn models how attackers actually guess, penalising predictable patterns that inflate raw entropy. A password can have high entropy on paper but still be cracked in seconds if it follows a known pattern.
Crack time scenarios explained
GPU cluster — an attacker with an offline cracking rig running 10 billion guesses/second against a leaked hash (MD5, NTLM). This is the worst-case scenario for data breach victims, and the most relevant threat model for choosing a password length.
Online attack — an attacker targeting a live login form, throttled to ~100 attempts/hour. Most accounts survive this unless the database itself is compromised — which is exactly why the GPU scenario matters.
Common mistakes to avoid
- Using your name, birthday, pet's name, city, or favourite team — all in attacker wordlists
- Leetspeak substitutions: "p@ssw0rd", "c@ne", "c4lc10" — checked automatically by cracking tools
- Reusing the same password across multiple sites — one breach exposes all of them
- Keyboard sequences: "qwerty", "123456", "asdfgh", "zxcvbn"
- Appending "1!" or "123" to a word to meet complexity requirements
- Word+year patterns: "Cane2024", "Estate23!", "Admin2025"
- Passwords under 16 characters — even complex ones fall quickly against a GPU; 16 is the minimum, 20+ is the target
Use a password manager
Bitwarden (free, open source) generates truly random unique passwords of 20+ characters for every site. You only need to remember one strong master password — itself ideally a 5-word passphrase. It also monitors your saved accounts against known breach databases and alerts you automatically.
Two-factor authentication (2FA)
Even a perfect password can be stolen through phishing or server-side breaches. 2FA adds a second layer that stops attackers even when they have your password. Enable it on your email account first — it is the master key to every password reset link and everything else.