| Attack scenario | Guesses/sec | Time |
|---|
Assumes a brute-force search of half the keyspace. Real attackers try dictionaries and known-breach lists first, so patterned passwords fall much faster than these numbers suggest.
About the Password Strength Checker
Password strength comes down to how many guesses an attacker needs. That is driven by two things: length and the size of the character set actually used. Entropy, measured in bits, captures both — each extra bit doubles the search space. A 8-character lowercase password has about 38 bits (crackable in seconds on a GPU rig), while a 16-character mixed password exceeds 100 bits, which is beyond any realistic brute force. Length beats complexity: adding four characters helps far more than swapping an a for an @, a substitution every cracking dictionary already knows.
Everything on this page runs locally — the password is never transmitted, stored or logged, and you can verify that with the network tab of your browser’s dev tools. For real accounts, the practical advice is: use a password manager to generate long random passwords (see our Password Generator), never reuse a password across sites, and turn on multi-factor authentication anywhere it is offered.
What the Scenarios Mean
- Online attack (10³/s). Guessing against a live login form with rate limiting — slow, and lockout policies usually stop it.
- Offline, single GPU (10¹⁰/s). Attacker has stolen a database of fast hashes (MD5/SHA-1) and cracks them at leisure.
- Offline, GPU rig (10¹²/s). A dedicated cracking rig or cloud fleet against fast hashes — the worst case that matters.
- Slow hash (10⁴/s). Sites using bcrypt/argon2 slow every guess dramatically — one reason strong sites survive breaches better.