Password strength checkers estimate how long it would take to crack a password — measured against modern attack techniques like brute force, dictionary attacks, and pattern recognition. The strength bar most signup forms show is often shallow; a proper checker considers entropy, common-password lists, dictionary words, and predictable substitutions.
This guide covers what strength means, how checkers estimate it, and what to do when your current password rates weak.
What "Strength" Actually Measures
- Entropy — Bits of randomness; more = stronger
- Time to crack — Estimated based on attack speed
- Dictionary check — Is the password a known word?
- Pattern recognition — qwerty, abc123, dates, keyboard walks
- Common substitutions — P@ssw0rd is barely better than password
- Breach database — Has this exact password leaked?
Strength Tiers
- Very weak — Crackable in seconds (password, 12345)
- Weak — Crackable in hours (8 chars, dictionary-based)
- Moderate — Crackable in days (10-12 chars, some randomness)
- Strong — Crackable in centuries (14+ chars, random)
- Very strong — Effectively uncrackable (16+ random)
Time-to-Crack Caveats
- Estimates assume offline attack with modern GPU rigs
- Online attacks (against login forms) are much slower due to rate limits
- The relevant threat for most users is database breach + offline cracking
- Estimates from 2026 will be optimistic by 2030 as hardware improves
What Weakens Passwords
- Dictionary words (any language)
- Names, dates, places
- Keyboard patterns (qwerty, asdf)
- Number patterns (123456, 111111)
- Common substitutions (@ for a, 3 for e)
- Appending year (password2025)
- Reused from another site (may be in breach database)
What Strengthens Passwords
- Length (most impactful single factor)
- Random character selection
- Mix of character types
- No connection to personal information
- Unique per site
The Substitution Myth
Replacing letters with numbers/symbols (a→@, e→3, i→1) adds almost no entropy because attackers know these patterns. "P@ssw0rd!" is in every cracking dictionary. Random characters in random positions matter; predictable substitutions don't.
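The gap described above, as an added example (not code from this page or from Popupnote): a naive length-times-charset estimate next to a pattern-aware one that undoes predictable substitutions and appended suffixes before a dictionary lookup. The word list, the substitution map and the per-variant bit allowances are constructed assumptions for illustration.

```javascript
// Constructed sample list (assumption); real checkers ship far larger lists.
const COMMON = ["password", "qwerty", "letmein", "dragon",
                "monkey", "abc123", "123456", "111111"];
// Predictable substitutions to undo before lookup (assumed map).
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s" };

// Naive model: length * log2(size of the character pools in use).
function naiveBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  return pw.length * Math.log2(pool || 1);
}

function deLeet(s) {
  return s.split("").map(c => LEET[c] || c).join("");
}

// Pattern-aware model: if the password reduces to a listed word, score it as
// log2(list size) plus small allowances for the mangling (assumed values).
function estimate(pw) {
  const lower = pw.toLowerCase();
  const stripped = lower.replace(/[^a-z]+$/, ""); // drop appended digits/symbols
  const suffixLen = lower.length - stripped.length;
  const tries = [
    { word: lower, leet: false, suffix: 0 },
    { word: deLeet(lower), leet: true, suffix: 0 },
    { word: stripped, leet: false, suffix: suffixLen },
    { word: deLeet(stripped), leet: true, suffix: suffixLen },
  ];
  const hit = tries.find(t => COMMON.includes(t.word));
  const naive = naiveBits(pw);
  if (!hit) return { naive, bits: naive, match: null };
  const bits = Math.log2(COMMON.length)      // which listed word
    + (pw !== lower ? 1 : 0)                 // capitalisation variant
    + (hit.leet ? 1 : 0)                     // substitution variant
    + hit.suffix * Math.log2(43);            // appended digit or symbol
  return { naive, bits: Math.min(bits, naive), match: hit.word };
}

for (const pw of ["password", "P@ssw0rd!", "password2025", "k7#Vq2!xLm9@Tz4w"]) {
  const r = estimate(pw);
  console.log(pw, "naive:", r.naive.toFixed(1), "pattern-aware:", r.bits.toFixed(1));
}
```

The naive column is what a shallow signup meter reports; the pattern-aware column collapses for anything that reduces to a listed word, while the random 16-character string keeps its full estimate.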
Common Use Cases
- Auditing an existing password's strength before reusing it
- Teaching password security in workshops
- Verifying generated passwords meet target strength
- Convincing colleagues to update weak passwords
- Checking before signing up for high-value accounts
Strength Checker Limitations
- Cannot check against full breach databases (uploading the password is a privacy risk)
- Estimates vary between tools using different models
- Length-based scoring misses dictionary issues
- Cannot detect personal context (your birthday is dictionary-trivial)
Common Pitfalls
- Trusting weak strength meters. Signup forms often show "strong" for predictable passwords
- Typing real passwords into web tools. Use offline or browser-local checkers
- Believing 8 chars is enough. Modern GPUs crack 8-char passwords in hours
- Adding complexity, not length. A longer simple password often beats a short complex one
- Reusing a strong password. Strength doesn't matter if a site breach exposes it
If Your Password Rates Weak
- Generate a new random password (16+ chars)
- Save it in a password manager
- Update it on the site
- Enable two-factor authentication
- Check haveibeenpwned.com for prior breaches
Beyond Strength
- Strong password + 2FA > very strong password alone
- Unique per site > one super-strong password reused
- Password manager makes both feasible
- Passkeys (where supported) bypass the password question entirely
Quick Tips
- Length matters more than complexity
- 16+ random characters for important accounts
- Never trust signup form strength meters alone
- Don't paste real passwords into untrusted tools
- Always pair a strong password with 2FA
Use the Password Strength Checker on Popupnote
The Password Strength Checker on Popupnote provides a clean tool for estimating password strength against modern cracking techniques — for personal audits, teaching security awareness, and verifying generated passwords. The tool runs in your browser without any account required.