Enter Password Length: Select Character Set
- This calculator assumes the password is randomly generated by a password manager (Example: AqdPHw=x7*Mz7LPp).
- Reusing a password gives you a weak score because password reuse increases your chances of being affected by credential stuffing attacks. Every account needs to have its own random password that you never reuse; a password manager makes this easy.
I’ve updated the password strength calculator to reflect 1Password’s findings from this great article.
1Password found that it costs about $770 to crack a 40-bit password hashed with their 100,000 iterations of PBKDF2-H256.
I took this baseline and scaled it down to 1 iteration instead of 100k, because we don’t know how all internet passwords are stored, and assuming 1 iteration of PBKDF2-H256 is good enough. If the password is stored in MD5 or other weak hashing algos, then the cost to crack will be much lower.
From that, we can see what it costs to crack just one password using this calculator.
Time vs. Money
The old calculator would give you a time estimate of how long it would take, but going off money is a far better estimate.
The time value changes depending on how much someone is willing to spend. So if you focus on just the cost to crack the password, you get a more universal answer that is far easier to understand.
Doing it this way can put into context what you’re protecting.
Your Netflix account is worth about $20 a month, so having a password that would take $8,000 to crack might be a little overkill.
But if you have millions in the bank, then having a bank password that takes billions of dollars to crack might be worth it.
Once again, this calculator assumes the password was randomly generated by a password manager.
If you created this password, we must assume it’s weak as people are not good at picking passwords.
Also, this calculator is for passwords and not passphrases. To see how long it would take to crack a passphrase or master password, go here.
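The cost math described above, written out as an added example (not the calculator's own code): it starts from the page's $770 / 40-bit / 100,000-iteration baseline and assumes cost scales linearly with iteration count and with keyspace. The character-set sizes and all function names are assumptions.

```javascript
// Baseline figures quoted on this page (1Password's finding).
const BASE_COST_USD = 770;       // cost to crack a 40-bit password
const BASE_BITS = 40;
const BASE_ITERATIONS = 100000;  // PBKDF2-H256 iterations behind the $770 figure

// Assumed character-set sizes; the calculator's real sets are not shown on the page.
const CHARSETS = { lower: 26, upper: 26, digits: 10, symbols: 32 };
const ALL_CLASSES = ["lower", "upper", "digits", "symbols"];

function charsetSize(classes) {
  return [...new Set(classes)].reduce((n, c) => {
    if (!(c in CHARSETS)) throw new Error(`unknown character class: ${c}`);
    return n + CHARSETS[c];
  }, 0);
}

// Entropy of a uniformly random password: length * log2(alphabet size).
// Only valid for machine-generated passwords, never for human-chosen ones.
function entropyBits(length, alphabetSize) {
  if (!Number.isInteger(length) || length < 1 || alphabetSize < 2) {
    throw new RangeError("need length >= 1 and alphabet size >= 2");
  }
  return length * Math.log2(alphabetSize);
}

// Assumption: each extra bit doubles the cost, each extra iteration adds linearly.
function costToCrackUsd(bits, iterations = 1) {
  return (BASE_COST_USD * iterations / BASE_ITERATIONS) * 2 ** (bits - BASE_BITS);
}

// Inverse question: shortest random password whose cracking cost meets a target.
function minLengthForCost(targetUsd, alphabetSize, iterations = 1) {
  const ratio = (targetUsd * BASE_ITERATIONS) / (BASE_COST_USD * iterations);
  const bitsNeeded = BASE_BITS + Math.log2(ratio);
  return Math.max(1, Math.ceil(bitsNeeded / Math.log2(alphabetSize)));
}

// Reuse overrides the math: a reused password is flagged weak whatever its entropy.
function estimate({ length, classes, reused = false, iterations = 1 }) {
  const bits = entropyBits(length, charsetSize(classes));
  return { bits, costUsd: costToCrackUsd(bits, iterations), weakBecauseReused: reused };
}

console.log(estimate({ length: 16, classes: ALL_CLASSES }));
console.log(minLengthForCost(8000, charsetSize(ALL_CLASSES)));
```

`minLengthForCost` lets you start from what the account is worth and work back to a length, which is the comparison the Netflix and bank examples make.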
Why This Password Cracking Calculator?
The reason for this password cracking calculator is that all the other ones kinda suck.
The first mistake they make is having you type your password on the website. Not only is that dumb, but it poses a security risk. We can easily determine the strength of a password without you typing it in.
The second mistake is that they’re not based on real-world cracking. Without real-world math backing up their claims, they’re no better than someone telling you a random number.
The last mistake is that they don’t factor in people-created passwords or people reusing passwords. Most people don’t know reusing passwords is bad because no one is telling them; I go into more detail about how password education happens at the sign-up pages here.