How password strength is actually measured
Most password strength meters are lying to you. Not on purpose, but the green "Strong!" bar you have been trusting rewards exactly the passwords an attacker cracks first.
Here is the thing almost every strength meter gets wrong. It counts characters and does a little arithmetic, then tells you a tortured mess like P@ssw0rd1 is strong because it has an uppercase letter, a number, a symbol, and nine characters. An actual attacker cracks that in well under a second. The meter and the attacker are looking at the same password and seeing completely different things, and only one of them is right.
So the real question is not "how strong is this password." It is "strong against what, and measured how." There are two honest ways to measure password strength, and which one applies depends entirely on who made the password.
Why who made the password changes how you measure it
If a machine generated your password by picking each character at random, the math is clean. Every character was an independent, unpredictable choice, so you can count the possibilities directly and get a number that means what it says. This is entropy, and for a randomly generated password it is exact.
If a person made up the password, that same math falls apart. People do not pick characters at random. They pick a word, capitalize the front, stick a number and a bang on the end, and swap an o for a 0 if they are feeling fancy. An attacker knows all of this, so they do not guess randomly either. They guess the way people actually build passwords, in order of likelihood, and the "possibilities" the naive formula counted were never really in play.
This is the whole problem with strength meters. They run the math meant for random passwords on passwords that humans wrote, and humans are predictable.
What entropy measures, and when it is honest
Entropy is the count of how many passwords yours could have been, expressed in bits. For a generated password it is the gold standard, because the count is real. Twenty random characters from a full keyboard is about 128 bits, and there is no shortcut an attacker can take. They have to grind through the space, and the space is absurdly large.
The number stays honest as long as the randomness is real. The moment a human is choosing, the count becomes fiction, because the attacker is not drawing from the full space. They are drawing from the small, predictable corner of it that people actually use.
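The generated-password case carried into code, as an added example rather than anything from the page: a Python generator that draws every character from the operating system's CSPRNG through `secrets`, so the entropy it reports is the exact formula applied to a known alphabet. The 94-character alphabet (95 if you count the space bar) and the function names are this example's own assumptions.

```python
import math
import secrets
import string

# Full printable keyboard alphabet: 26 + 26 + 10 + 32 = 94 characters
# (assumption of this example; the page's "about 95" includes the space bar).
FULL_KEYBOARD = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length, charset_size):
    """Exact entropy of `length` characters, each an independent uniform draw
    from `charset_size` symbols: bits = length x log2(charset_size)."""
    return length * math.log2(charset_size)


def length_for_bits(target_bits, charset_size):
    """Smallest length whose exact entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))


def generate_password(length, charset=FULL_KEYBOARD):
    """Random password from the OS CSPRNG. `secrets.choice` is unbiased and
    unseedable; the `random` module is neither and must not be used here."""
    return "".join(secrets.choice(charset) for _ in range(length))


def generate_with_bits(target_bits, charset=FULL_KEYBOARD):
    """Return (password, exact_bits) for a password meeting `target_bits`."""
    n = length_for_bits(target_bits, len(charset))
    return generate_password(n, charset), entropy_bits(n, len(charset))


if __name__ == "__main__":
    pw, bits = generate_with_bits(128)
    print(f"{pw}  ({len(pw)} chars, {bits:.1f} bits of true entropy)")
```

Asking for 128 bits from this alphabet yields a 20-character password, the same length the text quotes, and the bit count is a floor on the attacker's work only because the draw really was uniform.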
Why the same formula is exact for one password and fantasy for another
The formula is bits = length × log₂(charset), and it assumes every character is an independent uniform draw from the alphabet. For a generator using a real random source, that assumption holds exactly, so the entropy is a true floor on the attacker's work.
For a human-chosen password the assumption is simply false. The characters are not independent (the letter after q is almost always u), they are not uniform (e beats z by miles), and the structure is predictable (word, then capital, then digits). The formula still spits out a big number, but it is counting a space the attacker never searches. Summer2025! computes to about 72 bits and is worth a tiny fraction of that in practice.
How a real strength estimate works
If counting possibilities does not work for human passwords, what does? You estimate how an attacker would actually guess, and you count how many guesses it takes to reach the password. That is what a serious strength estimator does, and the best-known one is a tool called zxcvbn.
Instead of pretending every character is random, it looks for the patterns people lean on. Dictionary words. Names. Dates and years. Keyboard runs like qwerty or 123456. The predictable letter-to-symbol swaps. It finds the cheapest way an attacker could describe your password, then reports how many guesses that description would survive. The answer is usually far smaller, and far more honest, than the naive formula.
This is why a good tool uses different measurements in different places. When it generates a password for you, it reports true entropy, because the password really is random. When it checks a password you typed in yourself, it runs a pattern-aware estimate, because you are a human and the formula would flatter you.
How zxcvbn estimates guesses
zxcvbn breaks a password into the most probable sequence of patterns: dictionary matches (against word lists, common passwords, names), spatial patterns (keyboard walks), repeats, sequences, dates, and so on. Each pattern type has an estimated guess count. A common dictionary word is cheap. A word with a predictable capital and a leetspeak swap is only slightly more expensive, because the attacker tries those transformations automatically.
It then finds the combination of patterns with the lowest total guess count, since an attacker takes the cheapest path, and reports that. The result is an estimate of guesses-to-crack rather than a theoretical space size. It is not perfect, no estimator is, but it fails in the safe direction far more often than the naive formula, which fails by overstating.
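A miniature, constructed version of that segmentation, written here as an added illustration and not zxcvbn's own code or word lists: it carries a twelve-word ranked list, a leet table, four keyboard rows and zxcvbn's brute-force cardinality of 10, finds the cheapest segmentation of the password by dynamic programming with the k! layout term, and sets the result beside the character-count formula from the entropy section. The word list, the per-pattern guess constants and every function name are assumptions of this example; real zxcvbn lists run to tens of thousands of entries and its per-pattern models are more refined.

```python
import math
import re

# Constructed miniature ranked word list (rank 1 = most common); a real
# estimator ships lists with tens of thousands of entries.
RANKED_WORDS = ["password", "123456", "qwerty", "summer", "winter", "dragon",
                "michael", "jennifer", "welcome", "monkey", "letmein", "football"]
WORD_RANK = {w: i + 1 for i, w in enumerate(RANKED_WORDS)}
# Letter-to-symbol swaps an attacker's rule set undoes automatically.
LEET_TABLE = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
              "0": "o", "$": "s", "5": "s", "7": "t"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
REFERENCE_YEAR, MIN_YEAR_SPACE = 2025, 20
BRUTEFORCE_CARDINALITY = 10  # per-character cost of text no pattern explains


def naive_bits(password):
    """The character-count formula: length x log2(charset), with the charset
    inferred from which character classes appear (what a typical meter does)."""
    charset = 0
    if any(c.islower() for c in password): charset += 26
    if any(c.isupper() for c in password): charset += 26
    if any(c.isdigit() for c in password): charset += 10
    if any(not c.isalnum() for c in password): charset += 33
    return len(password) * math.log2(charset)


def uppercase_variations(token):
    """Extra guesses for capitalization: a leading or trailing capital costs one
    more try; a scattered mix costs the number of ways to place the capitals."""
    letters = [c for c in token if c.isalpha()]
    upper = sum(c.isupper() for c in letters)
    lower = len(letters) - upper
    if upper == 0:
        return 1
    if upper == len(letters) or (upper == 1 and (letters[0].isupper() or letters[-1].isupper())):
        return 2
    return sum(math.comb(len(letters), i) for i in range(1, min(upper, lower) + 1))


def leet_variations(lowered, unleeted):
    """Each substitution roughly doubles the rule-set work (simplified model)."""
    return 2 ** sum(a != b for a, b in zip(lowered, unleeted))


def pattern_guesses(token):
    """Cheapest way an attacker could describe `token` on its own, in guesses."""
    lowered = token.lower()
    unleeted = "".join(LEET_TABLE.get(c, c) for c in lowered)
    candidates = [BRUTEFORCE_CARDINALITY ** len(token)]  # fallback: no pattern found
    if unleeted in WORD_RANK:  # dictionary word, plus capitalization and leet cost
        candidates.append(WORD_RANK[unleeted] * uppercase_variations(token)
                          * leet_variations(lowered, unleeted))
    if re.fullmatch(r"(19|20)\d\d", token):  # a four-digit year near the present
        candidates.append(max(abs(int(token) - REFERENCE_YEAR), MIN_YEAR_SPACE))
    if len(token) >= 3 and any(lowered in row or lowered in row[::-1] for row in KEYBOARD_ROWS):
        candidates.append(40 * 2 * len(token))  # keyboard walk: start key x direction x length
    return min(candidates)


def estimate_guesses(password):
    """Lowest-cost segmentation into patterns, by dynamic programming.
    best[j][k] = cheapest product of pattern guesses covering password[:j] in k segments."""
    n = len(password)
    best = [dict() for _ in range(n + 1)]
    best[0][0] = 1
    for j in range(1, n + 1):
        for i in range(j):
            g = pattern_guesses(password[i:j])
            for k, product in best[i].items():
                best[j][k + 1] = min(best[j].get(k + 1, math.inf), product * g)
    # The attacker must also discover the layout: k segments cost an extra k!.
    return min(product * math.factorial(k) for k, product in best[n].items())


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Summer2025!", "x7Qm#vL2pZ"]:
        naive, honest = naive_bits(pw), estimate_guesses(pw)
        print(f"{pw:12} naive {naive:5.1f} bits   pattern-aware {honest:.3g} guesses"
              f" (~{math.log2(honest):.1f} bits)")
```

On the page's own examples the two measurements diverge exactly as described: Summer2025! comes out at about 72 naive bits but only a few thousand pattern-aware guesses (word, year, symbol), and P@ssw0rd1 is cheaper still because the capital and the two swaps are standard rule-set transformations. For the random string the estimator finds no pattern and falls back to 10 per character, well below the true space, which is the safe direction to be wrong in.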
What does "time to crack" actually mean?
A guess count on its own does not tell you whether to worry. You have to divide it by how fast someone can guess, and that speed swings wildly depending on the attacker. The same password can be safe for a thousand years against one and gone before lunch against another.
| Attacker | Guesses per sec | The situation |
|---|---|---|
| Online, throttled | ~100 | Guessing against a live login that locks them out after a few tries |
| Offline, fast GPU | ~10 billion | They stole a password database and crack it on their own hardware |
| Offline, big cluster | ~1 trillion | A funded operation with a rack of machines and a reason to care |
A password that shrugs off the online attacker can still fall to the offline one in minutes, because the offline attacker is not waiting on anyone's login form. This is why an honest crack-time readout lets you pick the attacker. A throwaway forum login and the master password on your password manager do not face the same threat, and they should not be judged by the same clock.
Turning guesses into time
Once you have a guess count G (true entropy gives G = 2^bits; an estimator gives G directly), the average crack time is half the space divided by the rate:
average time = (G / 2) / guesses per second
An attacker hits the answer halfway through on average, hence the divide by two. A 70-bit password against the 10-billion-per-second GPU works out to roughly 2^69 / 10¹⁰ ≈ 59,000 years. Trim it to 45 bits and the same hardware is done in under an hour. The gap between "fine" and "gone" is only a couple dozen bits, which is why every bit counts.
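The guesses-to-time conversion with the three attacker rates from the table, as an added example and not the page's own tool: the functions evaluate the average-time formula, pick a readable unit, report the time against every profile so the reader can choose the threat that applies, and invert the formula to find how many bits of true entropy survive a chosen attacker for a chosen period. The profile labels, unit table and function names are assumptions of this example.

```python
import math

# Attacker profiles taken from the table above (guesses per second).
ATTACKERS = {
    "online, throttled": 100,
    "offline, fast GPU": 10 ** 10,
    "offline, big cluster": 10 ** 12,
}
UNITS = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
         ("minutes", 60), ("seconds", 1)]


def guesses_from_bits(bits):
    """True entropy in bits to the size of the search space: G = 2^bits."""
    return 2.0 ** bits


def average_crack_seconds(guesses, guesses_per_second):
    """Expected time to hit the password: half the space divided by the rate."""
    return (guesses / 2) / guesses_per_second


def humanize(seconds):
    """Render seconds in the largest unit that gives a count of at least one."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "under a second"


def crack_time_report(guesses):
    """Average crack time against each attacker profile, keyed by profile name.
    Pass 2^bits for a generated password or an estimator's guess count for a
    human-chosen one."""
    return {name: humanize(average_crack_seconds(guesses, rate))
            for name, rate in ATTACKERS.items()}


def bits_needed(seconds_to_survive, guesses_per_second):
    """Inverse of the formula: the entropy that keeps the average crack time
    above `seconds_to_survive` against an attacker at `guesses_per_second`."""
    return math.log2(2 * seconds_to_survive * guesses_per_second)


if __name__ == "__main__":
    for bits in (45, 70, 100):
        print(f"{bits} bits:", crack_time_report(guesses_from_bits(bits)))
    print("bits to last 100 years against the GPU:",
          round(bits_needed(100 * 365.25 * 86400, 10 ** 10), 1))
```

Evaluating the formula for the 70-bit password against the 10-billion-per-second GPU returns about 1,870 years, and the 45-bit case comes out around 29 minutes; the same 45 bits hold for thousands of years against the throttled online attacker, which is the point of showing all three clocks. Keeping a password out of reach of the GPU for a century takes roughly 66 bits of true entropy, in line with the 70-to-80-bit guidance at the end of the page.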
So which number should I trust?
Trust the measurement that matches how the password was made. If a generator built it at random, the entropy is real and you can take it at face value. If you made it up, ignore any meter showing a cheerful character-count score and find one that does pattern-aware estimation, because that is the only kind that sees your password the way an attacker will.
And the most reliable move of all is to not hand-make passwords for anything that matters. A generated random password sidesteps the entire measurement problem, because there is nothing for an attacker to pattern-match. More on what makes a password strong in the first place.
Common questions
Are password strength meters accurate?
Often no. Many run a character-count formula meant for random passwords on passwords humans wrote, which overstates strength badly. A meter that does pattern-aware estimation (the kind that recognizes dictionary words, dates, and keyboard runs) is far more honest than one showing a simple complexity score.
What is the difference between entropy and a strength estimate?
Entropy counts how many passwords yours could have been, and it is exact for a randomly generated password. A strength estimate guesses how an attacker would actually crack a human-chosen password by spotting predictable patterns. Use entropy for generated passwords and pattern-aware estimates for ones a person made up.
What is zxcvbn?
It is a widely used password strength estimator that scores a password by how an attacker would really guess it, recognizing dictionary words, names, dates, keyboard patterns, and common substitutions, rather than just counting character types. It reports a realistic guesses-to-crack figure instead of a theoretical one.
Why does the same password show different crack times?
Because crack time depends on how fast the attacker can guess, and that ranges from about a hundred guesses a second against a live login to a trillion a second on a dedicated cluster. A good tool lets you pick the attacker so the number reflects your actual threat.
How many bits of entropy is safe?
For a generated random password, 70 to 80 bits is comfortable for important accounts and past 100 is effectively uncrackable. For a human-chosen password the bit count is unreliable, so lean on a pattern-aware estimate instead.