
How To Measure Password Strength

📖 This guide was prepared by the ToolPazar team. All of our tools are free and ad-free.

What strength meters try to measure

Password strength meters often lie. “Tr0ub4dor&3” scores “strong” on most meters but takes hours to crack; “correct horse battery staple” scores weak but takes centuries. Strength is about entropy and resistance to known attacks, not about symbol mixing. This guide covers what password strength actually measures, the meters that get it right (zxcvbn) versus the ones that get it wrong (rule-based), how length beats complexity, why a breach check matters more than a “strong” score, and practical guidance on building passwords that resist real-world attack patterns.

The rule-based meter problem

Three common methods, in decreasing order of badness:

Length beats complexity

The rules “uppercase + digit + symbol + 8 chars” came from a 2003 NIST doc. NIST retracted that guidance in 2017, but corporate IT kept it.

zxcvbn — the right meter

A 12-char password from a 26-letter alphabet has 26¹² ≈ 9.5 × 10¹⁶ combinations. A 16-char password from a 26-letter alphabet has 26¹⁶ ≈ 4.3 × 10²². Four extra lowercase characters add more entropy than adding uppercase and digits.

Breach exposure > theoretical strength

Practical implication: passphrases of 4-6 random words beat “strong” 8-char passwords both in security and memorability.

Attack models matter

Checks 30,000+ most common passwords.

What strength doesn’t protect against

Outputs a score 0-4 and an estimate of guesses needed. 4 ≈ “safe from offline slow-hash crack with 10 years effort”. 3 ≈ “safe from offline fast-hash”. 2 ≈ “safe from online throttled”. 0-1 ≈ crack within minutes.

Good passwords by use case

Use both. Breach-clean + zxcvbn 3+ is a reasonable bar.

Common mistakes

Strength depends on how an attacker can try passwords:

Run the numbers

Design for the worst case: offline fast hash. If your password would crack there, it’s too weak.
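The length-versus-alphabet comparison and the worst-case rule above, worked through as an added example (not part of the original guide). The guess rates, the 10-year budget applied to every model, and the 7776-word list size are assumptions chosen for illustration, and the math only holds for secrets picked uniformly at random.

```python
import math

# Assumed guess rates in guesses per second for the guide's three attack
# models. The guide gives no figures; these are illustrative assumptions.
ATTACK_RATES = {
    "online throttled": 100 / 3600,  # 100 guesses per hour
    "offline slow hash": 1e4,
    "offline fast hash": 1e10,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_bits(choices: int, length: int) -> float:
    """Entropy in bits when each of `length` symbols (characters or words)
    is picked uniformly at random from `choices` options. This does not
    hold for human-chosen passwords, which need a pattern-aware estimator."""
    return length * math.log2(choices)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess: on average half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def survives(bits: float, budget_years: float = 10.0) -> dict:
    """Map each attack model to True if the secret outlasts the budget."""
    return {name: years_to_crack(bits, rate) >= budget_years
            for name, rate in ATTACK_RATES.items()}


# Constructed candidates. 7776 is an assumed word-list size (Diceware-style).
CANDIDATES = {
    "12 lowercase letters": random_bits(26, 12),
    "12 letters/digits, mixed case": random_bits(62, 12),
    "16 lowercase letters": random_bits(26, 16),
    "4 random words": random_bits(7776, 4),
    "6 random words": random_bits(7776, 6),
}

if __name__ == "__main__":
    for label, bits in CANDIDATES.items():
        verdict = survives(bits)
        worst = "ok" if verdict["offline fast hash"] else "too weak"
        years = years_to_crack(bits, ATTACK_RATES["offline fast hash"])
        print(f"{label:30s} {bits:5.1f} bits  fast-hash {years:10.3g} y  {worst}")
```

Under these assumed rates, 12 random lowercase letters outlast the slow-hash and throttled models but fall to the fast-hash model in under a year, while 16 lowercase letters hold up in all three.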