🛡️ Breach Check
🔐 Privacy: Only the first 5 characters of the SHA-1 hash are sent. Your actual password is never transmitted. This is called k-anonymity.
📊 Weak → Strong Comparison
| Password | Strength | Crack Time | Why? |
|---|---|---|---|
| password | Very Weak | Instant | Common password, dictionary word |
| p@$$w0rd | Fair | 2 seconds | Still a known substitution pattern |
| Tr0ub4dor&3 | Good | 3 days | Complex but short (11 chars) |
| correct-horse-battery-staple | Strong | 550+ years | Long, memorable, high entropy |
| X9#kP2mQr7vL!nW4 | Strong | Millennia | 16 chars, all types, random |
How Is Password Strength Measured?
Password strength is measured by entropy — a mathematical value in bits representing how unpredictable the password is. The formula is log₂(charset_size) × length. But raw entropy is only part of the picture: PassKit.in also detects pattern weaknesses that reduce effective security, including dictionary words, keyboard walks (qwerty, 12345), repeated characters, dates, and common substitutions (@ for a, 3 for e).
Password Entropy Scale — What the Numbers Mean
0–40 bits (Weak): Crackable in seconds to hours. Common passwords, short passwords, keyboard walks.
40–60 bits (Fair): Crackable in hours to weeks with offline attack. Acceptable only for low-risk accounts.
60–80 bits (Good): Crackable in months to years. Sufficient for most accounts with a password manager.
80–128 bits (Strong): Would take thousands to millions of years. Recommended for all accounts.
128+ bits (Very Strong): Computationally uncrackable with any foreseeable technology.
How Long Would It Take to Crack Your Password?
PassKit.in estimates crack time using an offline brute-force attack at 10 billion guesses per second — a realistic model for a GPU-equipped attacker who has stolen a hashed password database. Common real-world benchmarks: a high-end GPU cluster achieves 10–100 billion MD5 hashes/second. For bcrypt-hashed passwords, the rate drops to thousands per second, making even shorter passwords very safe.
Common Password Weaknesses PassKit Detects
Dictionary words — any recognizable word reduces effective entropy dramatically
Keyboard patterns — qwerty, asdf, zxcv, 12345678 are in every attacker's first pass
Repeated characters — aaaaaa, 111111, or character repetition within a password
Dates and years — 1990, 2024, Jan, birthday patterns are common guesses
Leet substitutions — p@ssw0rd and similar patterns are well-known to crackers
Short length — any password under 12 characters is vulnerable to GPU brute force
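The entropy formula, the 10 billion guesses/second crack-time model and the pattern checks described above, as an added JavaScript example (not PassKit.in's own code). The word and keyboard-walk lists, the leet map, the 10,000 guesses/second bcrypt-like rate and all function names are assumptions made for illustration; the code flags patterns but does not reproduce PassKit's score penalties.

```javascript
// Added example, not PassKit.in's code. Class sizes sum to 94, the figure the page uses.
const CLASSES = [
  [/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 32],
];
// Constructed sample lists (assumptions); a real checker would use far larger ones.
const WORDS = ["password", "dragon", "monkey", "letmein"];
const WALKS = ["qwerty", "asdf", "zxcv", "12345"];
const LEET = { "@": "a", "4": "a", "3": "e", "0": "o", "1": "l", "$": "s", "5": "s" };

function charsetSize(pw) {
  return CLASSES.reduce((n, [re, size]) => n + (re.test(pw) ? size : 0), 0);
}

// Raw entropy in bits: log2(charset_size) * length.
function entropyBits(pw) {
  const size = charsetSize(pw);
  return size === 0 ? 0 : Math.log2(size) * pw.length;
}

// Seconds to exhaust the whole keyspace at a given guess rate (upper bound on search time).
function crackSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond;
}

// Report which of the page's weakness categories apply to a password.
function findWeaknesses(pw) {
  const lower = pw.toLowerCase();
  const unleet = lower.replace(/[@4301$5]/g, (c) => LEET[c]); // undo common substitutions
  const found = [];
  if (WORDS.some((w) => lower.includes(w))) found.push("dictionary word");
  else if (WORDS.some((w) => unleet.includes(w))) found.push("leet substitution");
  if (WALKS.some((w) => lower.includes(w))) found.push("keyboard pattern");
  if (/(.)\1{2,}/.test(pw)) found.push("repeated characters");
  if (/(19|20)\d{2}/.test(pw)) found.push("date or year");
  if (pw.length < 12) found.push("short length");
  return found;
}

function analyze(pw) {
  const bits = entropyBits(pw);
  return {
    bits: Math.round(bits),
    secondsFast: crackSeconds(bits, 1e10), // the page's 10 billion guesses/second model
    secondsSlow: crackSeconds(bits, 1e4),  // assumed bcrypt-like rate (thousands/second)
    weaknesses: findWeaknesses(pw),
  };
}
```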
Frequently Asked Questions
PassKit calculates entropy as log₂(charset_size) × length. It then applies penalties for detected patterns: dictionary words, keyboard walks, repeated characters, dates, and l33t substitutions. The final score (0–100) maps to Weak / Fair / Good / Strong. The crack time assumes an offline brute-force at 10 billion guesses/second.
Security experts consider 80+ bits of entropy strong for most purposes. NIST SP 800-63B recommends focusing on length rather than complexity. For a password manager master password, aim for 100+ bits. PassKit displays entropy in real time — use the generator tool to create passwords that score 80+ bits automatically.
No — the strength test is entirely local. Your password is analyzed in JavaScript running in your browser. Nothing is transmitted. The breach check (available on the dedicated Breach Check page) also never sends your actual password — it uses k-anonymity, sending only the first 5 characters of the SHA-1 hash.
Because length contributes more to entropy than character variety. A 20-character lowercase-only password has log₂(26) × 20 = 94 bits of entropy. A 10-character all-type password has log₂(94) × 10 = 66 bits. The 20-char lowercase password is harder to crack despite using only letters. This is why security experts now emphasize length above all else.