How Long Until Someone Cracks It?
password — cracked in 0.0000001 seconds. It’s the first thing in every attacker’s dictionary.
P@ssw0rd — looks complex, right? An attacker’s tool knows that people substitute a with @ and o with 0. It falls in under a minute with a rules-based dictionary attack.
j7$kQ2m!vP9xL4 — now we’re talking. Fifteen random characters from a 95-character pool. At 1 billion guesses per second (a realistic rate for a GPU cluster), brute-forcing this would take roughly 2.5 million years.
correct-horse-battery-staple — all lowercase, no special characters, but 28 characters long. Length dominates. Brute-forcing the character space would take longer than the age of the universe.
This tool shows you exactly where your password falls on that spectrum. It runs entirely in your browser — your password never touches a network connection.
What the Numbers Actually Mean
The crack time estimate assumes a pure brute-force attack at 1 billion guesses per second. That’s roughly what a mid-range GPU can do against unsalted SHA-256 hashes. Here’s the math:
The character set size depends on what’s in your password. Lowercase only? That’s 26 characters per position. Add uppercase: 52. Add digits: 62. Add symbols: 95. Raise that to the power of your password length, divide by 2 (on average, an attacker finds the password halfway through the search space), then divide by the attack speed.
An 8-character password with all character types: 95^8 / 2 / 10^9 = about 33 days. That’s not great.
A 16-character password with all types: 95^16 / 2 / 10^9 = about 1.3 x 10^15 years. That’s very great.
Length beats complexity every time. A 20-character lowercase password (26^20) is astronomically stronger than an 8-character password with every character type (95^8).
Where This Falls Short
The brute-force estimate doesn’t account for smart attacks. Real attackers use:
- Dictionary attacks — trying every word in a wordlist (rockyou.txt has 14 million entries)
- Rules-based attacks — applying common substitutions (a->@, s->$, o->0) and patterns (capitalize first letter, add number at end)
- Credential stuffing — trying passwords leaked from other breaches
Summer2024! has decent brute-force resistance, but it’ll fall in seconds to a rules-based dictionary attack because it follows a hyper-common pattern: Season + Year + Symbol.
The meter gives you a solid baseline, but keep in mind that randomness matters as much as length. A password generated by a machine is always stronger than one composed by a human, because humans are predictable.
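The brute-force formula from the previous section combined with checks for the patterns listed above, as an added JavaScript example (not this tool's actual source). The sample wordlist, function names and warning labels are assumptions made for illustration.

```javascript
// Added example (not the tool's source): the page's brute-force formula plus
// checks for the guessable patterns the page describes.
const GUESSES_PER_SECOND = 1e9; // attack rate the page assumes

// Constructed sample wordlist (assumption); a real check would use a large list.
const SAMPLE_WORDS = new Set(["password", "welcome", "summer", "winter", "spring", "autumn"]);

// Reverse the substitutions the page lists: a->@, s->$, o->0.
const UNLEET = { "@": "a", "$": "s", "0": "o" };

// Pool per position: lowercase 26, uppercase 26, digits 10, symbols 33 (total 95).
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  return pool;
}

// log10 of pool^length / 2 / rate, in seconds. Logs avoid overflow on long inputs.
function log10BruteForceSeconds(pw) {
  const pool = poolSize(pw);
  if (pool === 0) return -Infinity; // empty input
  return pw.length * Math.log10(pool) - Math.log10(2) - Math.log10(GUESSES_PER_SECOND);
}

// Flags patterns that wordlist and rules-based guessing cover long before brute force.
function patternWarnings(pw) {
  const warnings = [];
  const stem = pw.toLowerCase().replace(/[^a-z]+$/, ""); // drop trailing digits/symbols
  const plain = stem.replace(/[@$0]/g, (c) => UNLEET[c]);
  if (SAMPLE_WORDS.has(plain)) {
    warnings.push(plain === stem ? "dictionary-word" : "dictionary-word-with-substitutions");
  }
  if (/^(spring|summer|autumn|fall|winter)(19|20)\d{2}[^a-z0-9]*$/i.test(pw)) {
    warnings.push("season-year-symbol");
  }
  return warnings;
}

function assess(pw) {
  const warnings = patternWarnings(pw);
  return {
    log10Seconds: log10BruteForceSeconds(pw),
    warnings,
    bruteForceEstimateReliable: warnings.length === 0, // false: real resistance is far lower
  };
}
```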
Auditing Your Accounts
Pull up your password manager and sort by strength. Run your weakest passwords through this meter. Anything below “Good” should get replaced immediately — especially for email, banking, cloud storage, and anything with payment information.
If you don’t have a password manager yet, start today. Use the Password Generator on Toolsvu to create random passwords for each account, and the Passphrase Generator for your master password (something you can actually type from memory).
All analysis runs client-side. Disconnect your internet and the tool keeps working. Your passwords stay on this page and nowhere else.