🌐
Bitwarden
bitwarden.com › password-strength
Password Tester | Test Your Password Strength | Bitwarden
Strong and unique passwords can be automatically generated for free using the Bitwarden Password Generator. With this free tool, you can customize the password generator settings, including the number of characters and the use of capitalization, ...
🌐
PasswordMonster
passwordmonster.com › home
Password Strength Meter
March 3, 2022 - The password strength calculator uses a variety of techniques to check how strong a password is. It uses common password dictionaries, regular dictionaries, first name and last name dictionaries and others.
Discussions

Password Strength Testing Tool - password from list listed as secure
Don’t use password strength testers… that’s what you missed. They just look for characteristics like length and characters used and aren’t really a good measure of how secure a password is. More on reddit.com
🌐 r/Bitwarden
23
61
September 17, 2024
What is the best tool/site to test a passwords strength?
Don't ever type the real password you want to test into any online or offline testing tool. Instead, you should construct a different password with a similar structure and policies, and use that instead. Also, don't trust the tests, because most of them use brute force to test, whereas real-world attacks use complex methods like mask, permutation or Markov chain to break your passwords. Not to mention that test sites only simulate a single machine for cracking, whereas real-life attackers use computer clusters or high-power hardware like ASICs to break your password. More on reddit.com
🌐 r/privacy
4
3
August 30, 2016
🌐
Security.org
security.org › home › how secure is my password? | password strength checker
How Secure Is My Password? | Password Strength Checker | Security.org
October 14, 2020 - Check how secure your password is using our free online tool. How long would it take a supercomputer to crack your password?
🌐
NordPass
nordpass.com › secure password
How Secure Is My Password? | NordPass
Our web-based password strength checker is built on JavaScript and uses a high-security SSL connection. The technology we use in this tool is widely known and is highly trusted. The passwords you type never leave your browser, and we don’t store them.
🌐
UIC
uic.edu › apps › strong-password
Password strength test
Disclaimer: This application is designed to assess the strength of password strings. The instantaneous visual feedback provides the user a means to improve the strength of their passwords, with a hard focus on breaking the typical bad habits of faulty password formulation.
🌐
Kaspersky
password.kaspersky.com
Password Checker & Secure Random Password Generator | Kaspersky
Check your password security and see if it can resist hackers. Use our random password generator to instantly create strong, unique passwords and stay protected.
🌐
Reddit
reddit.com › r/bitwarden › password strength testing tool strangeness
r/Bitwarden on Reddit: Password Strength Testing Tool Strangeness
June 10, 2024 -

I was playing with Bitwarden's Password Strength Testing Tool and discovered unexpected behavior.

I have a password that I use to login to my personal laptop (thirteen characters with letters, digits and symbols). I use the same password with 2 additional digits appended as my Bitwarden Master password.

When I test the laptop password, the testing tool says "Strong" and "31 years" to crack. Seems good so far. Next, I append an additional digit and the Estimated Time to Crack increases to "centuries" which seems even better.

Then I append one more digit and the Estimated Time to Crack goes DOWN to 57 years. Huh?

Why would the Estimated Time to Crack go down when appending a digit to a password that would take "centuries" to crack? I thought appending more characters to a password would always increase the estimated time to crack.

Am I misunderstanding something?

Top answer
1 of 5
17
All password "strength" testing tools that work by analyzing a user-entered password example produce invalid results. They are for entertainment purposes only, and should never be relied on to make decisions related to cybersecurity. Bitwarden's tool is no exception. It is based on the zxcvbn tool, which is somewhat better than other password testing tools, but can still produce wildly misleading results. In your case, you may have started with something like hge9e3&jg[s19, which the zxcvbn tool cannot match to its inventory of password patterns, so it conservatively estimates that 10^13 guesses (a factor of 10× for each character) would be required to crack this password. It also assumes that an attacker would be limited to making 10,000 password guesses per second (which is unrealistic for your laptop password, but could be plausible for your Bitwarden master password). Thus, the cracking time is estimated to be 1 billion seconds, which is 31.7 years. If you now add a digit (e.g., 3) at the end of your password string (hge9e3&jg[s193), then the zxcvbn tool still cannot match the string to any of its password patterns, so it determines the number of required guesses to be 10× higher than before (10^14 guesses). Thus, the estimated cracking time is also going to be ten times longer (317 years, a.k.a. "centuries"). If you now add one more digit (e.g., 4) at the end of the previous string (hge9e3&jg[s1934), then something interesting happens. In this case, the zxcvbn tool recognizes the pattern 1934 as a recent calendar year, a pattern commonly found in passwords. The zxcvbn algorithm therefore estimates that it would take at most 90 guesses to come up with the 1934 pattern by working backwards from 2024 (as opposed to its standard estimate of 10,000 guesses for a 4-character sequence with no recognized pattern).
Therefore, the password is now parsed as a random 11-character string (hge9e3&jg[s, requiring 10^11 guesses) followed by a 4-character year pattern (1934, requiring 90 guesses). The tool then applies a fudge factor of 2×, coming up with 1.8×10^13 guesses for cracking this longer password. With an assumed guessing speed of 10^4 guesses/second, the cracking time ends up being 1.8 billion seconds, corresponding to 57 years. Do all of these assumptions seem arbitrary? They are. Can we trust the results? No.
2 of 5
3
I don’t know how the BW tool works but there are plenty of ways adding a character could potentially decrease entropy. For example:
- Adding a character means all or part of your password matches an entry on a known leaked password list.
- Adding a letter means all or part of your password matches a dictionary word, e.g. to over-simplify you could make a case that ‘dictionar’ is a more secure password than ‘dictionary’.
- Adding a number means all or part of your password matches a common number combination, e.g. it forms a date, or worse a famous date or a date that’s traceable to your life. Again to over-simplify you could make a case that 0911200 is more secure than 09112001.
But it will all depend what the tool is checking for. And these tools are notoriously unreliable. They are trying to predict what a hacker will prioritise which will never be reliable, and they can only do simple checks that can run in under a second.
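The arithmetic walked through in the top answer, as an added example (not code from the thread, from Bitwarden, or from zxcvbn). It is a deliberately simplified model that only knows two parses, whole-string brute force and "random prefix + trailing year"; the function names, the 1900 to 2024 year range and the floor of one guess are assumptions of this sketch.

```javascript
// Simplified model of the estimate described in the answer above; NOT the zxcvbn source.
// Figures taken from the answer: 10 guesses per unmatched character, a trailing
// year costs (2024 - year) guesses, a 2x factor when the password is split into
// two segments, and 10^4 guesses per second.
const REFERENCE_YEAR = 2024;
const GUESSES_PER_SECOND = 1e4;
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// 10^n by repeated multiplication (exact for the sizes used here).
function bruteforceGuesses(length) {
  let guesses = 1;
  for (let i = 0; i < length; i++) guesses *= 10;
  return guesses;
}

// Guesses for a trailing 4-digit year, or null when the last four characters
// are not a year in 1900..REFERENCE_YEAR (range is an assumption of this sketch).
function trailingYearGuesses(password) {
  const m = /(\d{4})$/.exec(password);
  if (!m) return null;
  const year = Number(m[1]);
  if (year < 1900 || year > REFERENCE_YEAR) return null;
  return Math.max(REFERENCE_YEAR - year, 1);
}

// Score both parses and keep the cheaper one: the estimator assumes the
// attacker tries the most efficient description of the password first.
function estimateGuesses(password) {
  const whole = bruteforceGuesses(password.length);
  const yearGuesses = trailingYearGuesses(password);
  if (yearGuesses === null) return { guesses: whole, parse: "bruteforce" };
  const prefixLength = password.length - 4;
  const factor = prefixLength > 0 ? 2 : 1; // 2x only when there are two segments
  const split = factor * bruteforceGuesses(prefixLength) * yearGuesses;
  return split < whole
    ? { guesses: split, parse: "bruteforce+year" }
    : { guesses: whole, parse: "bruteforce" };
}

function crackYears(password) {
  return estimateGuesses(password).guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR;
}

// The three example strings from the answer (not real passwords).
for (const pw of ["hge9e3&jg[s19", "hge9e3&jg[s193", "hge9e3&jg[s1934"]) {
  const { guesses, parse } = estimateGuesses(pw);
  console.log(pw, parse, guesses.toExponential(1), crackYears(pw).toFixed(1) + " years");
}
```

The drop from "centuries" to 57 years comes entirely from the estimator switching to a cheaper parse once the last four characters look like a year; nothing about the first eleven characters changed.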
🌐
Bitwarden
bitwarden.com › password-security-checker
Password Security Checker: Everything You Need to Know | Bitwarden
The checker assesses the password’s resilience to being guessed outright or cracked by cybercriminals using computer-automated hacking tools. When a user creates a password, the security checker ranks its effectiveness using sophisticated algorithms and displays the result to the user. The checker aims to warn users if they’re creating vulnerable passwords, encourage them to use stronger ones, and improve the user’s overall privacy and security online. Ready to test the strength of your passwords?
🌐
Delinea
delinea.com › home › password strength checker | how strong is my password?
Password Strength Checker | How strong is my password?
Use our secure password strength checker to test your password strength instantly. Can a computer easily hack your password? See your result in real time!
🌐
RoboForm
roboform.com › how-secure-is-my-password
How Secure Is My Password? Password Checker | RoboForm
The RoboForm password strength tester calculates individual password strength using zxcvbn, a powerful open-source password strength estimator. Most password strength checkers merely count lowercase letters, uppercase letters, digits, and symbols (LUDS). They do not take into account dictionary ...
🌐
Arsen Security
arsen.co › en › resources › password-strength-checker
Password Strength Checker
Check the strength of your password against cyber attacks. Test the robustness of your password now.
🌐
Comparitech
comparitech.com › home › privacy security tools › password strength test
Password Strength Test & Strong Password Generator Tool
January 5, 2019 - For passwords of at least 12 characters: Once the password string is obtained, a strength check is performed.
🌐
WhatIsMyIP.com®
whatismyip.com › password-strength-test
Password Strength Test - WhatIsMyIP.com®
The password strength test shows how strong your password is against four kinds of password attacks, as listed above. It covers throttled online attacks, unthrottled online attacks, an offline attack with slow hashing, and an online attack with fast hashing. While you can still use the tool without understanding each attack, knowing the difference can be helpful.
🌐
Reddit
reddit.com › r/bitwarden › bitwarden password strength tester
r/Bitwarden on Reddit: Bitwarden Password Strength Tester
September 19, 2022 -

In light of the recent LastPass breach I looked at different strength test websites to see how long a password would hold up under an offline brute-force attack.

The password I tried was: Aband0nedFairgr0und

This is a 19-character password with a combination of uppercase/lowercase/numbers. Granted, there are no special characters.

I went to 5 different password strength sites and they all give me wildly different results for how long it would take to crack.

https://www.security.org/how-secure-is-my-password/ 9 quadrillion years
https://delinea.com/resources/password-strength-checker 36 quadrillion years
https://password.kaspersky.com/ 4 months
https://bitwarden.com/password-strength/ 1 day

As you can see the results are all over the place!

Why is the Bitwarden result so low, and if the attacker had zero knowledge of the password, is it feasible to take an average of the different results and assume that the password is stronger than 1 day?

PS: Don't worry, Aband0nedFairgr0und is not a password I use and was made up as a test.

Top answer
1 of 5
63
The other explanations here are true but maybe this will clarify why. Bad password checkers assume a cracking program will guess, in order: a, b, c, … aa, ab, ac, ad, … and so on forever. Good password strength checkers calculate entropy (~randomness) with the assumption of common reasonable wordlists and standard variations on those words, in addition to gibberish character strings. Password cracking tools don’t tend to guess every single random string of characters from shortest to longest, since many people are more likely to choose real words or variations of words. So, for example, “eggplan” is actually a stronger password than “eggplant” despite having fewer characters. They’re both awful, but any decent password cracking tool will guess a word a human is more likely to choose first (vs egg + plan, two unusual words to combine). “eggplan” will even take longer to crack than “eggpl@nt” because a→@ is such a common substitution for humans trying to strengthen their passwords that password cracking tools will likely try it first. Extending to longer sequences, 3-6 memorable unmodified words chosen randomly from very long lists will usually be both more memorable and harder to crack than 2-3 words with symbols inserted. Edit to add: the best way to get a sense of how this works in practice is here: https://lowe.github.io/tryzxcvbn/
2 of 5
33
Bitwarden.com uses zxcvbn to calculate the time-to-crack. You can try it online at https://lowe.github.io/tryzxcvbn/ and it'll tell how it arrived at a time of 1 day.
🌐
Cyber.org
cyber.org › find-curricula › test-strength-your-passwords
Test the Strength of Your Passwords | Cyber.org
This is an educational tool that can be very beneficial in helping students understand why complex passwords are used. It is never recommended that real passwords be used. Enter a Password
🌐
DNS Checker
dnschecker.org › password-strength-checker.php
Password Strength Tester - Test Your Password Strength
Password checker is a reliable tool for testing the strength of your passwords. Use it to strengthen your passwords and secure your digital security.
🌐
GitHub
github.com › SG-1031 › Password_Strength_Testing_Tool
Password Strength Testing Tool
May 24, 2025 - A simple web-based password strength tester built with HTML, CSS and JavaScript.
Author   SG-1031
🌐
CatsWhoCode
catswhocode.com › password strength tester: check your password security
Password Strength Tester: Check Your Password Security
January 21, 2025 - The Password Tester evaluates four fundamental security components that determine overall password strength and security level. These elements work together to provide a comprehensive assessment of password security and potential vulnerabilities. ... Password length assessment examines the ...