How Password Crack Time is Calculated
The strength of a password is measured in bits of entropy, which represents the uncertainty or randomness in the password. The higher the entropy, the stronger the password.
Entropy is calculated using the formula: log2(C^L) where:
- C is the cardinality (number of possible characters in each position)
- L is the length of the password
Different character types contribute to the total cardinality:
- Lowercase letters (a-z): 26 possible characters
- Uppercase letters (A-Z): 26 possible characters
- Digits (0-9): 10 possible characters
- Common symbols (!@#$%^&*...): 33 possible characters
For example, a password using all character types would have a cardinality of 95 (26+26+10+33).
The crack time is calculated by converting the entropy into the number of possible combinations and then estimating how long it would take to try them all.
The formula used is:
crack_time = (2entropy / 2) / guesses_per_second
Where:
- 2entropy is the total number of possible combinations
- We divide by 2 because on average, the attacker would find the password after searching half the space
- guesses_per_second is the attacker's guessing speed (10 billion guesses/sec for offline attacks)
We consider different attack scenarios:
- Online attacks: ~1,000 guesses/second (throttled by servers)
- Offline attacks: ~10 billion guesses/second (with dedicated hardware)
Our calculator uses the offline attack scenario as it represents the worst-case scenario for password security.
The analyzer looks for common patterns that reduce password strength:
- Dictionary words and common passwords
- Repeated characters or sequences
- Keyboard patterns (like "qwerty" or "1qaz2wsx")
- Dates and years
- Personal information (names, usernames, etc.)
Each pattern found reduces the effective entropy of the password, as attackers use these patterns in their cracking attempts.