"Add a capital letter and a symbol" is terrible password advice. Real strength is about how many guesses it takes to crack — and you can estimate that live in the browser. Here's a password strength meter that does the actual math.
🔐 Test a password (nothing leaves your browser): https://dev48v.infy.uk/solve/day16-password-strength.html
Strength = guesses to crack
The core estimate is entropy in bits: length × log2(poolSize), where the pool is the sum of the character classes actually present (26 lowercase + 26 uppercase + 10 digits + ~32 printable symbols). That formula assumes every character was picked uniformly at random from the pool. More length and a bigger pool = more bits, and each extra bit doubles the number of guesses.
But entropy isn't enough
P@ssw0rd looks complex (it uses all four classes, so the formula credits it with about 52 bits) but is cracked instantly: it's a dictionary word with predictable substitutions, and cracking tools apply exactly those mangling rules to their wordlists before they ever brute-force. So you dock points for:
- common passwords (a blocklist)
- dictionary words + leetspeak un-substitution
- repeats (aaaa), sequences (1234, abcd), and keyboard walks (qwerty)
Crack time makes it real
Turn bits into guesses (2^bits for the whole space, half that on average) and divide by the attacker's guess rate → "instantly", "3 days", or "centuries." The rate is the big assumption: ~10 billion/sec is realistic for an offline GPU attack on a fast, unsalted hash like MD5 or NTLM, but drops by several orders of magnitude against bcrypt or Argon2, and an online login form with lockout is slower still. Seeing that number teaches more than any rule.
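The whole pipeline above (char pool → naive bits → blocklist and pattern penalties → crack time), as an added example in plain JavaScript; this is not the meter from the linked page. The blocklist, dictionary, leet table, keyboard rows, attacker rate and the size of each penalty are constructed assumptions for the demo, not data from the post.

```javascript
// Added example, not the meter from the original page: the same pipeline
// (char pool -> entropy -> blocklist/pattern penalties -> crack time).
// Blocklist, dictionary, leet table, rate and penalty sizes are constructed assumptions.
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein", "p@ssw0rd"]);
const DICTIONARY = new Set(["password", "welcome", "dragon", "monkey", "summer"]);
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"];
const GUESSES_PER_SEC = 1e10;       // assumed offline rate against a fast, unsalted hash
const PATTERN_PENALTY_BITS = 10;    // assumed dock per repeat / sequence / keyboard-walk hit
const YEAR = 365.25 * 86400, CENTURY = 100 * YEAR;

// Step 1: the pool is the sum of the character classes actually present.
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 32;   // printable ASCII symbols (incl. space)
  return pool;
}
// Step 2: naive entropy, correct only for a uniformly random pick from the pool.
function naiveEntropyBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(poolSize(pw));
}
// Undo leetspeak so "P@ssw0rd" is compared to the dictionary as "password".
function unleet(pw) {
  return pw.toLowerCase().split("").map(c => LEET[c] ?? c).join("");
}
// Count characters the un-substitution changed: each is a mangling rule the
// attacker also has to try, credited here as roughly one extra bit.
function substitutionCount(pw) {
  const lower = pw.toLowerCase(), plain = unleet(pw);
  let n = 0;
  for (let i = 0; i < lower.length; i++) if (lower[i] !== plain[i]) n++;
  return n;
}
// Four or more consecutive characters with a constant step of +1 or -1: 1234, abcd, zyxw.
function hasSequence(pw) {
  const s = pw.toLowerCase();
  for (let i = 0; i + 3 < s.length; i++) {
    const d = [1, 2, 3].map(k => s.charCodeAt(i + k) - s.charCodeAt(i + k - 1));
    if (Math.abs(d[0]) === 1 && d[0] === d[1] && d[1] === d[2]) return true;
  }
  return false;
}
// Any 4-character run that sits on a keyboard row, in either direction.
function hasKeyboardWalk(pw) {
  const s = pw.toLowerCase();
  for (const row of KEYBOARD_ROWS) {
    const rev = [...row].reverse().join("");
    for (let i = 0; i + 4 <= s.length; i++) {
      const frag = s.slice(i, i + 4);
      if (row.includes(frag) || rev.includes(frag)) return true;
    }
  }
  return false;
}
// Step 4: average crack time is half the keyspace divided by the guess rate.
function crackSeconds(bits) {
  return Math.pow(2, bits - 1) / GUESSES_PER_SEC;
}
function humanTime(sec) {
  if (sec < 1) return "instantly";
  if (sec >= 100 * CENTURY) return "centuries";
  const units = [["years", YEAR], ["days", 86400], ["hours", 3600], ["minutes", 60], ["seconds", 1]];
  for (const [name, span] of units) if (sec >= span) return `${Math.round(sec / span)} ${name}`;
  return "instantly";
}
// Step 3 + glue: start from naive bits, then cap or dock for what an attacker tries first.
function estimate(pw) {
  const naiveBits = naiveEntropyBits(pw);
  const flags = [];
  let bits = naiveBits;
  const lower = pw.toLowerCase(), plain = unleet(pw);
  if (COMMON_PASSWORDS.has(lower) || COMMON_PASSWORDS.has(plain)) {
    flags.push("common");
    bits = Math.min(bits, 1);                  // one of the first guesses any cracker makes
  } else if ([...DICTIONARY].some(w => plain.includes(w))) {
    flags.push("dictionary");
    // wordlist size x substitution variants x a capitalisation variant, not the char pool
    bits = Math.min(bits, Math.log2(DICTIONARY.size) + substitutionCount(pw) + (/[A-Z]/.test(pw) ? 1 : 0));
  }
  if (/(.)\1{2,}/.test(pw)) { flags.push("repeat"); bits -= PATTERN_PENALTY_BITS; }
  if (hasSequence(pw)) { flags.push("sequence"); bits -= PATTERN_PENALTY_BITS; }
  if (hasKeyboardWalk(pw)) { flags.push("keyboard"); bits -= PATTERN_PENALTY_BITS; }
  bits = Math.max(0, bits);
  const seconds = crackSeconds(bits);
  return { naiveBits, bits, flags, seconds, crackTime: humanTime(seconds) };
}

for (const pw of ["P@ssw0rd", "qwerty1234", "Xk9#mQ2v", "correct horse battery staple"]) {
  const r = estimate(pw);
  console.log(`${pw}: ${r.naiveBits.toFixed(1)} naive bits -> ${r.bits.toFixed(1)} bits [${r.flags}] -> ${r.crackTime}`);
}
```

Run it with node or paste it into a browser console. The point to notice is the gap between `naiveBits` and `bits`: P@ssw0rd starts at ~52 naive bits and ends at 1, while the four-word passphrase keeps all ~164 of its bits because nothing in it matches a list or a pattern. The fixed 10-bit dock per pattern is a toy heuristic; zxcvbn instead estimates guesses per matched pattern and takes the cheapest path through the whole string, which is why the post recommends it for production.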
The real lesson
Length beats complexity. A long passphrase crushes a short "complex" password. (Production: use zxcvbn rather than rolling your own scorer; servers must store only salted hashes from a slow password hash such as bcrypt, scrypt or Argon2, never plaintext.)
🔨 Full build (char pool → entropy → blocklist/pattern penalties → crack-time → meter) on the page: https://dev48v.infy.uk/solve/day16-password-strength.html
Part of SolveFromZero. 🌐 https://dev48v.infy.uk