In our digital age, the importance of having strong, secure passwords cannot be overstated. With cyber threats on the rise, ensuring that our online accounts are protected is more crucial than ever. In this blog post, I share the core mechanics of measuring password strength and a practical approach to estimating how long it might take a hacker to crack a password. You’ll also get to enter your own password samples and get instant output with those metrics below. Let’s dive in.

In general, the longer the password, the more guesses a hacker or a cracking program will need to make. If the password also contains a mix of upper and lowercase letters, combined with numbers as well as symbols, then the cracker has to deal not only with the length but also with the larger character set. For example, in the English alphabet, a single lowercase letter requires up to 26 guesses. If there’s a mix of lower and upper case, the number of possibilities doubles to 52. Similarly, allowing a set of 13 symbols or special characters raises it to 65, at the same length. Adding digits contributes another 10 possibilities per position. The character set grows linearly as you add types, but the total number of combinations grows exponentially with length, because every additional position multiplies the total by the size of the set. All of this requires more computation to crack the password, and thus more time.
Let’s look at a real, interactive program that you can try your different password examples on. Click on the Run icon in the widget below to run the program. Then type in a sample password, and it’ll tell you the strength of that password and how long it would take to crack it. You can try as many different inputs as you want…just click Run again after each execution to try a new input.
Let’s discuss how the app determines all that.
Assessing Password Strength
The strength is based on the length of the password and which characters it contains. As discussed earlier, a longer password with a diverse set of character types is a stronger password. Therefore, my code counts the number of characters and gives it a score accordingly. Then it looks at the diversity of the characters and adds to the score (or not) depending on whether there are numbers, symbols, upper and lowercase letters, and non-repetitive characters (more repetition means a lower score). The app then maps the final score to one of these textual categories: Weak, Moderate, Strong, and Very Strong.
Next, let’s talk about the method to estimate cracking time.
Estimating Cracking Time
The app calculates the total number of possible combinations from the size of the character set the password draws on (remember, a more diverse set of characters increases this metric) and the overall length of the password. So, total # of possible combinations = (# of characters in the character set used by the input) ^ (length of input) [^ here means: raised to the power of]
Next, we have to consider the number of combinations a computer can guess per second. A relatively well-performing machine can easily make 1 Billion guesses every second. Each ‘guess’ includes all the other computation needed to test a candidate, so the raw speed of the CPU is much higher than 1 Billion operations per second; this is a fair assumption. Using this as a starting number, the app figures out the number of seconds necessary to try every combination for a given password. The seconds are then converted by the app to minutes, hours, days, months or years depending on the value, so the time scale is easier to read and understand.
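Here is an added Python example, written for this post and not the code behind the widget (which the post does not show), that implements both calculations described above: the additive strength score and the (set size) ^ (length) / (guesses per second) crack-time estimate with the unit conversion. The 13-symbol set, the scoring weights, the 30-day month and the 365-day year are assumptions. The weights are chosen so that the post’s three samples fall into the categories the post shows, and the symbol set omits ‘/’ because the post’s ‘Microsoft/365’ figure is reproduced only when ‘/’ adds nothing to the alphabet (62^13 guesses).

```python
"""Password-strength rating and brute-force crack-time estimate (added example)."""
import string

LOWER = set(string.ascii_lowercase)   # 26
UPPER = set(string.ascii_uppercase)   # 26
DIGITS = set(string.digits)           # 10
# The post says the app allows 13 symbols but never lists them, so this set is
# an assumption. It omits '/' on purpose: the post's 'Microsoft/365' figure is
# only reproduced when '/' adds nothing to the alphabet (62 ** 13 guesses).
SYMBOLS = set("!@#$%^&*()-_+")        # 13
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

SECOND, MINUTE, HOUR, DAY = 1, 60, 3_600, 86_400
MONTH, YEAR = 30 * DAY, 365 * DAY     # assumed calendar; 365-day years match the post


def alphabet_size(password):
    """Attacker's search alphabet: a class counts in full once one member is used.
    Characters outside every class widen nothing, which under-estimates crack
    time (the safe direction for a defender)."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def combinations(password):
    """Total candidates for exhaustive search: (alphabet size) ** (length)."""
    return alphabet_size(password) ** len(password) if password else 0


def crack_seconds(password, guesses_per_second=1e9):
    """Worst-case time to try every candidate at the given guess rate."""
    return combinations(password) / guesses_per_second


def humanize(seconds):
    """Largest unit that yields a value >= 1. Years are shown as whole numbers
    with thousands separators; smaller units keep two decimals, as in the post."""
    if seconds < 1:
        return "less than a second"
    if seconds >= YEAR:
        return f"{seconds / YEAR:,.0f} years"
    for size, unit in ((MONTH, "months"), (DAY, "days"), (HOUR, "hours"),
                       (MINUTE, "minutes")):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.2f} seconds"


def score(password):
    """Additive score. The weights are this example's own (assumed), chosen so
    the post's three samples land in the categories the post shows."""
    n = len(password)
    upper = sum(ch in UPPER for ch in password)
    lower = sum(ch in LOWER for ch in password)
    s = 0
    s += int(n >= 8)                          # length
    s += int(n >= 12)
    s += int(upper >= 2 and lower >= 2)       # real mix of cases, not a lone capital
    s += int(any(ch in DIGITS for ch in password))
    s += int(any(ch in SYMBOLS for ch in password))
    if n and len(set(password)) / n < 0.75:
        s -= 1                                # heavy repetition lowers the score
    return s


def strength(password):
    """Map the score to the post's four categories."""
    s = score(password)
    if s <= 1:
        return "Weak"
    return {2: "Moderate", 3: "Strong"}.get(s, "Very Strong")


def report(password, guesses_per_second=1e9):
    """(strength category, human-readable crack time) for one password."""
    return strength(password), humanize(crack_seconds(password, guesses_per_second))


if __name__ == "__main__":
    pw = input("Enter a password: ")
    for rate in (1e9, 350e9):
        cat, eta = report(pw, rate)
        print(f"At {rate:,.0f} guesses/s -> strength: {cat}, time to crack: {eta}")
```

Passing 350e9 as the rate reproduces the 350 B guesses/second figures later in the post. The estimate is a worst case for exhaustive search only; the dictionary and personal-information shortcuts mentioned in the conclusion are not modelled, so real-world cracking of a guessable password is much faster than this number suggests.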
Here are some example inputs and outputs…these assume the cracking speed of 1B guesses/second.
>>>
Enter a password: BlackCat
Password strength: Moderate
Estimated time to crack: 14.85 hours
>>>
Enter a password: BlackCat@13
Password strength: Very Strong
Estimated time to crack: 13,393 years
>>>
Enter a password: Microsoft/365
Password strength: Strong
Estimated time to crack: 6,342,863 years
As you can see, the original password ‘BlackCat’ is assessed to be of Moderate strength by the app, and it estimated it’d take almost 15 hours to crack it with a machine capable of making 1B guesses/second using the brute force method.
By just adding a symbol and two digits to the original, it becomes a Very Strong password and would take over 13 thousand years to be guessed. It gets the Very Strong designation because there is a mix of uppercase and lowercase letters. In the third example ‘Microsoft/365’ we added more letters and just one more digit, still keeping one symbol, and it gets the “Strong” designation (because it uses an uppercase letter only once), but the number of possible combinations makes it much harder to crack. It’d theoretically take over 6 million years!
It’s amazing how a few changes can make a big difference in strength as well as guessability.
Here’s the bad news though…today, it’s not unusual for hackers to use machines that can make 350 Billion guesses per second! Let’s see what the cracking time would be at that speed.
Cracking estimates assuming 350 B guesses/second:
>>>
Enter a password: BlackCat
Password strength: Moderate
Estimated time to crack: 2.55 minutes
>>>
Enter a password: BlackCat@13
Password strength: Very Strong
Estimated time to crack: 38 years
>>>
Enter a password: Microsoft/365
Password strength: Strong
Estimated time to crack: 18,122 years
Wow, at that speed it takes under 3 minutes to crack the first password, which took almost 15 hours at 1B guesses/second. And what took over 13 thousand years at the previous speed now takes 38 years!
Brute Force Attack
In simple terms, in the context of passwords, a brute force attack involves systematically trying every possible combination of characters until the correct password is found. It’s a time-consuming but straightforward method, and, as the examples above show, it is surprisingly effective in many scenarios given the raw computing power available to hackers today.
In Conclusion
It’s worth noting that the app does not take into account other shortcuts hackers use, such as a “dictionary” of the passwords most people commonly pick, or knowing your first and last names, your birth year or month, pet’s name, city, address, phone digits, etc. These would be the first candidates their algorithm tries before resorting to the brute force method. Such approaches, employing social, contextual and smarter guesses instead of brute force, crack passwords far faster than the theoretical time. That is why it’s not good practice to use any commonly used terms as your password; use phrases instead (along with multi-factor authentication for added protection). I won’t go any deeper into security in this post as that’s a much larger topic, but I hope this app illustrated some concepts around combinations and computing power, and put them to use in a real-world case for your own protection. If you’d like to learn more about cybersecurity and best practices, here is a good resource from CISA: Cybersecurity & Infrastructure Security Agency.
I hope you found this post helpful and interesting. Explore this site for more tips and articles. Be sure to also check out my Patreon site where you can find free downloads and optional fee-based code and documentation. Thanks for visiting!