Safely Test Your Password Strength.

Password Strength Test

With the number of accounts people maintain, both on and off the Internet, creating strong passwords is a challenge. If you’re worried about having your information exposed because of a weak password, use this password strength test to check the quality and security of your passcode.

How secure is my password?

A secure password is very different today than it was ten years ago. Strong passwords require more variance and randomness than ever. A single regular word where a's are replaced with @'s and o's become zeros, like P@$$w0rd!, used to be a common – and secure – password. Likewise, three unrelated words with no special characters combined, like windowparachutewheels, would have worked a few years ago.

But now, neither of those passwords is considered secure. The password strength test says it would take less than a second to crack P@$$w0rd! in an offline attack with fast hashing and only three seconds to crack windowparachutewheels in the same attack. Cracking these passcodes may take longer in less aggressive incidents, like throttled attacks, but the fact remains that passwords must be stronger than ever.

Check your password with the password strength test.

Though each password is different, length and diversity are key when you create a password. Try different combinations of uppercase and lowercase letters, numbers, and special characters, and make sure you create a password of more than 20 characters for the best results. The password jY82!xm90rTyU2!7!lxm, for example, is 21 characters made up of letters, numbers, and exclamation points. It would take the same offline attack with fast hashing centuries to crack.

How does the password strength test work?

The password strength test analyzes your password. It reviews how long it would take to crack with four different types of cyberattacks - a throttled online attack, an unthrottled online attack, an offline attack with slow hashing, and an offline attack with fast hashing - and offers tips for increasing the password’s strength based on what you entered. With this information, you can revise your password to make it stronger or opt to generate a stronger, new password altogether with a password generator.

The password strength test is written entirely in JavaScript, meaning that the processing is done completely on your device. No password information you test stays on this site. It’s completely safe to test any password using our password tester. If you need to improve your account security, the best thing to do is test your passwords to improve their strength; your information will stay secure in the online password tester tool, and you'll improve your account protection overall.

What are the cyberattacks shown in the test?

The password strength test shows how strong your password is against four kinds of password attacks, as listed above. It covers a throttled online attack, an unthrottled online attack, an offline attack with slow hashing, and an offline attack with fast hashing. While you can still use the tool without understanding each attack, knowing the difference can be helpful.

Online attacks

Online attacks typically happen on a website or at the login interface. These are more traditional attacks in which a cyberattacker attempts to crack a password by entering numerous username and password combinations into the login portal. These attacks take longer because they occur through a website rather than through the server or backend. They also vary in success depending on factors such as the level of throttling involved.

Throttling in online attacks refers to the limitations placed on the number of times a person can attempt to enter a password. This isn't something a user sets with their passwords. Instead, the server or site storing the passwords sets it.

In a throttled online attack, a hacker is limited by the number of times they can try to access the server. This isn't the case in an unthrottled online attack, which lacks limitations for attempted access.

Offline attacks

Offline attacks are much more harmful and can occur much faster than online attacks. With offline attacks, the cyberattacker has access to the server storing the passwords or other sensitive data and attempts to crack it. Once they have access, they make all of the information in the server available.

However, having access to the server doesn't necessarily mean that all of your information will instantly be exposed. Whereas online attacks are limited by throttling, offline attacks are limited by hashing.

Hashing functions as a countermeasure against offline attacks. All of your data and passwords are stored as cryptographic hashes rather than in plaintext. This essentially means that the cyberattacker still needs to crack the hashes in order to know your passwords.

Fast hashes are easier to calculate and compute, but this also means they're easier to crack. Offline attacks with fast hashing are the quickest route to information for hackers and other cybercriminals. Slow hashes, on the other hand, are more difficult to calculate. These complications make it harder for cyberattackers to decode the data and access your passwords.
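
As an added illustration (not the test's own code), the JavaScript below shows how an estimate like the ones described under "How does the password strength test work?" and in the attack descriptions above can be computed: it takes the cheaper of a brute-force search and a wordlist attack that tries character substitutions, then divides by a guess rate for each of the four attacks. The guess rates, the five-entry wordlist and the variant multipliers are assumptions made for this example; it models only single-word wordlist hits, so multi-word passwords fall through to the brute-force figure.

```javascript
// Added example. Guess rates are assumed (the page gives none); they match the
// rates the open-source zxcvbn estimator uses for the same four scenarios.
const RATES = {
  throttledOnline: 100 / 3600, // 100 guesses per hour
  unthrottledOnline: 10,
  offlineSlowHash: 1e4,
  offlineFastHash: 1e10,
};

// Constructed sample wordlist, most common first; real lists hold many thousands.
const COMMON = ["123456", "password", "12345678", "qwerty", "letmein"];

// Common character substitutions mapped back to the letters they replace.
const LEET = { "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "l", "3": "e" };

// Exhaustive search space: alphabet size raised to the password length.
function bruteForceGuesses(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) alphabet += 33;
  return Math.pow(alphabet, pw.length);
}

// Guesses for a wordlist attack that also tries capitalization, substitutions
// and a short digit/symbol suffix. Infinity means the wordlist never hits.
function dictionaryGuesses(pw) {
  const lower = pw.toLowerCase();
  const caps = pw === lower ? 1 : 2;                  // assumed multiplier
  const exact = COMMON.indexOf(lower);
  if (exact !== -1) return (exact + 1) * caps;
  const suffix = /[^a-z]{0,3}$/.exec(lower)[0];       // e.g. "!" or "92"
  const core = [...lower.slice(0, lower.length - suffix.length)];
  const rank = COMMON.indexOf(core.map((c) => LEET[c] ?? c).join("")) + 1;
  if (rank === 0) return Infinity;
  const swaps = core.filter((c) => c in LEET).length; // substituted characters
  return rank * caps * 2 ** swaps * 95 ** suffix.length;
}

// The cheapest attack wins; dividing by each rate gives seconds to crack.
function estimate(pw) {
  const guesses = Math.min(bruteForceGuesses(pw), dictionaryGuesses(pw));
  const seconds = Object.fromEntries(
    Object.entries(RATES).map(([name, rate]) => [name, guesses / rate]));
  return { guesses, seconds };
}

for (const pw of ["P@$$w0rd!", "jY82!xm90rTyU2!7!lxm"]) console.log(pw, estimate(pw));
```

For P@$$w0rd! the wordlist path needs 6,080 guesses, well under a second at the fast-hash rate, whereas a brute-force-only estimate of the same nine characters would suggest about two years.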

How can I protect against these attacks?

Ultimately, though strong passwords are important, you don't know what type of security or storage each server uses. Therefore, you can only protect so much against online and offline attacks. The security of each site plays a large role in how safe your passwords are.

However, to protect against widespread damage from these attacks, the best thing to do is only use each password once. Regardless of the importance of each account, reusing passwords puts you at risk for additional damages should someone compromise one of your passwords. You can't know exactly what type of protections each server uses. This means that your best defense is using strong passwords and only using each once.

How to check if your password is strong

A strong password should be one that is not easily guessed by anyone. It shouldn’t relate to personal information, such as the name of a pet or a date significant to you. That information is easy to remember. However, it makes it more likely that a hacker could guess your password based on a social media profile or knowledge of your general interests.

To avoid creating weak passwords, make sure to include uppercase letters, lowercase letters, numbers, and special characters in each of your passwords. A variety of upper- and lowercase letters, as well as numbers and symbols like an exclamation mark or dollar sign, increases the difficulty of any password, no matter how simple it originally may have been.

Most experts recommend that passwords contain at least 8 to 12 characters. However, don’t feel restricted by this password length. The Cybersecurity & Infrastructure Security Agency (CISA) advises that the longer a password is, the more secure it is.

The National Institute of Standards and Technology (NIST) has recently revised their recommendations. They now allow passwords a maximum of 64 characters. A password that long, with a combination of the four character elements above, is highly unlikely to get cracked with today’s technology. In the tool above, a password of at least 20 characters made up of a combination of letters, numbers, and special characters would take centuries to crack by any of the attack methods.

What are the easiest passwords to guess?

The easiest passwords to guess are ones that spell out real words or phrases with no character variation. For example, anyone who knows your basic information can guess a password that spells out your name and your birth year. Don't create a password using information someone could find such as your birthday, which someone can find in online records, or your IP address, which someone can find on the What's My IP website.

Furthermore, common passwords like 12345678 and password are weak and easily guessable. Instead, try more unique passwords that don’t mean anything to anyone except you; this will make it possible for you to remember your password without making yourself vulnerable.

Use a passphrase instead of a password

Using a passphrase instead of a password is one option for creating a more secure password. Take a phrase and use the first letter of each word, then add characters and numbers.

For example, “This is my favorite passphrase turned into a password!” becomes TimFPtiaP!92. Users may find this easier to remember, but hackers will find it more difficult to crack.

Using password managers for better password strength

For users who struggle to remember their passwords or have difficulty coming up with strong passwords on their own, password managers are a good option. Password managers, like RoboForm, create and store unique, hard-to-crack passwords in their system for each user. The user creates a master password, which is the only key they must remember. Make sure to test the password strength of the master password, however.

Using a password manager helps users protect against data breaches, since each password is unique. It makes it nearly impossible for hackers to guess the passcodes with brute force.

Use a password manager to create strong passwords. Then, test the passwords in the tool above to see just how well password managers really do work.