2026-04-11 · 6 min read · password · security · entropy · zxcvbn

Password Strength: The Real Math Behind Crack-Time Estimates

## Why most strength meters lie

The typical meter — green bar, yellow bar, red bar — counts characters and maybe capital letters. It rates Password123! as strong (has uppercase + number + symbol). Real-world attackers crack Password123! in under a second because it's on every password list since 2003.

## The real math

### Entropy

Entropy measures how many guesses an attacker needs. For a random password:

```
entropy = length × log2(charset size)
```

- 8 chars lowercase → 8 × log2(26) ≈ 37 bits — crackable in seconds on a GPU
- 12 chars mixed + symbols → 12 × log2(94) ≈ 79 bits — centuries on current hardware
- 16 chars random → 16 × log2(94) ≈ 105 bits — effectively unbreakable

But: entropy assumes randomness. Humans don't pick random. Password123! has low actual entropy regardless of its character set.

### Common-password corpus check

HaveIBeenPwned releases a corpus of 850M+ breached passwords. Check against it; the range endpoint takes only the first five hex characters of the SHA-1 hash, so the password itself never leaves your machine:

```ts
import crypto from 'crypto';

// Returns true if the password appears in the HaveIBeenPwned corpus.
async function pwned(pw: string): Promise<boolean> {
  const sha = crypto.createHash('sha1').update(pw).digest('hex').toUpperCase();
  const prefix = sha.slice(0, 5);
  const suffix = sha.slice(5);
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`);
  // Each response line is "SUFFIX:COUNT"; compare the suffix exactly, not as a substring.
  return (await res.text())
    .split('\n')
    .some((line) => line.split(':')[0].trim() === suffix);
}
```

If your password has ever been breached, it's dead — no matter the entropy.

### zxcvbn-style scoring

Dropbox's zxcvbn went further: it parses the password into patterns (dictionary word + number suffix + leet substitutions) and calculates the guessing cost for the cheapest attack path. This is the closest to a realistic strength meter.

## Crack-time estimation

For a given entropy E, crack time at G guesses/sec is:

```
crack_time = 2^E / (2 × G)
```

The 2 in the denominator is the average case: the attacker expects to hit the password about halfway through the keyspace.

What matters is that G varies by attack model:

- Online throttled (rate-limited API) — 10 guesses/hr
- Online unthrottled — 100 / sec
- Offline slow hash (bcrypt cost 12) — 10k / sec
- Offline fast hash (MD5 on GPU) — 100B / sec

A password that takes 3 years to crack offline-fast may take centuries against bcrypt. Context matters.

## The free API

Password Strength API — entropy + zxcvbn-style pattern analysis + 10k common-password corpus + crack time across all 6 scenarios. Free 100/day. Pro $14.99/mo unlimited.

```bash
curl 'https://api.lazy-mac.com/password/api/v1/check?password=Password123!'
# { entropy_bits: 42, score: 1, common: true, crack_time_offline_fast: '<1s' }
```

## Drop-in replacement

If you're using zxcvbn today, this API is a server-side drop-in with the same score semantics (0-4) plus the common-password corpus check that zxcvbn doesn't include by default.
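The entropy formula, the crack-time formula and the four attack models from the sections above, worked into runnable code. This is an added example, not the article's or the API's own code: the guess rates are the ones listed above, `COMMON_PASSWORDS` is a constructed stand-in for a breach corpus, and a corpus hit is costed at its list position instead of by entropy, which is why Password123! stays cheap even against a throttled login.

```typescript
// Added example: crack-time estimation across the article's attack models.
// Rates follow the article; the password list is a constructed stand-in corpus.
const GUESS_RATES = {
  online_throttled: 10 / 3600,        // 10 guesses per hour
  online_unthrottled: 100,            // 100 per second
  offline_slow_hash: 10_000,          // bcrypt cost 12
  offline_fast_hash: 100_000_000_000, // MD5 on a GPU
} as const;
type AttackModel = keyof typeof GUESS_RATES;
// Constructed corpus ordered by popularity: rank = index + 1.
const COMMON_PASSWORDS = ["123456", "password", "password123!", "qwerty"];
// Character classes the password draws from (26+26+10+32 = 94 printable ASCII).
function charsetSize(pw: string): number {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^A-Za-z0-9]/.test(pw)) size += 32;
  return size;
}
// entropy = length × log2(charset size); only meaningful for random choices.
function entropyBits(pw: string): number {
  return pw.length * Math.log2(charsetSize(pw));
}
// A corpus hit costs its list position; a random password costs half the
// keyspace on average (2^E / 2), which is the article's crack-time formula.
function guessesNeeded(pw: string): number {
  const rank = COMMON_PASSWORDS.indexOf(pw.toLowerCase());
  return rank >= 0 ? rank + 1 : Math.pow(2, entropyBits(pw)) / 2;
}
function crackSeconds(pw: string, model: AttackModel): number {
  return guessesNeeded(pw) / GUESS_RATES[model];
}
function humanTime(sec: number): string {
  if (sec < 1) return "<1s";
  const YEAR = 31_557_600;
  if (sec >= 100 * YEAR) return "centuries";
  const units: [string, number][] = [["y", YEAR], ["d", 86_400], ["h", 3_600], ["m", 60], ["s", 1]];
  const [label, span] = units.find(([, s]) => sec >= s)!;
  return `${Math.round(sec / span)}${label}`;
}
// Crack time under every attack model, keyed like the API response above.
function assess(pw: string): Record<AttackModel, string> {
  const out = {} as Record<AttackModel, string>;
  for (const model of Object.keys(GUESS_RATES) as AttackModel[]) {
    out[model] = humanTime(crackSeconds(pw, model));
  }
  return out;
}
```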

