Password Strength Calculator
Most of the password security metrics out there are either overly simplified or make too many assumptions. This web app explicitly calculates how many trials would be needed in a trial-and-error (brute force) attack to crack a password. The reported result is a range, which is more realistic than reporting a single value.

If you don't trust this website (and you shouldn't trust any website that randomly or unexpectedly asks for a password), here is how the algorithm works:

1. Determine the highest ASCII value and the lowest ASCII value in the password. The numerical difference between these two will be referred to as the "ASCII range". For example, if the password is "abcde", the lowest ASCII value would be 97 ('a' = 0x61 = 97) and the highest ASCII value would be 101 ('e' = 0x65 = 101), so the range would be 101 - 97 = 4. If a single character is entered, this value is assumed to be 95.

2. Calculate the minimum number of trials and the maximum number of trials needed to crack the password. The minimum number of trials is calculated by evaluating a sum where each term is equal to ("ASCII range" + 1) (from Step 1) raised to the power of i, where i is the term number in the sum. For the minimum number of trials, the sum runs from i = 1 to i = L - 1, where L is the number of characters in the password. For the maximum number of trials, the sum runs from i = 1 to i = L, where L is again the number of characters in the password. Using the example above (abcde): min = (4+1)^1 + (4+1)^2 + (4+1)^3 + (4+1)^4 + 1 = 781, and max = (4+1)^1 + (4+1)^2 + (4+1)^3 + (4+1)^4 + (4+1)^5 = 3905. A 1 is added to the minimum number of trials because passwords are usually hashed, so a brute force algorithm can theoretically crack a password when it tries something with the same number of characters, or if it gets extremely lucky with that first guess.

3. The minimum time is calculated by dividing the minimum number of trials by the trial rate (how many trials a computer can run per second). The maximum time is calculated by dividing the maximum number of trials by the same trial rate. The value of 5,000,000,000 used on this website comes from the current upper echelon (as of 2023) for desktop computers.

A Python script that runs this algorithm can be downloaded by clicking here.
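The three steps can also be checked locally without entering a password anywhere. The following is an added example written from the description above, not the site's downloadable script; the function names and sample inputs are assumptions made for illustration.

```python
# Added example: Steps 1-3 as described on this page (not the site's own script).
TRIAL_RATE = 5_000_000_000  # trials per second, the page's 2023 desktop figure


def ascii_range(password: str) -> int:
    """Step 1: highest minus lowest character value (95 for one character)."""
    if not password:
        raise ValueError("password must not be empty")
    if len(password) == 1:
        return 95  # the page's stated assumption for a single character
    codes = [ord(c) for c in password]  # ord() is the ASCII value for ASCII input
    return max(codes) - min(codes)


def trial_bounds(password: str) -> tuple[int, int]:
    """Step 2: (minimum, maximum) number of brute-force trials."""
    base = ascii_range(password) + 1
    length = len(password)
    # Sum over i = 1 .. L-1, plus the 1 the page adds for a lucky first guess.
    minimum = sum(base ** i for i in range(1, length)) + 1
    # Sum over i = 1 .. L.
    maximum = sum(base ** i for i in range(1, length + 1))
    return minimum, maximum


def time_bounds(password: str, rate: int = TRIAL_RATE) -> tuple[float, float]:
    """Step 3: (minimum, maximum) seconds at `rate` trials per second."""
    minimum, maximum = trial_bounds(password)
    # Float division; would overflow only for passwords well over 100 characters.
    return minimum / rate, maximum / rate


if __name__ == "__main__":
    # Constructed sample inputs. "aaaa" has an ASCII range of 0, so following
    # the steps as written gives a base of 1 and only a handful of trials.
    for sample in ("abcde", "z", "aaaa", "Tr0ub4dor&3"):
        lo, hi = trial_bounds(sample)
        t_lo, t_hi = time_bounds(sample)
        print(f"{sample!r}: {lo:,} to {hi:,} trials, {t_lo:.3g} to {t_hi:.3g} s")
```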

NOTE: This algorithm does not consider common passwords like "1234", "password", or "abc", which can be cracked instantly if an attacker simply cycles through a list of common passwords.