Skip to content
OverCalculator
  1. Home
  2. Personal Measurements
  3. Password Strength Educational Heuristic
Personal Measurements

Password Strength Educational Heuristic

Explore the named oc-password-heuristic-v1 score, uniform-random search-space estimate, and offline toy crack-rate scenario.

Published

Estimated strength
Very Strong
90/100
Very Strong
Estimated time to crack
Centuries or more
Estimated entropy
92.0 bits
Strengths found
5 strengths
Weaknesses found
0 weaknesses
Strengths
Strength
Good length (12+ characters)
Strength
Heuristic marks uppercase present
Strength
Heuristic marks lowercase present
Strength
Heuristic marks numbers present
Strength
Heuristic marks special characters present
Weaknesses
Suggestions

OverCalculator educational heuristic (oc-password-heuristic-v1); NIST does not define or endorse this score. Entropy assumes uniform-random draws from the selected pools. Crack time is an offline toy scenario at 10^10 guesses/s.

Estimate strength without entering the actual password.
characters

Results update as you type.

Password Strength Educational Heuristic

Do not enter an actual password. Describe only its length and broad characteristics. This page explains oc-password-heuristic-v1, an OverCalculator educational score; NIST does not define or endorse it, and a high result is not a security guarantee.

Entries and scoring rules

Enter an integer length from 1 to 128. The starting description is 14 characters with uppercase, lowercase, numbers, and special characters selected, and all four pattern flags off.

Length contributes 40 points at 16+, 30 at 12–15, 15 at 8–11, and 0 below 8. Each selected character class contributes 10 points. Common patterns subtract 20; repeated, sequential, and keyboard patterns each subtract 10.

The selected pools contain 26 lowercase, 26 uppercase, 10 numeric, and 33 special characters. Under a uniform-random assumption:

search-space bits=length×log2(selected pool size)\text{search-space bits}=\text{length}\times\log_2(\text{selected pool size})

The score adds the smaller of 20 or the whole-number result of bits divided by 4, then is limited to 0–100. The crack-time label uses 2^bits/10^10 seconds as an offline toy scenario.

For the starting description, pool size is $26+26+10+33=95$ and the estimate is 14 log₂(95)≈92.0 bits. Length gives 30 points, the four classes give 40, and the capped search-space addition gives 20, for 90/100 and “Centuries or more.” A one-character description with all four classes selected gives 41/100 yet “Under one day,” illustrating why the score and toy time label answer different arithmetic questions.

Interpretation and action checklist

  • Human-chosen text and known patterns violate the uniform-random model.
  • Hash design, hardware, dictionaries, rate limits, and compromised-password data can radically change guessing outcomes.
  • Do not use this score to certify a credential or compare two real secrets.
  • Use a password manager where appropriate and check the service’s actual requirements.
  • Follow verifier guidance on sufficient length and blocking common or compromised values rather than treating mandatory character mixtures as proof of strength.

The next task is to create or store a credential through a trusted password manager or service workflow—not to paste it into this educational tool.

Source

Frequently asked questions

Does NIST define this score?
No. This is the OverCalculator educational heuristic oc-password-heuristic-v1; NIST does not define or endorse this score.
What does entropy mean here?
It is a uniform-random search-space estimate under selected character-pool assumptions; human-chosen text and known patterns violate this model.
What does crack time mean?
It is an offline toy scenario at 10^10 guesses/s; hash, hardware, dictionaries, rate limits, and compromise data can change results.

Related calculators

Password Strength Educational Heuristic updated at