Password Strength Educational Heuristic
Do not enter an actual password. Describe only its length and broad characteristics. This page explains oc-password-heuristic-v1, an OverCalculator educational score; NIST does not define or endorse it, and a high result is not a security guarantee.
Entries and scoring rules
Enter an integer length from 1 to 128. The starting description is 14 characters with uppercase, lowercase, numbers, and special characters selected, and all four pattern flags off.
Length contributes 40 points at 16+, 30 at 12–15, 15 at 8–11, and 0 below 8. Each selected character class contributes 10 points. Common patterns subtract 20; repeated, sequential, and keyboard patterns each subtract 10.
The selected pools contain 26 lowercase, 26 uppercase, 10 numeric, and 33 special characters. Under a uniform-random assumption:
The score adds the smaller of 20 or the whole-number result of bits divided by 4, then is limited to 0–100. The crack-time label uses 2^bits/10^10 seconds as an offline toy scenario.
For the starting description, pool size is $26+26+10+33=95$ and the estimate is 14 log₂(95)≈92.0 bits. Length gives 30 points, the four classes give 40, and the capped search-space addition gives 20, for 90/100 and “Centuries or more.” A one-character description with all four classes selected gives 41/100 yet “Under one day,” illustrating why the score and toy time label answer different arithmetic questions.
Interpretation and action checklist
- Human-chosen text and known patterns violate the uniform-random model.
- Hash design, hardware, dictionaries, rate limits, and compromised-password data can radically change guessing outcomes.
- Do not use this score to certify a credential or compare two real secrets.
- Use a password manager where appropriate and check the service’s actual requirements.
- Follow verifier guidance on sufficient length and blocking common or compromised values rather than treating mandatory character mixtures as proof of strength.
The next task is to create or store a credential through a trusted password manager or service workflow—not to paste it into this educational tool.
Source
- NIST, SP 800-63B-4 final (2025), section 3.1.1.2 — US federal password-verifier guidance; it does not define or endorse this calculator’s score.