Type a password to see its length, which character classes it uses, and its charset entropy in bits. The verdict is honest: it lowers the score when it spots a dictionary word, a date, a repeat, or a keyboard walk, because the raw math is an upper bound, not a promise.
A password's charset entropy is a tidy number: count the size of the character pool it draws from, take the base two logarithm, and multiply by the length. Each bit doubles the search space, so the figure feels like a hard measure of safety. It is not. That formula only holds if every character was chosen at random. A real attacker never guesses at random. They start with leaked password lists, then run dictionaries, then apply rules that try a capital first letter, a trailing year, and the obvious letter to number swaps. Against that, Summer2024! looks like four character classes and a healthy bit count, yet it is a word, a year, and a symbol in the single most predictable order there is, so it falls far faster than the math claims.
That is the whole reason this tool reports entropy and then second guesses it. The bit count is shown as an upper bound on strength. The verdict on top of it drops when a dictionary word, a date, a repeat, or a keyboard walk like qwerty shows up, because each of those collapses the real search space an attacker has to cover.
Adding one more character to a password helps more than swapping a letter for a symbol. Length multiplies the search space for every position, while a single clever substitution adds almost nothing once an attacker's rule set knows the trick. This is why a long passphrase of several unrelated words can be both stronger and easier to remember than a short string of mixed symbols. Four random common words sit in a search space so large that brute force is hopeless, and you can actually recall it. The mistake is choosing related words or a quote, which a dictionary phase guesses cheaply.
The strongest single password still fails you if you use it twice. When any one site leaks its stored passwords, attackers replay those exact credentials against every other service, a move called credential stuffing. One reused password turns a single breach into access to your email, your bank, and everything tied to them. Uniqueness per account is what contains the blast radius, and it is the property humans are worst at maintaining by hand. The relationship between proving who you are and what you are allowed to do is covered in our note on authentication versus authorization.
A password manager generates a long random unique password for every account and remembers all of them, so you never reuse, never pick a word, and never have to invent entropy in your head. That single habit defeats both dictionary guessing and credential stuffing at once, which is more than any rule about symbols can do. Pair it with a strong passphrase for the vault itself and multi factor authentication on the accounts that matter. For how these access decisions fit the wider picture, see our access control writing and the web security glossary.
The strength label runs from Very weak to Very strong. It starts from the charset entropy, then applies penalties for the patterns that make a password guessable in practice, so a dictionary or pattern hit can hold a high bit count well below Strong. The crack time figure is a rough illustration only, computed under one stated assumption about offline fast hash guessing, not a promise about any real attacker. Reasoning about whether a credential is actually safe in context, rather than pattern matching one string, is the kind of judgment an AI security testing approach brings, and it sits inside the broader subject of web application security.