How Password Strength Meters Actually Work
Published June 2026 · 6 min read
You've seen them everywhere — password strength meters that display "Weak," "Medium," or "Strong" as you type. But how accurate are they? Why does one site show "Very Weak" for the same password that another site calls "Excellent"? And how can a password like "P@ssw0rd!" — which is cracked in under a second — sometimes get a green bar? Understanding what's happening under the hood will help you distinguish between meters you can trust and ones that give dangerous false confidence.
The Two Philosophies: Entropy vs. Pattern Detection
Every password strength meter falls into one of two camps (or tries to combine both):
Entropy-Based Meters
Entropy meters calculate strength purely from character composition. They count the password length, note which character sets are used (lowercase, uppercase, digits, symbols), and compute a theoretical entropy value: log₂(character_set_size ^ password_length). An 8-character password with uppercase, lowercase, and digits would have log₂(62⁸) = 47.6 bits of entropy.
The problem: entropy-based meters treat every character as equally unpredictable. "aaaaaaaa" and "qjxkzrwm" are both eight lowercase letters, so both get log₂(26⁸) = 37.6 bits, even though the first is among the earliest guesses of any cracking tool and the second is a genuinely random string. Worse, the model rewards ticking character-class boxes rather than being unpredictable: "Password1!" or "Qwerty123" use three or four classes and routinely earn a "Strong" rating, yet every cracking tool tries them within its first few thousand guesses.
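As an added example (my code, not PassGenerator's meter or any named product's), here is the composition-only meter just described, with bucket thresholds assumed for illustration. Running it shows the flaw directly: a random eight-letter string and "aaaaaaaa" tie, and both rate below "Qwerty123".

```javascript
// Added example, not PassGenerator's meter: a deliberately naive,
// composition-only strength meter of the kind criticised above.
// Strength is log2(alphabet_size ^ length) and nothing else.

// Printable-ASCII classes; the symbol count (33) is an assumption, meters vary.
const CHAR_CLASSES = [
  { name: "lower", re: /[a-z]/, size: 26 },
  { name: "upper", re: /[A-Z]/, size: 26 },
  { name: "digit", re: /[0-9]/, size: 10 },
  { name: "symbol", re: /[^a-zA-Z0-9]/, size: 33 },
];

// Which classes appear in the password (this is all the meter looks at).
function classesUsed(password) {
  return CHAR_CLASSES.filter((c) => c.re.test(password)).map((c) => c.name);
}

// Naive entropy in bits: length * log2(sum of the sizes of the classes present).
function naiveEntropyBits(password) {
  const used = new Set(classesUsed(password));
  const alphabet = CHAR_CLASSES.filter((c) => used.has(c.name))
    .reduce((sum, c) => sum + c.size, 0);
  return alphabet === 0 ? 0 : password.length * Math.log2(alphabet);
}

// Bucket thresholds are assumed for illustration; real meters pick their own.
function naiveRating(password) {
  const bits = naiveEntropyBits(password);
  if (bits < 28) return "Very Weak";
  if (bits < 40) return "Weak";
  if (bits < 50) return "Medium";
  return "Strong";
}

// The failure mode in one call: same length and classes, identical score,
// regardless of whether the string is a keyboard mash or a random draw.
function compare(a, b) {
  return {
    a: { password: a, bits: naiveEntropyBits(a), rating: naiveRating(a) },
    b: { password: b, bits: naiveEntropyBits(b), rating: naiveRating(b) },
    sameScore: naiveEntropyBits(a) === naiveEntropyBits(b),
  };
}

console.log(compare("aaaaaaaa", "qjxkzrwm"));
console.log(naiveRating("Qwerty123"), naiveRating("Password1!"));
```

Note that the random lowercase string is rated "Weak" while "Qwerty123" is "Strong": the meter is measuring the alphabet, not the password.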
Pattern-Detection Meters (zxcvbn and Friends)
The most popular advanced meter is zxcvbn, developed by Dropbox in 2012 and now widely adopted (it's used by Bitwarden, 1Password, and many others). Instead of naive entropy, zxcvbn simulates what a real attacker would do. It maintains:
- A ranked dictionary of common passwords, common words, and their common substitutions
- Pattern matchers for dates, repeated characters, keyboard walks (like "qwerty" or "1qaz2wsx"), sequences, and l33t speak
- A guess estimator that combines those matches into the number of guesses an attacker would need, then converts that number to a 0–4 score
When you type "P@ssw0rd!", zxcvbn sees the dictionary word "password" (one of the first two or three entries in every common-password list) with the "a" → "@" and "o" → "0" substitutions and a capitalised first letter, followed by a single trailing "!" that it costs as one brute-forced character. Each of those is a cheap, predictable transformation, so the estimate stays in the hundreds of guesses and the score is 0 or 1 out of 4. The naive entropy meter, by contrast, sees 9 characters spanning all four character classes and gives it a green bar.
Why Some Sites Show Green for 'password123'
There are three main reasons a meter might lie to you:
- Naive entropy calculation: The meter only counts character variety and length. "Password123" is 11 characters drawn from a 62-symbol alphabet (uppercase, lowercase, digits), which the naive model scores as log₂(62¹¹) ≈ 65 bits of "entropy". A real attacker tries it within the first few hundred guesses because it is in every cracking dictionary.
- No dictionary check: The meter doesn't compare the password against a list of known common passwords. If it did, it would flag "Password123" immediately.
- Business incentive: Some websites — particularly those with weak password policies — intentionally use generous meters to avoid frustrating users who want to use weak passwords. Overly strict meters can cause users to abandon signup, so some sites err on the side of "good enough" to reduce friction.
How zxcvbn Works Under the Hood
zxcvbn is a fascinating piece of security engineering. Here's the step-by-step process it follows:
- Dictionary matching: It checks every substring of the password against several ranked lists: tens of thousands of common passwords, English words (drawn from Wikipedia and from television and film scripts), and common first names and surnames. A match costs roughly its rank in the list.
- Substitution detection: It undoes common l33t maps (a→@ or 4, e→3, i→1 or !, l→1 or |, o→0, s→$ or 5, t→+ or 7) and re-checks the result against the dictionaries. Because a "1" might stand for "i", for "l", or for nothing, it tries the plausible subsets of substitutions rather than one fixed mapping; each substitution raises the cost of the match.
- Spatial matching: It detects keyboard walks over adjacent keys on QWERTY, Dvorak, and numeric-keypad layouts (like "1qaz2wsx"). Walks with few turns are cheap; each change of direction and each shifted key adds guesses.
- Repeat and sequence matching: It detects repeated characters (aaa), repeated blocks (abcabc), and ascending or descending runs of letters or digits (abcd, 9876).
- Date matching: It tests every substring of 4 to 8 characters as a date, with or without separators (1987, 01-01-2000, 1/1/87), since years and birthdays are among the most common password components.
- Minimum-guesses search: For every way of covering the password with these matches (any uncovered stretch counts as brute force), it totals the guesses needed and keeps the cheapest covering. In other words it assumes the smartest attacker rather than the most flattering segmentation. The original 2012 release expressed this as a minimum entropy; current versions work directly in guesses.
The result is an estimated number of guesses, which maps to a score:
- 0 (Too guessable): < 10³ guesses — risky passwords, might be cracked instantly
- 1 (Very guessable): < 10⁶ guesses
- 2 (Somewhat guessable): < 10⁸ guesses
- 3 (Safely unguessable): < 10¹⁰ guesses
- 4 (Very unguessable): ≥ 10¹⁰ guesses
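As an added example, here is a miniature estimator in zxcvbn's style (my code, not the zxcvbn library and not PassGenerator's), written to show the pipeline above end to end: a constructed ten-entry ranked dictionary, a constructed l33t table, repeat and sequence matchers, a brute-force fallback that costs 10 guesses per character as zxcvbn assumes, and a dynamic-programming search for the cheapest covering, mapped onto the score bands listed above. Keyboard walks, dates, and zxcvbn's ordering term for multi-match sequences are left out, so the guess numbers are illustrative rather than zxcvbn's own.

```javascript
// Added example in zxcvbn's style; not the zxcvbn library, not PassGenerator's code.
// Constructed ranked list: rank 1 is the most common. zxcvbn ships tens of thousands.
const RANKED = ["123456", "password", "qwerty", "letmein", "dragon",
  "monkey", "sunshine", "welcome", "admin", "iloveyou"];
const RANK = new Map(RANKED.map((w, i) => [w, i + 1]));

// Constructed l33t table: character -> the letter it usually stands for.
const L33T = { "@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s",
  "1": "i", "!": "i", "7": "t", "+": "t" };

const BRUTEFORCE_CARDINALITY = 10;  // guesses per brute-forced character (zxcvbn's value)

// Undo l33t substitutions; returns the plain word and how many were undone.
function unl33t(s) {
  let subs = 0;
  const word = [...s.toLowerCase()].map((ch) => {
    if (ch in L33T) { subs += 1; return L33T[ch]; }
    return ch;
  }).join("");
  return { word, subs };
}

// Capitalisation multiplier: first-letter and all-caps are cheap (x2);
// arbitrary mixed case costs 2 per capital letter.
function uppercaseCost(s) {
  const caps = [...s].filter((c) => c >= "A" && c <= "Z").length;
  if (caps === 0) return 1;
  const firstOnly = caps === 1 && s[0] >= "A" && s[0] <= "Z";
  return firstOnly || s === s.toUpperCase() ? 2 : 2 ** caps;
}

// Every substring of 3+ chars that is a ranked word, plainly or after un-l33ting.
// A match covers pw[i, j) and costs `guesses`.
function dictionaryMatches(pw) {
  const out = [];
  for (let i = 0; i < pw.length; i++) {
    for (let j = i + 3; j <= pw.length; j++) {
      const sub = pw.slice(i, j);
      let guesses = RANK.get(sub.toLowerCase()) || null;
      if (guesses === null) {
        const { word, subs } = unl33t(sub);
        const rank = RANK.get(word);
        if (rank) guesses = rank * 2 ** subs;  // each substitution roughly doubles the search
      }
      if (guesses !== null) out.push({ i, j, kind: "dictionary", guesses: guesses * uppercaseCost(sub) });
    }
  }
  return out;
}

// Runs of one repeated character (aaa) and ascending/descending runs (abc, 321).
function repeatAndSequenceMatches(pw) {
  const out = [];
  for (let i = 0; i < pw.length; i++) {
    for (let j = i + 3; j <= pw.length; j++) {
      const sub = pw.slice(i, j);
      const codes = [...sub].map((c) => c.charCodeAt(0));
      const deltas = codes.slice(1).map((c, k) => c - codes[k]);
      if (deltas.every((d) => d === 0)) {
        out.push({ i, j, kind: "repeat", guesses: BRUTEFORCE_CARDINALITY * sub.length });
      } else if (deltas.every((d) => d === 1) || deltas.every((d) => d === -1)) {
        // Obvious starting points (a, z, 0, 1, 9) are cheap; descending runs cost double.
        const base = "aAzZ019".includes(sub[0]) ? 4 : /[0-9]/.test(sub[0]) ? 10 : 26;
        out.push({ i, j, kind: "sequence", guesses: base * sub.length * (deltas[0] === 1 ? 1 : 2) });
      }
    }
  }
  return out;
}

// Cheapest way to cover pw[0, k) with matches; an uncovered stretch of n chars
// costs BRUTEFORCE_CARDINALITY ** n. Returns the total and the chosen segmentation.
function estimateGuesses(pw) {
  const matches = [...dictionaryMatches(pw), ...repeatAndSequenceMatches(pw)];
  const best = new Array(pw.length + 1).fill(Infinity);
  const via = new Array(pw.length + 1).fill(null);
  best[0] = 1;
  for (let k = 1; k <= pw.length; k++) {
    for (let i = 0; i < k; i++) {  // brute-force the stretch [i, k)
      const g = best[i] * BRUTEFORCE_CARDINALITY ** (k - i);
      if (g < best[k]) { best[k] = g; via[k] = { i, kind: "bruteforce" }; }
    }
    for (const m of matches) {  // or end with a detected pattern
      if (m.j !== k) continue;
      const g = best[m.i] * m.guesses;
      if (g < best[k]) { best[k] = g; via[k] = { i: m.i, kind: m.kind }; }
    }
  }
  const path = [];
  for (let k = pw.length; k > 0; k = via[k].i) path.unshift(`${via[k].kind}:${pw.slice(via[k].i, k)}`);
  return { guesses: best[pw.length], path };
}

// zxcvbn's 0-4 score bands as listed above: count the thresholds the estimate clears.
function score(guesses) {
  return [1e3, 1e6, 1e8, 1e10].filter((t) => guesses >= t).length;
}
```

With this estimator, "P@ssw0rd!" is segmented as the dictionary match "P@ssw0rd" (rank 2, doubled for the capital and doubled again per substitution) plus one brute-forced "!", about 160 guesses and a score of 0, while "xK9#mP2$" has no match at all and falls through to 10⁸ brute-force guesses. Real zxcvbn adds the matchers omitted here and a term for the number of ways an attacker could order the segments, so its absolute numbers differ, but the shape of the result is the same.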
Common Weaknesses in Password Meters
Even advanced meters like zxcvbn have limitations:
- No context awareness: No meter knows if you've reused this password on other sites, if it's been exposed in a data breach, or if it's your personal email password.
- No knowledge of your personal information: A meter can't know that "Fido1984" is your dog's name and birth year — information that an attacker with access to your social media would know to try.
- Static dictionary updates: New common passwords and cracking techniques emerge all the time. A meter's dictionaries must be regularly updated to stay relevant.
- False sense of security at high scores: A score of 4/4 doesn't mean the password is uncrackable; it means the estimator found no cheap pattern and the brute-force cost exceeds 10¹⁰ guesses. Offline cracking rigs already clear that bar in seconds against fast, unsalted hashes, and guessing keeps improving as hardware gets cheaper and guessers trained on breach corpora (Markov, probabilistic-grammar and neural models) learn structure that fixed matchers miss. Strength is always relative to the attacker's budget and to how the site hashes the password.
How PassGenerator's Strength Meter Differs
The PassGenerator strength meter combines zxcvbn-style pattern detection with additional checks:
- Breach database lookup: an optional check against known leaked passwords via the Have I Been Pwned Pwned Passwords API, using its k-anonymity range model. Only the first 5 hex characters of the password's SHA-1 hash are sent; the server returns every hash suffix in that range (hundreds of them) and the comparison happens locally, so neither the password nor its full hash leaves your device.
- Real-time entropy display — showing both pattern-based and naive entropy so you can see the difference.
- Character-set diversity scoring — flagging passwords that rely on only one or two character types.
- Keyboard-walk detection — catching adjacent-key patterns across multiple keyboard layouts.
But the most important feature is one no meter can give you: PassGenerator always generates passwords that score 4/4 on zxcvbn. When a good generator draws every character at random from a cryptographically secure source, at adequate length, there is no dictionary word, keyboard walk, or date for any matcher to find, so you don't need a meter at all: every password is strong by construction.