Your password looks fine. Here's what an attacker sees.

Strength meters tell you what you want to hear. This one tells you what your password is worth on a rented GPU. Type one you actually use — or one you're considering.

Local-only. Your input never leaves this page. No keystrokes are logged or transmitted.

How this works

We estimate how many guesses an attacker would need (entropy, adjusted for common patterns and known breach lists), then divide by how fast modern cracking hardware can test those guesses for each hash algorithm. Hashrates are from public Hashcat benchmarks on a single NVIDIA RTX 4090. The AWS cost assumes an attacker rents GPU time on the spot market.

None of this proves a password is safe. A password that takes a trillion years to crack is worthless if the site that stored it leaked the plaintext. The attacker's job isn't always to guess; sometimes they just read.
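The estimate described above, sketched as an added example (this is not the page's own code): a guess count from charset entropy, capped for one common pattern and short-circuited by a breach list, then divided by a per-algorithm hashrate. The hashrates, spot price, breach list, dictionary size and pattern rule are constructed placeholders, not the benchmark figures the page uses.

```javascript
// Constructed placeholder values: orders of magnitude only, not measured benchmarks.
const HASHRATES = { md5: 1e11, sha1: 3e10, bcrypt: 1e5 }; // guesses/second, one GPU
const SPOT_USD_PER_GPU_HOUR = 0.5;                        // hypothetical spot price
// Constructed stand-in for a ranked snapshot of leaked passwords (most common first).
const BREACH_LIST = ["123456", "password", "qwerty", "spring2025!"];

// Size of the alphabet an exhaustive search would have to cover.
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^A-Za-z0-9]/.test(pw)) n += 33; // printable ASCII punctuation plus space
  return n;
}

function estimateGuesses(pw) {
  if (pw.length === 0) return 0;
  // A listed password is found at its rank, whatever its apparent entropy.
  const rank = BREACH_LIST.indexOf(pw.toLowerCase());
  if (rank !== -1) return rank + 1;
  let bits = pw.length * Math.log2(charsetSize(pw));
  // Pattern adjustment: word + 1-4 digits + optional symbol is covered by
  // dictionary-plus-suffix guessing, so cap the estimate at that search space.
  const m = /^([A-Za-z]+)(\d{1,4})([^A-Za-z0-9]?)$/.exec(pw);
  if (m) {
    const patternBits = Math.log2(1e5)   // assumed 100,000-word dictionary
      + Math.log2(2)                     // capitalised or not
      + Math.log2(10 ** m[2].length)     // digit suffix
      + (m[3] ? Math.log2(33) : 0);      // trailing symbol
    bits = Math.min(bits, patternBits);
  }
  return 2 ** bits / 2;                  // average case: half the space
}

function crackEstimate(pw) {
  const guesses = estimateGuesses(pw);
  const byAlgorithm = {};
  for (const [algo, rate] of Object.entries(HASHRATES)) {
    const seconds = guesses / rate;
    byAlgorithm[algo] = { seconds, usd: (seconds / 3600) * SPOT_USD_PER_GPU_HOUR };
  }
  return { guesses, byAlgorithm };
}
```

With these placeholder rates, a word-plus-year password costs under a second of GPU time against MD5 and days against bcrypt, which is the gap the per-algorithm breakdown is meant to show.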

Breach check

Type a password above. We'll check it against a local snapshot of the most common leaked passwords.

Crack time by algorithm

Single-GPU estimates based on published Hashcat v6.2.6 benchmarks on an NVIDIA RTX 4090, scaled to AWS A10G spot rates. A serious attacker runs an 8×GPU rig — divide crack times by ~8 and multiply cost accordingly. Dedicated cracking services and state actors can go another one to two orders of magnitude faster.

What actually protects you

Password strength matters less than you think. Four things do more of the work than any character count:

  1. The site's hash algorithm. If they store with bcrypt, argon2, or scrypt, your medium-strength password might still be safe after a database dump. If they store with MD5 or SHA-1, even a strong one gets cracked overnight. You have zero control over this.
  2. Password reuse. One site leaks plaintext. Attackers try those credentials everywhere. This is how most account takeovers happen — not cracking, just typing.
  3. Multi-factor authentication. A password is one factor. Even a leaked one is useless against a working second factor. This is the single biggest thing you control.
  4. Password managers. Long, unique, random passwords per site are only practical with a manager. Trying to remember them is how we ended up with "Spring2025!" in the first place.

The password strength meter on most signup pages is security theater. The real question is whether the site owner did the work behind it. That's what you can't see — and what an assessment checks.

Your customers trust you with their passwords. Are you holding up your end?

Password storage is one of the easiest things to get wrong and one of the hardest to get caught on until it's too late. A SignumCyber assessment covers password storage, session management, and the 99 other things that turn a bad day into a breach-notification day.

Your app hashes with bcrypt. Probably.