
Password Strength Checker

Test password strength with breach checking, pattern detection, and smart suggestions.

How Password Strength Is Measured

Entropy

Entropy measures the randomness of a password in bits. Higher entropy means more possible combinations an attacker must try. A password with 80+ bits of entropy is considered very strong.

Breach Check

Uses the HaveIBeenPwned k-anonymity API. Only the first 5 characters of the SHA-1 hash are sent - your full password never leaves your browser.

Pattern Detection

Detects common passwords, keyboard patterns (qwerty, asdf), sequential characters, repeated characters, l33t-speak substitutions, and date patterns.
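The checks listed above, written out as an added example (this is not the tool's own detection code, and its keyboard rows, l33t map and seven-word common-password list are constructed stand-ins for the much larger lists a real checker ships with):

```python
import re

# Constructed, US-layout keyboard rows used to spot runs such as "qwerty" or "asdfg".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common l33t-speak substitutions, inverted so "P@ssw0rd" maps back to "password".
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}

# Tiny constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "admin", "iloveyou", "monkey", "dragon", "qwerty"}


def has_keyboard_pattern(pw: str, min_len: int = 4) -> bool:
    """True if any min_len-character run of a keyboard row (either direction) appears in pw."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_len] in s for i in range(len(seq) - min_len + 1)):
                return True
    return False


def has_sequential_chars(pw: str, min_len: int = 4) -> bool:
    """True for runs such as 'abcd' or '4321' whose code points step by exactly +1 or -1."""
    for i in range(len(pw) - min_len + 1):
        chunk = pw[i:i + min_len]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def has_repeated_chars(pw: str, min_len: int = 3) -> bool:
    """True if the same character occurs min_len or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (min_len - 1), pw) is not None


def unleet(pw: str) -> str:
    """Undo l33t substitutions so the result can be compared against a word list."""
    return "".join(LEET_MAP.get(c, c) for c in pw.lower())


DATE_RE = re.compile(
    r"(?:19|20)\d{2}"                                                          # four-digit year
    r"|(?:0[1-9]|[12]\d|3[01])[./-]?(?:0[1-9]|1[0-2])[./-]?(?:\d{4}|\d{2})"    # DDMMYY or DDMMYYYY
)


def has_date_pattern(pw: str) -> bool:
    return DATE_RE.search(pw) is not None


def detect_patterns(pw: str) -> list:
    """Return the names of every weakness detected, in a fixed order."""
    checks = [
        ("common", pw.lower() in COMMON_PASSWORDS),
        ("leet-common", unleet(pw) in COMMON_PASSWORDS and pw.lower() not in COMMON_PASSWORDS),
        ("keyboard", has_keyboard_pattern(pw)),
        ("sequential", has_sequential_chars(pw)),
        ("repeated", has_repeated_chars(pw)),
        ("date", has_date_pattern(pw)),
    ]
    return [name for name, hit in checks if hit]


if __name__ == "__main__":
    for candidate in ["qwerty", "P@ssw0rd", "aaaa1234", "Summer2026!", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {detect_patterns(candidate) or 'no patterns found'}")
```

Each detector is deliberately independent, so a checker can report all of them at once and subtract a penalty per hit from the naive entropy estimate rather than stopping at the first match.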

Strength Levels

Very Weak: under 30 bits
Weak: 30-50 bits
Fair: 50-70 bits
Strong: 70-90 bits
Very Strong: 90+ bits

What makes a password "strong" in 2026

Since NIST SP 800-63B (2017 guidance, updated 2024), the recommended password rules are simpler than what everyone was taught:

  • Length > complexity. A 20-char passphrase beats a 10-char random string. correct-horse-battery-staple (XKCD) has ~44 bits of entropy — good for most sites.
  • Skip mandatory rotation. NIST explicitly deprecated "change every 90 days" — it causes users to pick weak sequential passwords (Spring2026!, Summer2026!).
  • Skip character-class requirements. "Must contain uppercase + number + symbol" forces memorable passwords like Password1! — low entropy. Let users pick.
  • Do check breach databases. Integrate HaveIBeenPwned — reject passwords that have appeared in prior breaches. This is the single most important policy.
  • Enforce 2FA instead of password complexity — TOTP, WebAuthn, passkeys. Actual security, not theater.

Why entropy matters (and the math)

Entropy measures unpredictability in bits. Each bit doubles the brute-force time.

  • Fully random password: entropy = log₂(alphabet_size^length). A 12-char alphanumeric password = log₂(62^12) ≈ 71 bits. A GPU farm doing 10 billion SHA-256 attempts/second takes ~7 years to brute-force.
  • Dictionary word: entropy ≈ log₂(dictionary_size). English dictionary has ~40,000 common words = 15 bits. A 10-char word password = ~15 bits. Crackable in under a minute.
  • Passphrase of 4 random common words: 4 × 15 = 60 bits. Takes hours to weeks (slower on bcrypt, faster on raw hashes).
  • Password manager-generated 16-char random: ~95 bits. Brute force is infeasible.

Takeaway: use a password manager. Memorable passwords are weak; strong passwords are unmemorable. The resolution is generated-and-stored.

Frequently Asked Questions

What makes a strong password?

A strong password is at least 12 characters long, uses a mix of uppercase, lowercase, numbers, and symbols, and doesn't contain dictionary words or predictable patterns.

Is the HaveIBeenPwned check safe?

Yes. We use the k-anonymity model — only the first 5 characters of your password's SHA-1 hash are sent to the API. Your actual password never leaves your browser.
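The k-anonymity exchange described in the Breach Check section and in this answer, as an added example (not the tool's own browser code): the SHA-1 is split into the 5-character prefix that is sent and the 35-character suffix that stays local, and the returned range is searched locally. The URL and the `Add-Padding` header are the documented HaveIBeenPwned range API; the sample response body below is constructed, not captured from the service:

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the prefix that is sent and the suffix that is kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)  # padding entries carry count 0 and are harmless
    return counts


def breach_count_from_response(password: str, body: str) -> int:
    """Look the local suffix up in a range response; 0 means the password was not found."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Network call: only the 5-character hash prefix leaves the machine."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-checker-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str) -> int:
    """Live check; the password itself is never part of the request."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count_from_response(password, fetch_range(prefix))


# Constructed stand-in for a range response (real bodies hold hundreds of lines). The first
# suffix is the genuine SHA-1 tail of "password"; its count and the other two lines are made up.
SAMPLE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0\r\n"
)

if __name__ == "__main__":
    for pw in ["password", "correct-horse-battery-staple"]:
        print(f"{pw!r}: seen {breach_count_from_response(pw, SAMPLE_RESPONSE)} times in sample data")
```

The `Add-Padding: true` header asks the service to pad every response to a similar size with zero-count entries, so the response length does not leak which prefix range was fetched; the parser above tolerates those entries because a count of 0 is indistinguishable from "not found".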

What is a passphrase?

A passphrase is a sequence of random words (like "correct-horse-battery-staple") that's easier to remember than random characters but can be equally strong due to its length.

Copyright © 2026 BuildStudio. All rights reserved.

Designed and Developed by Webority Technologies
