Password Strength Checker – Frequently Asked Questions

The Password Strength Checker evaluates passwords using multiple independent signals, including entropy calculations, character composition, pattern detection, known breach intelligence, real-world attack modelling, and NIST SP 800-63 compliance checks. This provides a far more accurate assessment than simple length or character rules.

Entropy measures how unpredictable a password is. Higher entropy means more possible combinations an attacker must try, dramatically increasing the time required to crack the password. Entropy is calculated based on length and character diversity, but also adjusted for predictability caused by patterns or substitutions.

Length is one of the strongest contributors to password security, but it is not sufficient on its own. A long but predictable password can still be weak. Modern guidance, including NIST SP 800-63B, recommends prioritising length while also rejecting breached or predictable passwords.

Composition analysis evaluates whether a password contains lowercase letters, uppercase letters, digits, and symbols. While NIST no longer mandates composition rules, their presence increases entropy and resistance to brute-force attacks.

The tool detects repeated characters, sequential patterns, keyboard walks, and common substitutions such as replacing letters with numbers. These patterns significantly reduce effective entropy and make passwords easier to guess using specialised attack techniques.

Attackers explicitly model common substitutions. Replacing letters with visually similar symbols or numbers does not meaningfully increase security and is often flagged as predictable behaviour in password cracking tools.

Passwords are checked against known breach datasets using a privacy-preserving k-anonymity model provided by Have I Been Pwned. Only partial hashes are exchanged, ensuring the original password is never exposed or stored.

Have I Been Pwned is a widely trusted breach intelligence service that aggregates data from known breaches. Using it helps prevent users from reusing passwords that attackers already possess.

The tool simulates random brute-force attacks and dictionary-based attacks informed by known breach data. It estimates time-to-crack using realistic guesses-per-second values rather than theoretical limits.

This means that even with modern hardware and realistic attack models, the estimated time required to brute-force the password exceeds practical limits, often measured in many billions of years.

The overall risk combines entropy, breach exposure, detected patterns, and attack feasibility into a single classification. A password may have high entropy but still be high-risk if it has appeared in known breaches.

NIST SP 800-63 is a U.S. government standard defining digital identity and authentication security. It is widely adopted globally and emphasises length, breach checks, and usability over outdated complexity rules.

The tool checks minimum length requirements, verifies that the password has not appeared in known breaches, and confirms that no forbidden patterns are present. Composition rules are not required under NIST guidance.

The score is a simplified ranking derived from the full analysis. It is useful for UI display but should always be interpreted alongside warnings, risk level, and attack estimates.

No. Passwords are analysed in memory only and are never stored, logged, or persisted in any form by Velohost.

Yes. The API is designed for signup validation, password changes, audits, and automated security enforcement. It is suitable for production use when combined with proper hashing and storage practices.

No. This tool evaluates password strength before storage. Passwords must still be hashed using a secure algorithm such as Argon2, bcrypt, or scrypt before being stored.

No. While the tool aligns with widely accepted standards, organisations remain responsible for meeting their own regulatory and legal requirements.