Password Pattern Checker

Check if a password follows common patterns. Free online password pattern analyzer. No signup, 100% private, browser-based.

How it works

A password pattern checker analyzes a password's structure — not just its character set — to identify predictable patterns that reduce its practical entropy despite appearing complex. Passwords like "P@ssw0rd1!" score high on basic complexity checkers (uppercase, lowercase, digit, symbol) but have near-zero entropy because they follow well-known substitution patterns.

**What pattern analysis detects**

- Leet-speak substitutions: a→@, e→3, i→1, o→0, s→$ — all are in every dictionary attack wordlist.
- Common word bases with affixes: "password123!", "monkey2024", "Summer2023" — attackers use base-word lists with rule-based mutation.
- Keyboard patterns: "qwerty", "1234", "zxcvbn" — included in all modern cracking tools.
- Repeated characters: "aaaaaa", "111111" — minimal entropy.
- Date patterns: "01/15/1990", "19900115" — birthdate formats are systematically tried.
- Numeric suffixes: adding "1", "123", or the current year to a word is the most common user behavior and the first mutation rule applied.

**zxcvbn-style scoring** The Dropbox password strength estimator zxcvbn uses pattern matching (dictionary + date + sequence + repeat + keyboard) to estimate the number of guesses required, producing a score of 0–4. It catches patterns that naive complexity checkers miss. This tool applies similar heuristics.
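
The structural checks listed under "What pattern analysis detects", run beside a plain complexity rule, as an added JavaScript example (not this tool's code and not zxcvbn's). The word list, keyboard runs, leet map and all function names are assumptions made for the illustration.

```javascript
// Added example. BASE_WORDS, KEYBOARD_RUNS and LEET are constructed sample
// lists; a real estimator such as zxcvbn ships far larger dictionaries.
const BASE_WORDS = new Set(["password", "monkey", "summer", "dragon", "letmein"]);
const KEYBOARD_RUNS = ["qwerty", "asdfgh", "zxcvbn", "1234"];
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s" };

// The naive rule: length >= 8 with one character from each class.
function meetsComplexityRule(pw) {
  return pw.length >= 8 && /[a-z]/.test(pw) && /[A-Z]/.test(pw) &&
    /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Undo leet substitutions so "P@ssw0rd" compares equal to "password".
function deLeet(s) {
  return [...s.toLowerCase()].map((c) => LEET[c] || c).join("");
}

// Return the sorted list of structural patterns found in pw.
function detectPatterns(pw) {
  const found = new Set();
  const lower = pw.toLowerCase();
  if (/(.)\1{3,}/.test(pw)) found.add("repeat");
  if (KEYBOARD_RUNS.some((run) => lower.includes(run))) found.add("keyboard");
  // Dates written as MM/DD/YYYY (separator / . or -) or packed as YYYYMMDD.
  const separated = /\b\d{1,2}[\/.-]\d{1,2}[\/.-](19|20)\d{2}\b/;
  const packed = /(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])/;
  if (separated.test(pw) || packed.test(pw)) found.add("date");
  // Peel a digit/symbol suffix off the end one character at a time and
  // test what remains, plain and de-leeted, against the word list.
  for (let i = pw.length; i >= 4; i--) {
    const base = pw.slice(0, i), suffix = pw.slice(i);
    if (/[A-Za-z]/.test(suffix)) break; // a suffix may hold no letters
    const plain = BASE_WORDS.has(base.toLowerCase());
    if (plain || BASE_WORDS.has(deLeet(base))) {
      found.add("dictionary");
      if (!plain) found.add("leet");
      if (suffix) found.add("suffix");
      break;
    }
  }
  return [...found].sort();
}

// Sample inputs: passwords quoted on this page.
for (const pw of ["P@ssw0rd1!", "monkey2024", "19900115", "X7#kP2mQ9nR5"]) {
  console.log(pw, meetsComplexityRule(pw), detectPatterns(pw));
}
```

"P@ssw0rd1!" and "X7#kP2mQ9nR5" both satisfy the complexity rule; only the pattern pass tells them apart.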

**Practical guidance** A 4-word diceware passphrase (e.g., "correct horse battery staple") has more entropy than "P@$$w0rd2024" and is far easier to remember. Length beats complexity.

Frequently Asked Questions

**Why does 'P@ssw0rd1!' fail security checks despite meeting complexity requirements?**
Complexity requirements (uppercase + lowercase + digit + symbol) were designed to increase entropy, but they failed to account for predictable substitution patterns. 'P@ssw0rd1!' directly maps from 'Password1!' using the most common leet-speak substitutions (a→@, o→0) — all of which are in every password cracking dictionary and every rule set in tools like Hashcat. The pattern is so common that it is tried in the first few thousand attempts in any dictionary attack, before brute force even begins.

**What is zxcvbn and how does it score passwords?**
zxcvbn (Dropbox, 2012) is a password strength estimator that uses pattern matching rather than character set counting. It detects: dictionary words (English, names, common passwords), leet-speak mutations, keyboard patterns (qwerty, 12345), date patterns, repetition, and sequences. It estimates the number of guesses required and maps to a 0–4 score: 0 (too guessable, <1000 guesses), 1 (<1M), 2 (<100M), 3 (<10B), 4 (strong). zxcvbn is available as an npm package and is used by GitHub, Dropbox, and many others.

**How long should a password be to be truly secure?**
Against offline attacks (cracked hash with GPU): a random 12-character alphanumeric password (72 bits of entropy) provides strong security today. A 16-character random alphanumeric (95 bits) is computationally infeasible to crack with current technology. For passphrases: 4 random diceware words (51 bits) is adequate for most purposes; 6 words (77 bits) for high-security accounts. The critical factor is randomness — a 20-character password with a predictable pattern is weaker than a 12-character truly random one.

**What is the difference between a password manager's generated password and a diceware passphrase?**
A password manager generates a random string like 'X7#kP2mQ9nR5' — high entropy, impossible to remember without the manager. A diceware passphrase ('correct horse battery staple') is equally random (if generated by rolling physical dice) but human-memorizable. The entropy is comparable: 4 diceware words from a 7776-word list = log₂(7776^4) ≈ 51 bits; a 10-char random alphanumeric = ~60 bits. For master passwords you must memorize, diceware is preferable; for all other passwords, use a manager.