Take the password Senha123!. It has everything they told you to use forever: an uppercase letter, a number and a symbol. Looks strong. And it cracks in about 10 seconds if the site's database leaks. Password1! is even worse: it cracks instantly. The truth is a little embarrassing: most of the “password rules” we learned don't measure security at all.
I wanted to see that with a number on it — and to have an honest way to explain to a client why “the password has a symbol” isn't an argument. So I built PassGuard.
Why doesn't password “complexity” equal security?
What makes a password hard to crack isn't a ! at the end — it's being unpredictable. That's measured in bits of entropy. And here's the first trap: the raw entropy math also lies when there's a human pattern.
- The complexity myth. Senha123! uses 4 character types over 9 positions — raw math says almost 60 bits, “strong”. But a real attack doesn't test character by character: it tests words + suffixes first. The real search space is far smaller.
- Patterns you don't even notice. Sequences (abcd, 1234), keyboard runs (qwerty), repetition (aaaa), a year at the end (2024) — each one drops the strength again.
- Same password, two fates. This is what almost nobody mentions: crack time depends on how the site stores your password. On a rate-limited login, Senha123! lasts “years”. But if the database leaks and the password was on a fast hash, it falls in seconds. And that's out of your control.
The solution: PassGuard, no fluff
PassGuard measures real entropy and discounts the human patterns that shrink the search space — so Senha123! drops from “almost strong” to Reasonable (41 bits), and the meter calls out the pattern. And the trick: it shows crack time across three scenarios — and reveals that this same “reasonable” password falls in ~10 seconds under a leak. That's the single number that fools you.
It's free, no signup, and runs 100% in the browser — your password is never sent anywhere and nothing is saved.
What does PassGuard measure and show?
- Entropy in bits + an honest meter. The score reflects real strength, patterns already discounted.
- What's weak. It names the pattern: “common word + suffix”, “sequence”, “keyboard”, “repetition”, “year”.
- Three attack speeds. The same password: rate-limited site (~1k guesses/s) · leak + GPU (fast hash, ~100 billion/s) · strong hash/bcrypt (~10k/s). That's where the difference shows.
- Actionable tips. What to add to level up, instantly.
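A small model of the calculation described above, as an added example (not PassGuard's code): raw charset entropy, the named patterns, and average crack time at the three quoted guess rates. The mini word list, the assumed 100k-word dictionary size and the flat 8-bit penalty are illustrative assumptions, so its score does not reproduce PassGuard's.

```javascript
// Added illustration, not PassGuard's source. Word list, dictionary size and
// penalty size are assumptions; the three guess rates are the ones quoted above.
const RATES = { rateLimited: 1e3, leakFastHash: 1e11, bcrypt: 1e4 }; // guesses/s
const COMMON = ["senha", "password", "admin"]; // constructed mini word list
const DICT_BITS = Math.log2(100000) + 1;       // assumed 100k words, +1 bit for capitalisation
const PENALTY_BITS = 8;                        // assumed flat discount per extra pattern
const SEQ = ["abcdefghijklmnopqrstuvwxyz", "0123456789"];
const KEYS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"];

// Raw charset entropy: length * log2(size of the character classes in use).
function rawBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 32;
  return pw.length * Math.log2(pool || 1);
}

// True if any n-character window of s lies inside one of the run strings.
function hasRun(s, runs, n = 4) {
  for (let i = 0; i + n <= s.length; i++)
    if (runs.some(r => r.includes(s.slice(i, i + n)))) return true;
  return false;
}

// Names the human patterns the meter calls out.
function findPatterns(pw) {
  const low = pw.toLowerCase(), found = [];
  if (COMMON.some(w => low.startsWith(w))) found.push("common word + suffix");
  if (hasRun(low, SEQ)) found.push("sequence");
  if (hasRun(low, KEYS)) found.push("keyboard");
  if (/(.)\1{3,}/.test(pw)) found.push("repetition");
  if (/(19|20)\d{2}$/.test(pw)) found.push("year");
  return found;
}

// Word + suffix is costed the way a dictionary attack searches it: one word from
// the list plus the raw entropy of the suffix. Other patterns cost a flat penalty.
function effectiveBits(pw) {
  const word = COMMON.find(w => pw.toLowerCase().startsWith(w));
  let bits = word ? DICT_BITS + rawBits(pw.slice(word.length)) : rawBits(pw);
  bits -= PENALTY_BITS * findPatterns(pw).filter(p => p !== "common word + suffix").length;
  return Math.max(0, Math.min(bits, rawBits(pw)));
}

// Average-case crack time in seconds: half the search space at the given rate.
const crackSeconds = (bits, rate) => 2 ** bits / 2 / rate;
```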
How to actually have strong passwords
The summary I'd give any client:
- Length > complexity. A long passphrase (4–5 random words) beats P@ssw0rd! easily — and is easier to remember.
- A password manager. One unique, huge password per site, nothing to memorize. So one site's leak doesn't take down all the others.
- 2FA wherever you can. Even if the password leaks, the second factor holds the door.
Password strength is one piece of a bigger picture — if you run a website, it's worth reading the website security guide too.
FAQ
Isn't a password with a number and a symbol strong? Not always. Unpredictability is what matters, not the rules — “Senha123!” has a symbol and cracks in seconds.
How does it calculate? Charset entropy minus human patterns (word+suffix, sequence, keyboard, repetition, year) + crack time at 3 speeds.
Is it safe to type my password? Yes, it runs 100% in the browser (nothing sent or saved); still, test with a similar password.
Best way to have strong passwords? Long passphrases + a manager (one per site) + 2FA. Length beats complexity.