Still, without performing password-penetration tests against them, I have a hard time demonstrating to clients how weak mere six- to eight-character passwords really are. I enjoy performing these tests (usually I'm able to break most passwords in under three days, if not in hours), but my contract often prevents me from attempting them. Thus, I decided the next best thing was to create a spreadsheet-based calculator in which you can key in your current password policy and see how your passwords might hold up against the number of guesses an attacker can make in a given minute. Download the spreadsheet.
Cracking open passwords
As far as I know, this is the only password calculator that shows the success rate of real-world password-guessing attacks. A password's pure strength lies in its length, the number of possible characters or symbols it can be drawn from (called the character set), and the randomness of character selection. To determine the number of possible passwords for a given length and character set, raise the size of the character set to the power of the password length (characters^length). The result is the total number of possible passwords, or password space.
However, this theoretical number assumes that users draw uniformly from all possible password choices (called perfect randomization). That is usually a terrible assumption unless a good random generator creates the password for the user. Most users pick passwords that contain parts of, if not complete, words and names from their language. In fact, for a large majority of users, portions of the password can be predicted with good accuracy by an average password guesser.
Most professional password guessers know there is a 50 percent chance that a user's password will contain one or more vowels. If it contains a number, it will usually be a 1 or a 2, and it will be at the end. If it contains a capital letter, it will be at the beginning, followed by a vowel. The average person has a working vocabulary of 50,000 to 150,000 words, and those words are likely to show up in the password. Women are famous for using personal names in their passwords, and men opt for their hobbies. "Tigergolf" is not as unique as CEOs think. Even if you use a symbol, an attacker knows which ones are most likely to appear: ~, !, @, #, $, %, &, and ?.
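The two ideas above, the theoretical password space (characters^length) and the much smaller space an attacker searches once users follow predictable patterns, can be put side by side in a small calculator. The following Python is an added example written for this page; it is not the author's spreadsheet. The exact positional order of the pattern (capital first, vowel second, lowercase filler, a 1 or 2, then one of the eight common symbols) and the guess rate used in the demonstration are assumptions made for the example, not figures from the column.

```python
"""Password-space calculator in the spirit of the column's spreadsheet.

Added example, not the author's spreadsheet. It answers two questions:
how large the theoretical space for a policy is (charset ** length), and
how much of that space an attacker actually has to search when users
follow the habits the column lists. Every guess rate is a parameter you
supply; no rate below is quoted from the column.
"""
from math import log2

# Character-class sizes for printable ASCII.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 95

# Narrowed classes taken from the column's observations about real users.
VOWELS = 5            # "a capital letter ... followed by a vowel"
TOP_DIGITS = 2        # "usually a 1 or a 2, and it will be at the end"
COMMON_SYMBOLS = 8    # ~ ! @ # $ % & ?


def keyspace(charset_size: int, length: int) -> int:
    """Theoretical number of passwords of exactly `length` characters."""
    return charset_size ** length


def cumulative_keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Passwords from min_len to max_len characters; guessers exhaust short lengths first."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def predictable_mask(length: int) -> list[int]:
    """Per-position choice counts for the pattern the column describes.

    Position order (capital, vowel, lowercase filler, 1-or-2, common symbol)
    is an assumption made for this example.
    """
    if length < 4:
        raise ValueError("mask needs at least 4 positions")
    return [UPPER, VOWELS] + [LOWER] * (length - 4) + [TOP_DIGITS, COMMON_SYMBOLS]


def mask_keyspace(mask: list[int]) -> int:
    """Number of candidates an attacker enumerates for a positional mask."""
    total = 1
    for choices in mask:
        total *= choices
    return total


def word_pair_keyspace(vocabulary: int) -> int:
    """Two dictionary words glued together ("tigergolf"), no separator."""
    return vocabulary ** 2


def bits(space: int) -> float:
    """Entropy-equivalent size of a search space in bits."""
    return log2(space)


def days_to_exhaust(space: int, guesses_per_minute: float) -> float:
    """Worst case for the attacker: every candidate tried once."""
    return space / guesses_per_minute / (60 * 24)


def days_to_half(space: int, guesses_per_minute: float) -> float:
    """Expected time to hit a uniformly chosen password (half the space)."""
    return days_to_exhaust(space, guesses_per_minute) / 2


def compare_policy(length: int, guesses_per_minute: float) -> dict:
    """Theoretical vs. pattern-reduced space for a complexity policy of `length` chars."""
    full = keyspace(FULL_PRINTABLE, length)
    patterned = mask_keyspace(predictable_mask(length))
    return {
        "theoretical_space": full,
        "theoretical_bits": bits(full),
        "theoretical_days_to_exhaust": days_to_exhaust(full, guesses_per_minute),
        "patterned_space": patterned,
        "patterned_bits": bits(patterned),
        "patterned_days_to_exhaust": days_to_exhaust(patterned, guesses_per_minute),
        "reduction_factor": full // patterned,
    }


if __name__ == "__main__":
    # Assumed guess rate for illustration only; offline attacks on fast hashes run far higher.
    RATE = 60_000_000  # guesses per minute
    for length in (6, 8):
        r = compare_policy(length, RATE)
        print(f"{length} chars, 95-char set: {r['theoretical_space']:,} "
              f"({r['theoretical_bits']:.1f} bits), {r['theoretical_days_to_exhaust']:,.1f} days")
        print(f"{length} chars, patterned  : {r['patterned_space']:,} "
              f"({r['patterned_bits']:.1f} bits), {r['patterned_days_to_exhaust']:.4f} days, "
              f"{r['reduction_factor']:,}x smaller")
    vocab = 100_000
    print(f"two-word passwords from a {vocab:,}-word vocabulary: "
          f"{word_pair_keyspace(vocab):,} candidates, "
          f"{days_to_exhaust(word_pair_keyspace(vocab), RATE):.2f} days")
```

Run it as a script to see the comparison for six- and eight-character policies; change `RATE` to the guess rate your own environment allows (online lockout-limited versus offline hash cracking differ by many orders of magnitude) and the mask to whatever patterns your own audits turn up. The point of `compare_policy` is the `reduction_factor`: an eight-character "complex" policy looks like 95^8 candidates on paper, but the patterned mask has only 26 * 5 * 26^4 * 2 * 8 candidates, millions of times fewer.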