Versions compared: zxcvbn 3.5 and zxcvbn 4.4.2

Each version reports: password, guesses, guesses_log2 (bits), guesses_log10, score, function runtime (ms), and a result for each attack speed (100 / hour, 10 / second, 10k / second, 10B / second).

Implementation of Dropbox's password strength estimator zxcvbn, comparing the old algorithm to the new one. I built this because I love zxcvbn, but I'm not a fan of the changes to calculating complexity. The checks are performed locally on your machine, and you can disconnect your internet connection, although I wouldn't blame you for not trusting it with your actual passwords.


Here are some rough guidelines for speeds of different attacks.

online attack on a service that rate-limits password auth attempts: 100 / hour

online attack on a service that doesn't rate-limit, or where an attacker has outsmarted rate limiting: 10 / second

offline attack, proper user-unique salting, and a slow hash function such as bcrypt, scrypt, or PBKDF2: 10k / second

offline attack with user-unique salting but a fast hash function like SHA-1, SHA-256 or MD5: 10B / second