The passive aggressive password strength meter

We’re all familiar with websites that try to help you choose a stronger password – grading it weak, average or strong.

Twitter password

By the way, they’re not always great judges of whether a password is really strong or not.

For instance, some password strength checkers consider any password with more than X number of characters to be strong, even if they are the same character repeated over-and-over again, or even if the password is 1234567890.

Sign up to our free newsletter.
Security news, advice, and tips.

And some of the password strength checkers built into websites won’t check if your password is an obvious common choice like passw0rd.

Hopefully, by now, you have recognised that it’s better to get a password management utility like 1Password, KeePass or LastPass to generate random, complex passwords for you… and then remember them securely, so you don’t have to.

If you have configured those tools properly, you should never again experience a website being rude about the quality of your password.

But, if you hanker for the old days, you might like this.

PaP is The Passive Aggressive Password Machine, a neat website created by New York-based web designers Tim Holman and Tobias van Schneider.

What I liked about PaP is its caustic collection of putdowns which will happily insult the quality of your passwords until the cows come home.

Passive aggressive password meter

Obviously, I don’t recommend entering your real passwords onto the site – but it is a bit of fun.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

7 comments on “The passive aggressive password strength meter”

  1. Sarah

    Well really – if they're going to make unkind comments about people's passwords, the least they can do is spell them correctly. I'm frankly disstressed, dissmayed, and more than a little disstraught.

    1. Graham CluleyGraham Cluley · in reply to Sarah

      What's extraordinary is that they were able to spell "passive aggressive" properly.

  2. Carson

    Glad to see Zaphod is alive and well and finally getting a Twitter account. Was about time.

    1. Graham CluleyGraham Cluley · in reply to Carson

      I think he just wants to reassure everyone he's okay, after that mix-up with Justin Bieber's car.

  3. Reeeee

    My passwords are TRASH

  4. none of your business

    this is an insult to my life and my soul

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.