depends on what you believe

length beats complexity

so if you take length and the character set in consideration -> lets assume ascii for this example and only the letters in upper and lowercase.

you have 54 possibilities per position so based on the length it can be

54^8 = 7,230196134×10¹³ possibilities

54^4 = 8503056 possibilities

so the complexity idea is to increase the base by "special characters and numbers" which allows you to keep shorter passwords which are harder to bruteforce.

68^4 = 21381376 possibilities

as you see that increasing the base does make it harder, still it's safer to just write a password sentence like "inmyopinionilikebatmanmorethansuperman" which would be

54^38 = 6,775835802×10⁶⁵ possibilities

so basically you can take those ranges and define ranges like "0-4 chars weak" "5-8 chars medium" "5-8 chars plus one number and one specialcharacter safe enough" > "good password"

basically you first check the length > than the alphabet and if it's above a certain number of possibilities you say it's safe :) .....

i would recommend a lib for that :)

@chilimatic described the basics in great detail and lots of simple strength checkers work like that. You can improve the strength checker by

• adding password entropy calculations, which defines the password strength in bits
• adding a blacklist of passwords, which contains most-used passwords
• adding variety-checks, which do common transformations on the blacklisted passwords and add those to the blacklist (for example changing a to @)
• making sure the password does not contain the user name

In general, just think like a person who wants to crack into an account. What kind of stuff would you try?