Security Tool

Password Strength Checker

Test any password instantly. See entropy, estimated crack time, and what to fix — everything runs in your browser, nothing is ever sent anywhere.

Home / Tools / Password Strength Checker

Your password never leaves your device — analysis is 100% client-side.

Strength
Length
Entropy (bits)
Est. Crack Time

Character Analysis

Lowercase letters (a–z) 0
Uppercase letters (A–Z) 0
Numbers (0–9) 0
Symbols (!@#$%…) 0
No repeated patterns
No sequential runs (abc, 123)

Recommendations

Start typing to see personalised recommendations.

Understanding Password Strength

What Does "Entropy" Mean?

Entropy measures how unpredictable your password is — expressed in bits. Each bit doubles the number of possible combinations an attacker must try. A password with 60 bits of entropy has over a quintillion possible values. At 80+ bits, brute-force attacks become computationally infeasible with modern hardware. Our checker calculates entropy based on your actual character set size multiplied by password length.

How Crack Time Is Estimated

Crack time is estimated assuming an attacker using a modern GPU rig capable of billions of hash checks per second — a realistic threat model for leaked credential databases. The estimate assumes random guessing (brute force). Dictionary attacks against common words or patterns are faster, which is why using real words, names, or keyboard walks dramatically lowers your effective strength even at longer lengths.

Why Patterns Weaken Passwords

Sequential runs like abc, 123, or qwerty and repeated characters like aaa are among the first patterns attackers test. Many hacking dictionaries include thousands of common patterns and their variants. Even a technically long password like password123! scores poorly because it follows a predictable structure that appears in breach databases.

Length vs. Complexity

Length wins in the long run. A 20-character lowercase-only password has more entropy than a 10-character password using every character type. The ideal approach combines both: 16+ characters drawn from uppercase, lowercase, numbers, and symbols gives you the strongest possible result. For passwords you need to type manually, a 4–5 word passphrase achieves high entropy while remaining memorable.

Frequently Asked Questions

No. All analysis runs entirely inside your browser using JavaScript. Your password is never transmitted to any server, logged, or stored in any form. You can verify this by disconnecting from the internet and retesting — the tool works completely offline once the page is loaded.
For everyday accounts, aim for "Strong" (60+ bits of entropy, 12+ characters with mixed types). For high-value accounts like email, banking, and password managers, target "Very Strong" (80+ bits, 16+ characters). Anything rated "Weak" or "Fair" should be replaced before it appears in a data breach.
Length alone isn't enough if the password uses a predictable structure. Passwords made from real words, keyboard patterns (like qwerty or zxcvbn), repeated characters, or common substitutions (3 for E, @ for A) are detected and penalised. True strength requires genuine randomness across a wide character set — which is exactly what a password generator provides.
Yes — the checker is fully client-side and safe to use with real passwords. That said, if any account is already secured with a password you've used for a long time, consider running it through Have I Been Pwned to check if it has appeared in a known data breach, regardless of its strength score.
Crack time is estimated using a brute-force model that assumes 10 billion guesses per second — representative of a modern GPU password-cracking rig. The formula is: (character set size ^ password length) / guesses per second. The result is a conservative estimate; targeted attacks using dictionaries or leaked databases can be faster against non-random passwords.