PublicSoftTools
Tools16 min read·PublicSoftTools Team·May 2026

Password Strength Checker — Test Your Password Security

Not all passwords are created equal. "P@ssw0rd" meets most complexity requirements but appears in every attacker's dictionary. A 16-character random lowercase string is more secure despite containing no symbols. The free password strength checker on PublicSoftTools analyses your password for length, character diversity, dictionary words, patterns, and estimated crack time — all processed locally in your browser. Your password is never sent to a server.

How to Use the Password Strength Checker

  1. Open the password strength checker.
  2. Type or paste a password into the input field. The analysis runs instantly as you type.
  3. Results show: overall strength rating (Weak / Fair / Good / Strong / Very Strong), estimated crack time, entropy in bits, and specific weaknesses detected.
  4. The checker flags: dictionary words, keyboard patterns, personal-looking patterns, length issues, and missing character types.
  5. Use the feedback to improve the password, or switch to the password generator to create a strong random one.

What Makes a Password Strong

FactorImpact on strengthExplanationThreshold
LengthVery highEach additional character multiplies the search space. Going from 10 to 16 characters is more impactful than adding all character types.Minimum 12; recommended 16+; critical accounts 20+
Character set sizeHighLowercase only (26 chars) vs all printable ASCII (95 chars). More character types = larger search space per character.Include uppercase + lowercase + numbers + symbols for maximum strength
Dictionary wordsNegativeAttackers try dictionary words and common phrases first. "Password123!" appears in every wordlist despite meeting complexity rules.No complete dictionary words; use random character strings or random word passphrases
Keyboard patternsNegativeqwerty, asdfgh, 123456, and keyboard walks are in every attack dictionary regardless of how complex they look.No sequential keys, adjacent keys, or predictable keyboard paths
Personal informationNegativeName, birthdate, pet name, address — all findable via social media. Targeted attacks test these first.Zero personal information in any form
Leetspeak substitutionsLow to negativep@ssw0rd, pa$$word — these substitutions are in all modern attack dictionaries. They add negligible security.Substitutions count as weak unless truly random (not a → @ substitution)
UniquenessHigh (systemic)A strong password reused across sites means one breach compromises all. Uniqueness prevents credential stuffing.Every account has a unique password — use a password manager
Breach database appearanceCritical negativeIf your password has appeared in a data breach, it is in attacker wordlists. Even if it was strong, it is now compromised.Never use a password found in breach databases (have i been pwned)

How Attackers Crack Passwords

Attack methodHow it worksSpeedEffective against
Brute forceTry every possible combination of characters100 billion/second (GPU cluster)Against short passwords (≤8 characters); impractical above ~12 characters with full character set
Dictionary attackTry words from dictionaries and known password listsVery fast; billions/secondCommon words, names, and passwords from previous breaches; adds years to crack time if genuinely random
Hybrid attackDictionary words + rule-based transformations (append numbers, capitalise first letter, leetspeak)FastCovers Password1!, P@ssw0rd, and millions of similar variations that users think are clever
Credential stuffingUse username/password pairs from previous data breachesN/A (not cracking — direct login)Against reused passwords; 65%+ of breaches involve reused credentials
Rainbow tablePrecomputed hash-to-password lookupsInstant lookups (storage-intensive)Against unsalted hashes; modern systems use salted hashing which defeats rainbow tables entirely
Targeted guessingHuman attacker tries personal information: names, dates, pet names, addressesManual; hours to daysAgainst passwords containing personal information found via social media or OSINT

Entropy: The Mathematics of Password Strength

Password entropy measures the unpredictability of a password in bits. Higher entropy = more possible combinations = harder to crack. The formula:

Entropy (bits) = log₂(charset_size^length) = length × log₂(charset_size)

At 128 bits of entropy, brute-force cracking is computationally infeasible with current technology. The practical targets: 60+ bits for low-risk accounts; 80–100 bits for most accounts; 128+ bits for critical accounts (email, banking, password manager).

Important: entropy assumes a truly random password. Patterns and dictionary words dramatically reduce effective entropy even if the measured bit count looks high — "Password123!" has theoretical entropy around 70 bits but practical entropy of near zero because it appears in every attack list.

Crack Time Estimates

Crack time estimates are approximate and depend heavily on the attack scenario:

Password Strength vs. Memorability

There is a real tension between the strongest possible password and one you can actually remember. Strategies for resolving this:

Common Questions

Why does the checker say my complex password is weak?

Complexity rules (must have uppercase, number, symbol) are a poor proxy for security. A password like "Tr0ub4dor&3" has uppercase, numbers, and a symbol — but it's a word ("troubadour") with predictable substitutions, and it appeared in a famous xkcd comic illustrating this exact point. The checker measures actual unpredictability, not whether boxes are ticked. Dictionary words with substitutions are in every attacker wordlist; the checker correctly rates them as weak even when they pass complexity tests.

Is it safe to type my real password into this checker?

The checker runs entirely in your browser using JavaScript — your password is not transmitted to any server. You can verify this by checking your browser's network requests while typing (browser DevTools → Network tab). No requests are sent. That said, as a general security practice, avoid typing real passwords into third-party tools you have not audited. For testing purposes, type a variation or an approximate version of your password to test the pattern without exposing the exact credential.

What should I do if my password is rated as weak?

Use the password generator to create a strong replacement immediately, store it in your password manager, and update the account. If the weak password was used on multiple sites (password reuse), update it everywhere it was used — credential stuffing means one breach compromises all accounts sharing that password. Check whether your email address has appeared in known breaches via haveibeenpwned.com — if so, prioritise updating passwords for those affected services.

Check Your Password Strength

Instant analysis of length, entropy, patterns, and estimated crack time. Your password stays in your browser — never sent to a server.

Open Password Strength Checker