Password Strength Checker — How Strong Is Your Password?

Why Password Strength Matters More Than Ever

Billions of username/password pairs from data breaches are publicly available. Attackers do not need to crack your password if it appeared in a previous breach — they simply look it up in a credential database and try it on every other site you use. Even passwords that have never been breached are at risk from offline attacks: when an attacker obtains a hashed password database, modern GPUs can test tens of billions of guesses per second.

Password strength is not about meeting arbitrary complexity requirements. It is about having enough entropy that brute-force and dictionary attacks are computationally infeasible. The password strength checker calculates that entropy directly and translates it into a crack time estimate you can actually reason about.

How Password Strength Is Measured

The checker evaluates passwords across two dimensions: mathematical entropy and pattern analysis.

Entropy

Entropy measures how many possible passwords an attacker must search. The formula is: entropy = length × log₂(charset size). Charset size grows with each character type added:

A 12-character password using all four types has approximately 78 bits of entropy. At 10 billion guesses per second, exhausting 2^78 possibilities would take around 950 million years. In practice, attackers never reach exhaustion — they use dictionaries, rules, and probability models that crack predictable patterns far sooner. This is why pattern analysis matters alongside entropy.

Pattern Analysis

The checker tests for patterns that reduce the practical security of a password below what its entropy suggests:

• Common passwords — any password appearing in major breach datasets is tested first, regardless of its entropy.
• Repeated characters — three or more consecutive identical characters (aaa, 111) are easy targets for rule-based crackers.
• Sequential patterns — keyboard walks (qwerty, asdf) and numeric sequences (123, 456) are in every cracker's default ruleset.
• Character substitutions — replacing letters with similar-looking numbers (3 for e, 0 for o) is one of the first mutations applied.

What Each Strength Level Means

Building Stronger Passwords

Length Is the Biggest Lever

Each additional character multiplies the search space by the charset size. Going from 8 to 12 characters on a lowercase-only password adds 4 × 4.7 = 18.8 bits of entropy — equivalent to adding an entire character type. If you can only change one thing, make your passwords longer. Aim for 12 characters minimum; 16+ for important accounts.

Passphrases Balance Strength and Memorability

Four or more random words — like "timber-lantern-frozen-desk" — produce high entropy while remaining memorable. Each word adds approximately 11 bits of entropy (assuming a 2048-word dictionary), so four words gives 44 bits from word selection alone, plus positional entropy from how many words there are. NIST SP 800-63B explicitly endorses passphrases as a strong, user-friendly alternative to complex short passwords.

Use a Password Manager

The only sustainable way to have a unique, strong password on every account is to let a password manager generate and store them. A generated 20-character password from a manager would score "Very Strong" in this checker and is impossible to remember — which is precisely the point. Pair it with TOTP-based 2FA for accounts that support it, so a stolen password alone cannot grant access.

Check Breach Exposure

A technically strong password that appeared in a previous breach is effectively compromised. Services like Have I Been Pwned (haveibeenpwned.com) let you check a password against known breach datasets using a k-anonymity model — only the first 5 characters of the SHA-1 hash are transmitted, so the actual password is never exposed.

Common Questions

Is the password I type into this tool safe?

Yes. The password strength checker runs entirely in your browser. No network request is made when you type — the analysis happens locally in JavaScript using only your device's memory. The password is not stored, logged, or transmitted anywhere.

Does complexity matter as much as length?

Both matter, but length has a larger effect per unit of effort. A 16-character all-lowercase password has more raw entropy than an 8-character password using all four character types. However, adding character types also defends against dictionary and rule-based attacks that target predictable patterns. The optimal approach is both: long and mixed.

Why do some sites require special characters but reject certain ones?

Many password policies are based on outdated guidance (NIST SP 800-63B has since been updated to discourage arbitrary complexity rules in favour of length). Sites that reject certain special characters often do so to avoid SQL injection or HTML injection bugs in their own password handling — a sign of poor security practice on their end, not a meaningful security control.

What is the strongest type of password?

A long, random string generated by a cryptographically secure random number generator — like those produced by the password generator on this site. True randomness means no patterns for a cracker to exploit. A 20-character fully random password using all ASCII printable characters has ~131 bits of entropy — effectively uncrackable by any currently known technology.