Password Strength Checker — Test Your Password Security
Not all passwords are created equal. "P@ssw0rd" meets most complexity requirements but appears in every attacker's dictionary. A 16-character random lowercase string is more secure despite containing no symbols. The free password strength checker on PublicSoftTools analyses your password for length, character diversity, dictionary words, patterns, and estimated crack time — all processed locally in your browser. Your password is never sent to a server.
How to Use the Password Strength Checker
- Open the password strength checker.
- Type or paste a password into the input field. The analysis runs instantly as you type.
- Results show: overall strength rating (Weak / Fair / Good / Strong / Very Strong), estimated crack time, entropy in bits, and specific weaknesses detected.
- The checker flags: dictionary words, keyboard patterns, personal-looking patterns, length issues, and missing character types.
- Use the feedback to improve the password, or switch to the password generator to create a strong random one.
What Makes a Password Strong
| Factor | Impact on strength | Explanation | Threshold |
|---|---|---|---|
| Length | Very high | Each additional character multiplies the search space. Going from 10 to 16 characters is more impactful than adding all character types. | Minimum 12; recommended 16+; critical accounts 20+ |
| Character set size | High | Lowercase only (26 chars) vs all printable ASCII (95 chars). More character types = larger search space per character. | Include uppercase + lowercase + numbers + symbols for maximum strength |
| Dictionary words | Negative | Attackers try dictionary words and common phrases first. "Password123!" appears in every wordlist despite meeting complexity rules. | No complete dictionary words; use random character strings or random word passphrases |
| Keyboard patterns | Negative | qwerty, asdfgh, 123456, and keyboard walks are in every attack dictionary regardless of how complex they look. | No sequential keys, adjacent keys, or predictable keyboard paths |
| Personal information | Negative | Name, birthdate, pet name, address — all findable via social media. Targeted attacks test these first. | Zero personal information in any form |
| Leetspeak substitutions | Low to negative | p@ssw0rd, pa$$word — these substitutions are in all modern attack dictionaries. They add negligible security. | Substitutions count as weak unless truly random (not a → @ substitution) |
| Uniqueness | High (systemic) | A strong password reused across sites means one breach compromises all. Uniqueness prevents credential stuffing. | Every account has a unique password — use a password manager |
| Breach database appearance | Critical negative | If your password has appeared in a data breach, it is in attacker wordlists. Even if it was strong, it is now compromised. | Never use a password found in breach databases (have i been pwned) |
How Attackers Crack Passwords
| Attack method | How it works | Speed | Effective against |
|---|---|---|---|
| Brute force | Try every possible combination of characters | 100 billion/second (GPU cluster) | Against short passwords (≤8 characters); impractical above ~12 characters with full character set |
| Dictionary attack | Try words from dictionaries and known password lists | Very fast; billions/second | Common words, names, and passwords from previous breaches; adds years to crack time if genuinely random |
| Hybrid attack | Dictionary words + rule-based transformations (append numbers, capitalise first letter, leetspeak) | Fast | Covers Password1!, P@ssw0rd, and millions of similar variations that users think are clever |
| Credential stuffing | Use username/password pairs from previous data breaches | N/A (not cracking — direct login) | Against reused passwords; 65%+ of breaches involve reused credentials |
| Rainbow table | Precomputed hash-to-password lookups | Instant lookups (storage-intensive) | Against unsalted hashes; modern systems use salted hashing which defeats rainbow tables entirely |
| Targeted guessing | Human attacker tries personal information: names, dates, pet names, addresses | Manual; hours to days | Against passwords containing personal information found via social media or OSINT |
Entropy: The Mathematics of Password Strength
Password entropy measures the unpredictability of a password in bits. Higher entropy = more possible combinations = harder to crack. The formula:
Entropy (bits) = log₂(charset_size^length) = length × log₂(charset_size)
- All lowercase (26 chars): each character adds log₂(26) ≈ 4.7 bits
- Lowercase + uppercase (52 chars): each character adds ≈ 5.7 bits
- Full alphanumeric (62 chars): each character adds ≈ 5.95 bits
- All printable ASCII (95 chars): each character adds ≈ 6.57 bits
At 128 bits of entropy, brute-force cracking is computationally infeasible with current technology. The practical targets: 60+ bits for low-risk accounts; 80–100 bits for most accounts; 128+ bits for critical accounts (email, banking, password manager).
Important: entropy assumes a truly random password. Patterns and dictionary words dramatically reduce effective entropy even if the measured bit count looks high — "Password123!" has theoretical entropy around 70 bits but practical entropy of near zero because it appears in every attack list.
Crack Time Estimates
Crack time estimates are approximate and depend heavily on the attack scenario:
- Online attack (rate-limited): Attacker tries passwords against a live login form. Systems typically allow 3–10 attempts before lockout. Even weak passwords are safe from online brute force — the bottleneck is the lockout, not computation.
- Offline attack (stolen hash database): If a site is breached and password hashes leaked, attackers can crack hashes offline at billions per second using GPU clusters. This is the scenario crack time estimates address — if your hashed password is in a breach, how long before it is cracked?
- Modern GPU performance: An 8×RTX 4090 GPU cluster can test approximately 200 billion bcrypt rounds per second for MD5 hashes, or 100,000/second for bcrypt (a much stronger hashing algorithm). The hashing algorithm matters enormously — bcrypt/scrypt/Argon2 are designed to be slow and resist GPU cracking.
Password Strength vs. Memorability
There is a real tension between the strongest possible password and one you can actually remember. Strategies for resolving this:
- Use a password manager for most passwords: You only need to memorise the master password. All others are generated randomly and stored. This lets you use maximum-entropy passwords everywhere without memorisation burden.
- Use a passphrase for passwords you must memorise: 5–7 random words ("violet lamp seven ocean table") are both memorable and extremely strong (~65–90 bits of entropy from a large wordlist). Use diceware for true randomness.
- Use the same strong method for your master password: Your password manager master password and email password should both be passphrases you have memorised, not generated passwords stored elsewhere.
Common Questions
Why does the checker say my complex password is weak?
Complexity rules (must have uppercase, number, symbol) are a poor proxy for security. A password like "Tr0ub4dor&3" has uppercase, numbers, and a symbol — but it's a word ("troubadour") with predictable substitutions, and it appeared in a famous xkcd comic illustrating this exact point. The checker measures actual unpredictability, not whether boxes are ticked. Dictionary words with substitutions are in every attacker wordlist; the checker correctly rates them as weak even when they pass complexity tests.
Is it safe to type my real password into this checker?
The checker runs entirely in your browser using JavaScript — your password is not transmitted to any server. You can verify this by checking your browser's network requests while typing (browser DevTools → Network tab). No requests are sent. That said, as a general security practice, avoid typing real passwords into third-party tools you have not audited. For testing purposes, type a variation or an approximate version of your password to test the pattern without exposing the exact credential.
What should I do if my password is rated as weak?
Use the password generator to create a strong replacement immediately, store it in your password manager, and update the account. If the weak password was used on multiple sites (password reuse), update it everywhere it was used — credential stuffing means one breach compromises all accounts sharing that password. Check whether your email address has appeared in known breaches via haveibeenpwned.com — if so, prioritise updating passwords for those affected services.
Check Your Password Strength
Instant analysis of length, entropy, patterns, and estimated crack time. Your password stays in your browser — never sent to a server.
Open Password Strength Checker