Password Strength Checker
Type any password to instantly see its strength score, entropy in bits, estimated crack time, and a full checklist of what makes it strong or weak. No signup, runs entirely in your browser — your password is never sent anywhere.
How the Password Strength Checker Works
1. Type or paste a password — the strength bar and score update instantly as you type. Use the eye icon to show or hide the characters.
2. The entropy and crack time show how mathematically unpredictable your password is and how long a GPU-powered brute-force attack would take.
3. The requirements checklist shows exactly which criteria pass and which fail — length, character variety, repeated characters, sequential patterns, and common password detection.
4. The suggestions panel gives specific, actionable fixes for any failing checks — so you know precisely what to change to improve your score.
What Makes a Password Strong?
Password strength comes from two independent properties: length and unpredictability. Length directly multiplies entropy — each additional character raises the number of possible combinations by a factor equal to the charset size. Unpredictability means avoiding patterns an attacker would try early: dictionary words, keyboard walks (qwerty, 12345), repeated characters, and character substitutions (pa$$w0rd). The strongest passwords combine both: 16+ characters drawn from uppercase, lowercase, digits, and symbols, with no recognizable patterns.
Tips for Creating Strong Passwords
Use a passphrase
Four or more random words strung together (e.g. "correct-horse-battery-staple") give high entropy and are far easier to remember than a short mixed-character string.
Never reuse passwords
A single breached site exposes every account sharing that password. Use a unique password for every service — this is only practical with a password manager.
Longer beats complex
A 16-character lowercase-only password has more entropy than a 10-character password with mixed types. Length is the single most effective lever for entropy.
Avoid obvious substitutions
Replacing letters with numbers (p4ssw0rd) or symbols (p@ssword) is one of the first mutations password crackers try. These substitutions add almost no real security.
Add 2FA on top
Even a strong password can be phished. Adding TOTP-based two-factor authentication means a stolen password alone cannot access your account.
Check for breaches
A password that has appeared in a public data breach is dangerous regardless of its strength score. Services like Have I Been Pwned let you check without exposing your actual password.
Frequently Asked Questions
Is my password sent to a server?
No. The password strength checker runs entirely in your browser — no network request is made and your password never leaves your device. The analysis is computed locally using JavaScript and is discarded the moment you close or refresh the tab.
What does password entropy mean?
Entropy measures how unpredictable a password is, expressed in bits. It is calculated as: length × log₂(charset size), where charset size is the number of possible characters across the character types used (26 for lowercase only, up to 94 for all printable ASCII). Higher entropy means more possible combinations an attacker must try. A password with 60+ bits of entropy is considered strong for most purposes; 80+ bits is excellent.
How is the crack time calculated?
Crack time assumes an attacker running an offline brute-force attack at 10 billion guesses per second — a realistic rate for a modern GPU array. The formula is 2^entropy / 10,000,000,000 seconds. This is a worst-case scenario for the attacker; real attacks often use dictionaries and rule-based mutations that crack common patterns much faster, which is why avoiding dictionary words and common substitutions matters as much as length.
Why does a long password of one character type score poorly?
A password of 20 lowercase letters has a charset of only 26, so its entropy is 20 × log₂(26) ≈ 94 bits. That sounds high, but if the attacker uses a dictionary attack rather than brute force, a word-based or all-lowercase password is cracked far faster than the entropy number suggests. The checker penalizes single character types and rewards mixed types because it reflects how modern password cracking tools work.
What makes a password "common"?
The checker tests against a list of the most frequently appearing passwords in major data breach databases. Passwords like "password", "123456", "qwerty", and "letmein" appear in nearly every breach dataset and are always tried first by attackers — regardless of their technical entropy score. A password that appears in a breach list is effectively zero entropy against a credential-stuffing attack.
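The entropy formula, the crack-time formula and the common-password check described in the answers above, combined in one added JavaScript example (this is not the checker's own source). The word list and the substitution map are constructed for illustration, any character outside a-z, A-Z and 0-9 is counted in the 32-symbol pool, and reporting 0 seconds for a listed password is a modelling choice made here.

```javascript
// Added example: NOT the checker's own source. Pool sizes follow the page:
// 26 lowercase + 26 uppercase + 10 digits + 32 symbols = 94 printable ASCII.
const POOLS = [
  [/[a-z]/, 26],
  [/[A-Z]/, 26],
  [/[0-9]/, 10],
  [/[^a-zA-Z0-9]/, 32],
];
const GUESSES_PER_SECOND = 1e10; // the page's 10 billion guesses per second

// Constructed sample list (the four examples the page names); a real
// checker would load a much larger breach-derived list.
const COMMON = new Set(["password", "123456", "qwerty", "letmein"]);
// Hypothetical substitution map used to undo "p4ssw0rd"-style mutations.
const LEET = { "4": "a", "@": "a", "0": "o", "3": "e", "1": "l", "$": "s", "5": "s" };

function charsetSize(pw) {
  return POOLS.reduce((n, [re, size]) => n + (re.test(pw) ? size : 0), 0);
}

// entropy = length × log2(charset size)
function entropyBits(pw) {
  const pool = charsetSize(pw);
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Time to exhaust the whole keyspace: 2^entropy / guesses per second.
function crackSeconds(bits) {
  return Math.pow(2, bits) / GUESSES_PER_SECOND;
}

// True if the password, or its de-substituted lowercase form, is on the list.
function isCommon(pw) {
  const lower = pw.toLowerCase();
  const plain = lower.replace(/[40315@$]/g, (c) => LEET[c]);
  return COMMON.has(lower) || COMMON.has(plain);
}

function analyze(pw) {
  const bits = entropyBits(pw);
  const common = isCommon(pw);
  // A listed password is guessed first, so the brute-force estimate is void.
  return { bits, common, seconds: common ? 0 : crackSeconds(bits) };
}

console.log(analyze("P@ssw0rd"), analyze("abcdefghijklmnopqrst"));
```

"P@ssw0rd" draws on all four pools and scores about 52 bits by the formula, yet it is flagged as common once the substitutions are undone, which is why the list check has to override the entropy figure.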
How long should a password be?
NIST SP 800-63B recommends a minimum of 8 characters but encourages longer passwords. A 12-character password using mixed character types has roughly 78 bits of entropy — considered strong. A 16-character password exceeds 100 bits. Passphrases (four or more random words) are both highly secure and memorable: "correct-horse-battery-staple" has high entropy and is easy to type.
Should I use a password manager?
Yes. A password manager generates and stores unique, high-entropy passwords for every account — removing the human tendency to reuse or simplify passwords. If you use a password manager, all your passwords can be 20+ random characters, which this tool would rate as Very Strong. The master password for the manager itself should be a strong, memorable passphrase.