Security

Password Strength Checker: a quick guide

Estimate password strength locally without ever sending the password anywhere.

Knowing how strong a password actually is takes some math. The ChrysoKit Password Strength Checker estimates entropy and crack time live as you type, and flags common weaknesses.

Why use it

The visual feedback turns abstract numbers ("how many bits of entropy") into something you can react to: longer, more varied, fewer obvious patterns. Local-only, so the password itself never leaves the page.

How to use the Password Strength Checker

  1. Type or paste a password into the input.
  2. Read the entropy estimate and the time-to-crack guess.
  3. Read the warnings about common patterns or substitutions.
  4. Adjust the password until the score is comfortable for the account's risk level.

Features worth knowing

Entropy estimate

A bit count based on character classes and length. Higher is exponentially better.

Pattern detection

Flags common substitutions (0/o, $/s), keyboard walks (qwerty), repeated characters, and short length.

Local only

Nothing is uploaded, logged, or compared against an external breach database. The password is analysed entirely in your browser.

Pro tips

  • A 'medium' score means an attacker with a good GPU farm could crack it in days. Push for high.
  • Common substitutions (0 for o, $ for s) add almost no real strength. Length is what matters.
  • The crack-time estimate assumes an attacker doing 10 billion guesses per second against a fast hash. Real systems using slow hashes (bcrypt, Argon2) buy you orders of magnitude.
  • For a fast strength upgrade, use the Passphrase Generator. Six random words beat almost anything you would invent.

Privacy first. The Password Strength Checker runs entirely in your browser. The password is never sent anywhere.

Run candidates through the Strength Checker before adding them to a manager. A few seconds of feedback saves a lot of "should I use this?" hesitation.

Open the tool: Password Strength Checker →

Reading your own results: a tour of five real verdicts

Run a few representative passwords through a strength check and the scoring logic becomes intuitive. "Thessaloniki1985" looks long and mixed-case, yet scores poorly: a city name plus a plausible birth year is the exact template cracking dictionaries mutate first. "xK9#mP2$vL5@" scores well on randomness but its 12 characters land it in the middle tier... strong against online guessing, marginal against offline attack on a weakly hashed database.

"correcthorsebatterystaple" scores highly despite containing zero digits and symbols, which surprises people trained by complexity checkboxes; 25 characters of genuinely random words is simply a vast search space. "qwertyuiop123!" fails instantly... keyboard walks are in every cracker's opening moves. And "MyD0g$N@me2019", the kind of password complexity rules actively encourage, sits in the deceptive zone: it passes every corporate policy and would fall to a standard mutation ruleset in minutes.

The meta-lesson: the meter is measuring distance from human habit. Anything derived from your life, the keyboard layout, or a dictionary word with cosmetic substitutions inherits human predictability. Anything genuinely random... characters or words, it matters less than people argue... inherits math. When your score disappoints, the fix is never one more exclamation mark; it is more randomness, which in practice means letting a generator choose.

Share this article
CK
ChrysoKit Team

The team behind ChrysoKit. We build small, useful, fast, free tools for people who would rather get on with their day than fight a website.