Password Strength Checker
Entropy, time-to-crack, and concrete fixes. Nothing leaves your browser.
Findings
Suggestions
How to use
- Type or paste a password into the field.
- Watch the bar, entropy bits, and crack-time estimates update live.
- Read the Findings section to see exactly what is weak (dictionary, sequence, repeat, etc.).
- Apply the Suggestions to lift it to "Strong" or better.
- Use the Password Generator if you'd rather start from a random password.
Frequently asked questions
How is strength measured?
We use a lightweight zxcvbn-style approach: it tries to crack the password using dictionaries, leet substitutions, common patterns, and sequences, then estimates the work needed.
Is my password sent anywhere?
No. The analysis runs entirely in your browser. Nothing is uploaded, logged, or compared against an online breach database.
What does the time-to-crack mean?
It is the estimated time for an attacker doing 10 billion guesses per second against a fast hash. Slow hashes like Argon2 or bcrypt would take much longer; weakly hashed leaks are cracked far faster.
Why is my long word still rated weak?
One dictionary word is easy to crack. Several unrelated random words, like a passphrase, are very strong because the entropy comes from the combination rather than the choice of words.
How crackers actually attack, and why meters disagree
Real password cracking is not blind brute force. Tools like Hashcat run dictionaries of every leaked password (billions of them), then mutate: capitalise first letter, append years and exclamation marks, swap a for @ and e for 3. "P@ssw0rd2024!" satisfies every checkbox rule and falls in seconds because it sits squarely inside those mutation rules. A good strength estimate therefore measures distance from human patterns... dictionary words, keyboard walks like qwerty and 1q2w3e, dates, repeated and sequential characters... not the mere presence of a symbol. This is why two meters can score the same password differently: the naive ones count character classes, the serious ones model the attacker.
Reading a strength result usefully
- "Time to crack" estimates assume offline attack against a stolen hash database, the realistic worst case. Online guessing is far slower because services rate-limit.
- A long all-lowercase random string can legitimately outscore a short symbol-laden one: 20 random lowercase letters carry 94 bits, more than enough.
- Patterns poison length: "passwordpassword" is 16 characters and approximately worthless.
Strength is necessary, not sufficient
The strongest password ever generated still falls to phishing, malware, or a service that stored it in plain text. Pair strength with: checking exposure against breach corpora (haveibeenpwned indexes billions of leaked credentials), two-factor authentication on email and financial accounts... which survives even a stolen password... and uniqueness everywhere, so one breach stays one breach. Test passwords here freely: the check runs locally in your browser, and nothing you type is transmitted.
The checkup routine worth doing twice a year
A password audit takes twenty minutes with a manager installed. Open its built-in security report: every reused password is listed, ranked by exposure. Fix the reuses on accounts that matter first... each one converts a future credential-stuffing hit from "all my accounts" to "one account". Check the weak-password list next and regenerate anything created before you had the manager. Then run your primary email through a breach-notification service, since that address is the recovery key to everything else. Finish by confirming 2FA is still active on email and banking... apps get reinstalled and toggles silently reset. Calendar it; entropy decays through life events, not through time.
Advertisement