Password Strength Checker

Test how secure your password is — get an entropy score, estimated crack time, and actionable tips.

Last updated: March 25, 2026


What users say

I use this to show junior devs why "P@ssw0rd" is terrible. The crack time estimate next to the entropy score is eye-opening — finally something that explains *why* a password is weak.
Tom W., Security Engineer
The passphrase vs random string comparison genuinely changed how I think about passwords. Simple, educational, and completely private.
Mei C., Product Manager


What is Password Strength Checker?

Password strength is determined by two primary factors: length and character diversity. A password's "entropy" — measured in bits — quantifies how many guesses an attacker would need on average. Each additional bit of entropy doubles the number of guesses required. An 8-character lowercase password has approximately 38 bits of entropy (easily cracked in hours with a GPU). A 16-character passphrase with mixed characters has 95+ bits — which would take billions of years to brute-force at current computing speeds.

This tool calculates entropy based on length, character set size, and patterns. It also checks against common substitutions (e.g. 3 for E, @ for A) and dictionary-based patterns that attackers exploit first. All analysis runs entirely in your browser — your password is never transmitted to any server, never stored in any database, and leaves no trace.

How to Use Password Strength Checker

1. Type your password into the input field — analysis begins instantly
2. Review the strength bar: Weak (red), Fair (orange), Good (yellow), Strong (green), Very Strong (blue)
3. Check the entropy score (bits) and estimated crack time shown below the bar
4. Read the specific improvement tips that appear if the password is below "Strong"
5. Adjust your password based on the suggestions and watch the score update in real time

Common Use Cases

  • Checking a new password before setting it on an account
  • Auditing existing passwords to identify which accounts need updated credentials
  • Understanding why a specific password is weak (e.g. dictionary word base + number substitution)
  • Teaching employees or students what makes passwords resistant to cracking
  • Verifying passphrase strength — testing whether "correct horse battery staple" is stronger than "P@ssw0rd!"
  • Estimating crack time for compliance reporting (HIPAA, SOC 2, PCI-DSS)
  • Testing generated passwords from a password manager before trusting them

Example Input and Output

Compare a classic "clever" substitution password versus a random passphrase:

Password examples
Example A: P@ssw0rd!
Example B: correct-horse-battery-staple
Example C: Xk9#mP2@vLq7$nR4

Strength analysis
Example A: P@ssw0rd!
Entropy: 28 bits | Strength: WEAK
Crack time: < 1 hour (dictionary + leet-speak rules)

Example B: correct-horse-battery-staple
Entropy: 53 bits | Strength: GOOD
Crack time: ~3 years (random word combo)

Example C: Xk9#mP2@vLq7$nR4
Entropy: 98 bits | Strength: VERY STRONG
Crack time: Billions of years

Privacy Guarantee

Your password is never transmitted. All analysis (entropy calculation, pattern detection, crack time estimation) runs exclusively in your browser. No network request is made. You can use this tool with WiFi disabled.

Use a Password Manager

The best password is one you do not know. Use a password manager (Bitwarden is free and open-source) to generate and store 20+ character random passwords for every site. You only need to remember one strong master password.

Beyond Passwords: Enable 2FA

Even a perfect password can be stolen via phishing, keyloggers, or data breaches. Two-factor authentication (2FA) adds a second layer that attackers cannot crack remotely. Use an authenticator app (Authy, Google Authenticator) — avoid SMS-based 2FA which is vulnerable to SIM-swapping.

Frequently Asked Questions

Is my password sent to a server when I type it here?
No. Every character you type is analyzed locally in your browser using JavaScript. Your password never leaves your device. It is not transmitted, logged, or stored anywhere — not even temporarily. You can verify this by disconnecting from the internet and using the tool offline.
What is password entropy and why does it matter?
Entropy (measured in bits) quantifies how unpredictable a password is. Each bit of entropy doubles the number of guesses required to crack it. 40 bits = ~1 trillion guesses. 60 bits = ~1 quintillion guesses. Modern password crackers (using GPUs) can attempt billions of guesses per second, making low-entropy passwords very vulnerable.
Why is 'P@ssw0rd!' rated as weak even though it has uppercase, number, and symbol?
Because password cracking dictionaries include common letter-to-symbol substitutions (called "leet-speak rules"): @ for a, 0 for o, 3 for e, ! for i. Attackers automatically test these variations on every dictionary word. A password that looks complex to humans is trivially cracked by automated tools when it's based on a common word.
How long should a secure password be?
At minimum, 12 characters of mixed case, numbers, and symbols. Ideally, 16+ characters. For critical accounts (email, banking, password manager), use a random 20+ character password generated by a password manager. Length is the single most effective factor in increasing strength.
Are passphrases stronger than random character passwords?
It depends on length. A 4-word random passphrase like "correct horse battery staple" has about 44 bits of entropy (moderately strong). A 16-character fully random password using the full printable ASCII set has ~105 bits (extremely strong). For memorability, passphrases win. For raw security, random strings win.
Does this check against known leaked passwords (Have I Been Pwned)?
No — this tool only analyzes strength based on entropy and pattern detection. It does not check if your specific password appears in data breach databases. To check that, visit haveibeenpwned.com, which uses a privacy-preserving k-anonymity API that only sends the first 5 characters of your password hash.
What makes a password crack-resistant for 2025?
Minimum 16 characters, fully random (not a word or phrase), using all character sets (lowercase, uppercase, digits, symbols). Store it in a reputable password manager (Bitwarden, 1Password, or KeePass). Enable 2FA on every account that supports it — a strong password plus 2FA makes account compromise essentially impossible.

How This Tool Works

Strength is calculated using a Shannon entropy formula: bits = log2(charset_size) × length. Character set size is determined by which character classes appear in the password (lowercase: 26, uppercase: 26, digits: 10, symbols: 32). Pattern penalties are applied for dictionary words (using a curated compressed wordlist), date patterns (YYYY, MM/DD), keyboard walks (qwerty, 12345), and common leet-speak substitutions. The crack time estimate is based on a simulated offline attack rate of 10 billion guesses/second (modern GPU cluster) applied against the effective entropy after penalties.
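
The calculation described above, as an added JavaScript example (not this tool's source code). The character-class sizes and the 10 billion guesses/second rate come from the page; the leet map, the four-word sample list and the penalty weights are assumptions, so the results will not match the sample figures shown earlier.

```javascript
// Added example: the charset-based estimate from "How This Tool Works".
// From the page: class sizes 26/26/10/32 and 10 billion guesses per second.
// Assumptions: LEET map, the constructed WORDLIST, and the penalty weights.
const CLASSES = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 32]];
const GUESSES_PER_SECOND = 1e10;
const LEET = { '@': 'a', '0': 'o', '3': 'e', '1': 'l', '$': 's', '!': 'i' };
const WORDLIST = ['password', 'letmein', 'dragon', 'monkey']; // constructed sample

// Sum the sizes of the character classes that appear at least once.
function charsetSize(pw) {
  return CLASSES.reduce((n, [re, size]) => n + (re.test(pw) ? size : 0), 0);
}

// bits = log2(charset_size) * length; the empty string is 0 bits.
function rawBits(pw) {
  return pw.length === 0 ? 0 : Math.log2(charsetSize(pw)) * pw.length;
}

// Lowercase and undo leet substitutions (one character maps to one character).
function normalize(pw) {
  return pw.toLowerCase().replace(/[@031$!]/g, (c) => LEET[c]);
}

// Return the wordlist entry the normalized password starts with, or null.
function dictionaryBase(pw) {
  const n = normalize(pw);
  return WORDLIST.find((w) => n.startsWith(w)) || null;
}

// Average-case time: half the keyspace at the page's offline guess rate.
function crackSeconds(bits) {
  return 2 ** bits / 2 / GUESSES_PER_SECOND;
}

function estimate(pw) {
  const raw = rawBits(pw);
  const word = dictionaryBase(pw);
  // Assumed penalty: choosing the word costs log2(list size) bits, case/leet
  // variants about 1 bit per letter, and only the leftover tail counts in full.
  const effective = word
    ? Math.min(raw, Math.log2(WORDLIST.length) + word.length + rawBits(pw.slice(word.length)))
    : raw;
  return { word, raw, effective, seconds: crackSeconds(effective) };
}

for (const pw of ['P@ssw0rd!', 'correct-horse-battery-staple', 'Xk9#mP2@vLq7$nR4']) {
  const e = estimate(pw);
  console.log(pw, Math.round(e.raw), Math.round(e.effective), e.seconds.toExponential(2));
}
```

The raw formula rates correct-horse-battery-staple at about 164 bits because it treats all 28 characters as independent, which is why the word and pattern penalties matter for passphrases as well as for leet-speak passwords.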

Technical Stack

  • Browser-native JavaScript
  • zxcvbn-based entropy model
  • Compressed wordlist (client-side)
  • Client-side only
  • No external API calls