Password Strength Checker
Test how strong your password is — instantly see entropy bits, crack time estimate, and actionable tips. Runs entirely in your browser.
Checked locally in your browser — never sent anywhere.
Why password strength matters
A weak password is one of the most common entry points for account takeovers. Attackers use brute-force and dictionary attacks — automated tools that try millions or billions of guesses per second against leaked password databases. A password that looks complex to a human can fall in seconds if it follows a predictable pattern.
How entropy determines strength
Entropy measures unpredictability in bits. Each extra character drawn from a larger alphabet multiplies the search space exponentially. A 12-character password using all four character classes (uppercase, lowercase, digits, symbols) yields roughly 79 bits of entropy — enough to survive a GPU attack for millions of years at current hardware speeds. Dropping to a 6-character all-lowercase password cuts that to about 28 bits, crackable in under a second.
Common weaknesses this tool detects
- Common passwords — over 50 widely used passwords like "password", "123456" and "qwerty" are flagged immediately.
- Keyboard walks — sequences like "qwerty", "asdf" or "1234" have near-zero entropy despite their length.
- Repeated characters — patterns like "aaa" or "111" collapse the effective search space dramatically.
- Sequential runs — ascending or descending runs of digits or letters are heavily indexed by crackers.
- Missing character classes — passwords that skip uppercase, digits, or symbols shrink their own pool.
What makes a strong password?
Aim for at least 16 characters drawn from all four character classes, with no dictionary words or recognisable patterns. A passphrase of four random unrelated words is often both strong and memorable. Better still, use a password manager to generate and store a unique high-entropy password for every account.
Frequently Asked Questions
How is password strength calculated?↓
The checker estimates entropy in bits based on the length of your password and the size of the character set used (lowercase, uppercase, digits, and symbols). It then applies penalties for common passwords, keyboard walks, sequential characters, and repeated characters. The adjusted entropy maps to a score from 0 (Very weak) to 4 (Very strong).
What does the crack time estimate mean?↓
The crack time is a rough estimate of how long it would take to brute-force your password at 10 billion guesses per second — a realistic speed for a modern GPU-based offline attack. It is an order-of-magnitude guide, not an exact figure. A password that takes centuries to crack is effectively unbreakable for any practical attacker.
Is my password sent to a server?↓
No. All analysis runs locally in your browser using JavaScript. Your password is never transmitted, stored, or logged anywhere. You can safely check sensitive passwords without any privacy risk.