🔐 Security

Password Strength Checker

Type or paste a password to instantly see its strength, entropy, and how long it would take to crack. Your password never leaves your browser.

How strength is calculated

Password strength is measured in bits of entropy — the mathematical uncertainty a brute-force attacker faces. Entropy is calculated as length × log₂(pool size), where pool size is the number of distinct character types used (lowercase 26, uppercase 26, digits 10, symbols ~32). The crack-time estimate assumes an attacker running 10 billion guesses per second (modern GPU). Your password is never sent anywhere — analysis happens entirely in JavaScript.

Why a Password Strength Checker Matters

You're creating an account. You type a password. You have no idea if it's actually good or dangerously weak. That's the gap this tool fills. Rather than a vague "strong/weak" label, it gives you the real mathematics behind your password — entropy in bits, an estimated crack time against a 10-billion-guesses-per-second attacker (what a modern GPU cluster can do), and a 9-point criteria checklist. Whether you're evaluating a brand-new password or finally auditing one you've been using for years, this checker tells you exactly where you stand and precisely what to fix. The best part? Your password never leaves your browser. There is no server request, no logging, no risk of interception.

Key Features

  • Real-time entropy calculation: Displays bits of entropy as you type — the single most accurate measure of password strength.
  • 5-segment strength meter: Visual bar color-coded from red (Very Weak) to green (Very Strong) so you can see progress at a glance.
  • Crack time estimate: Assumes a 10 billion guesses/second attacker — the real-world threat model, not a marketing number.
  • 9-criteria checklist: Covers length (8, 12, 16+ characters), lowercase, uppercase, digits, symbols, and absence of repeated characters.
  • Personalized suggestions panel: Specific, actionable tips that appear only when a weakness is detected — not generic boilerplate.
  • Show/hide toggle: Reveal your password while typing without pasting it somewhere else — keeps your workflow safe.

Real-Life Use Cases

  • Creating a new account password: Paste your candidate password before committing — know exactly how strong it is before you save it.
  • Auditing old passwords: Type in passwords you've been reusing for years to see just how vulnerable they actually are.
  • Teaching password hygiene: Teachers and IT trainers can use this live in a classroom to show students the difference between "Password1" and a proper 16-character mixed password.
  • Evaluating passphrase strength: Wondering if "correct-horse-battery-staple" actually beats "P@ssw0rd"? Test it — the entropy numbers tell the true story.
  • Security audits: IT teams can check if proposed password policies produce acceptably strong passwords before rolling out to employees.

Who Can Use This Tool

Anyone who uses passwords — which is everyone. But this tool is especially useful for people who tend to default to familiar patterns: their pet's name, a favourite sports team, or something like "Summer2024!" that feels strong but scores Fair. It's also valuable for developers building authentication flows who want to validate that their password strength requirements produce genuinely secure passwords. Security trainers, IT helpdesk staff, and parents teaching teens about online safety will all find it useful too.

Tips & Best Practices

  • Aim for 80+ bits of entropy: That's the threshold this tool marks as Very Strong — it represents a crack time measured in billions of years.
  • Try passphrases: Four random words (like "granite-lamp-river-desk") can hit 70+ bits while being far easier to remember than symbol-heavy strings.
  • Never reuse passwords: Even a Very Strong password becomes a liability the moment the site it's on gets breached. Use a password manager.
  • Add symbols strategically: A single symbol in a 12-character password jumps the pool from 62 to 94 characters — a significant entropy boost.
  • Pair with 2FA: A strong password is one layer. Two-factor authentication adds a second, making account takeover nearly impossible even if your password leaks.

Frequently Asked Questions

Is my password sent to a server when I check it?
No. The password strength analysis runs entirely in your browser using JavaScript. Your password is never transmitted anywhere — it stays on your device. This makes the tool safe to use even for real passwords you are considering using.
What makes a password "strong"?
A strong password has: length (16+ characters), variety (mix of uppercase, lowercase, digits and symbols), unpredictability (no dictionary words, names or patterns), and uniqueness (not reused across sites). This tool scores passwords on all these factors.
How is the crack time estimated?
The estimated crack time assumes an attacker running 10 billion guesses per second — achievable with a modern GPU cluster. The calculation uses entropy bits: time = 2^entropy / (2 × 10,000,000,000). Real crack times vary based on attacker hardware and whether common patterns are used.
What is "entropy" and why does it matter?
Entropy measures how many bits of randomness a password contains, calculated as length × log₂(character pool size). Higher entropy means more possible combinations for an attacker to try. Aim for at least 80 bits of entropy for a very strong password.
My password is long but still scored "Fair" — why?
A long password made of only lowercase letters has a small character pool (26 characters), which limits entropy. Adding uppercase letters, digits, and symbols expands the pool to 94 characters, giving far higher entropy for the same length. For example, 12 lowercase-only characters (~56 bits) is weaker than 12 mixed-type characters (~79 bits).
Browse all tools Generate a Password