Check password strength in your browser: estimate entropy in bits, score it from very weak to very strong, flag weak patterns, and show an offline crack time.
Runs entirely in your browser — your data never leaves your device.
How to use Password Strength Checker
What it does & when you need it
You want to know whether a password would survive a real attack — not just whether
it clears an arbitrary "one uppercase, one number" rule that weak passwords pass
and strong passphrases sometimes fail. This checker estimates the actual entropy
of what you type, scores it from very weak to very strong, and translates that
into a rough offline crack time. It runs entirely in your browser, so you can test
a password you genuinely use without it ever being sent anywhere.
How to use
Type or paste a password into the field. Everything updates as you type.
Read the score bar and label, then the entropy in bits and the estimated crack
time. Use Show password to reveal what you entered.
Check the warnings and suggestions below the meter — they point to the specific
weaknesses found, such as a dictionary word or a keyboard run.
Press Copy report (or Ctrl/Cmd + Enter) to copy the full breakdown.
Things worth knowing
Entropy, not rules. Strength is estimated from the effective character pool
times the length, then penalised for repeats, sequences like abc or 123,
keyboard walks like qwerty, and common passwords. That is why an eight-character
random string can outscore a longer but predictable one.
The crack time is a ceiling. It assumes a fast offline attack of about ten
billion guesses a second against an unsalted hash. A properly slow hash such as
bcrypt or Argon2 takes far longer, so treat the figure as a worst case for
comparing passwords, not a promise.
Length beats complexity. A four-word passphrase is easy to remember and hard
to guess. Better still, let a password generator
create a long random password per account and store it in a manager. For
one-way fingerprints see the hash generator.
Examples
A weak dictionary password
password123
A common word plus a numeric run — long-ish but scored very weak with an instant crack time.
A strong random mix
G7k#R2m!Z9x&Q4wL
Sixteen unpredictable characters across all four classes push it to very strong.
A memorable passphrase
correct-horse-battery-staple
Four random words show how length from real randomness beats a short symbol-heavy password.
Frequently asked questions
How is password strength measured here?+
The tool estimates entropy: it works out the effective character pool (26 for lowercase, 26 for uppercase, 10 for digits, about 33 for symbols) and multiplies its base-2 logarithm by the length. It then subtracts bits for predictable structure — repeated characters, alphabetical or numeric runs, keyboard walks, and dictionary words — so a password made only of easy patterns scores far lower than its raw length suggests.
What do the score and crack time mean?+
The 0 to 4 score maps entropy onto a familiar very-weak to very-strong scale. The crack time assumes a fast offline attack at roughly ten billion guesses a second against an unsalted fast hash, searching on average half the keyspace. It is a rule-of-thumb ceiling: a slow hash such as bcrypt takes far longer, while a targeted attacker who knows you may take far less.
Why is my long password still rated weak?+
Length only helps when the characters are unpredictable. Strings like "password123", "aaaaaaaa", or "qwertyuiop" are long but follow patterns an attacker tries first, so the estimator caps or heavily discounts their entropy. Mixing character types and avoiding words, sequences, and keyboard runs raises the score more than simply adding repeated or predictable characters.
Is my password sent anywhere?+
No. The entire analysis runs locally in your browser with plain JavaScript, and the small list of common passwords is bundled into the page. Nothing you type is transmitted, logged, or stored, so you can safely test a real password and the tool keeps working offline once loaded.
Is this a substitute for a password manager?+
No. It is a teaching aid for judging one password at a time, not a vault. The strongest practical approach is a password manager that generates a long random password for every account, checked here if you want reassurance, combined with two-factor authentication wherever it is offered.