Password Strength Checker

Check password strength in your browser: estimate entropy in bits, score it from very weak to very strong, flag weak patterns, and show an offline crack time.

Runs entirely in your browser — your data never leaves your device.

How to use Password Strength Checker

What it does & when you need it

You want to know whether a password would survive a real attack — not just whether it clears an arbitrary "one uppercase, one number" rule that weak passwords pass and strong passphrases sometimes fail. This checker estimates the actual entropy of what you type, scores it from very weak to very strong, and translates that into a rough offline crack time. It runs entirely in your browser, so you can test a password you genuinely use without it ever being sent anywhere.

How to use

  1. Type or paste a password into the field. Everything updates as you type.
  2. Read the score bar and label, then the entropy in bits and the estimated crack time. Use Show password to reveal what you entered.
  3. Check the warnings and suggestions below the meter — they point to the specific weaknesses found, such as a dictionary word or a keyboard run.
  4. Press Copy report (or Ctrl/Cmd + Enter) to copy the full breakdown.

Things worth knowing

Entropy, not rules. Strength is estimated as the base-2 logarithm of the effective character pool times the length, then penalised for repeats, sequences like abc or 123, keyboard walks like qwerty, and common passwords. That is why an eight-character random string can outscore a longer but predictable one.

The crack time is a ceiling. It assumes a fast offline attack of about ten billion guesses a second against an unsalted hash. Cracking a properly slow hash such as bcrypt or Argon2 takes far longer, so treat the figure as a worst case for comparing passwords, not a promise.

Length beats complexity. A four-word passphrase is easy to remember and hard to guess. Better still, let a password generator create a long random password per account and store it in a manager. For one-way fingerprints see the hash generator.

Examples

A weak dictionary password

password123

A common word plus a numeric run — long-ish but scored very weak with an instant crack time.

A strong random mix

G7k#R2m!Z9x&Q4wL

Sixteen unpredictable characters across all four classes push it to very strong.

A memorable passphrase

correct-horse-battery-staple

Four random words show how length from real randomness beats a short symbol-heavy password.

Frequently asked questions

How is password strength measured here?

The tool estimates entropy: it works out the effective character pool (26 for lowercase, 26 for uppercase, 10 for digits, about 33 for symbols) and multiplies its base-2 logarithm by the length. It then subtracts bits for predictable structure — repeated characters, alphabetical or numeric runs, keyboard walks, and dictionary words — so a password made only of easy patterns scores far lower than its raw length suggests.

What do the score and crack time mean?

The 0 to 4 score maps entropy onto a familiar very-weak to very-strong scale. The crack time assumes a fast offline attack at roughly ten billion guesses a second against an unsalted fast hash, searching on average half the keyspace. It is a rule-of-thumb ceiling: cracking a slow hash such as bcrypt takes far longer, while a targeted attacker who knows you may take far less.
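
The estimate described in the two answers above, as an added JavaScript example that is not the tool's own code. The pool sizes and the ten-billion-guesses rate come from this page; the sample word list, the rule that a weak character contributes zero bits, and the score thresholds are assumptions.

```javascript
// Pool sizes and the 1e10 guesses/s rate come from the page; the word list,
// penalty rule and score thresholds are assumptions made for this example.
const CLASSES = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 33]];
const COMMON = ["password", "letmein", "dragon", "monkey"]; // constructed sample list
const KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"];
const GUESSES_PER_SECOND = 1e10;
const SCORE_FLOORS = [28, 36, 60, 80]; // assumed bit thresholds for scores 1..4

// Mark every character an attacker gets "for free" from predictable structure.
function weakPositions(pw) {
  const s = pw.toLowerCase();
  const weak = new Array(s.length).fill(false);
  for (const word of COMMON) {
    for (let at = s.indexOf(word); at !== -1; at = s.indexOf(word, at + 1)) {
      weak.fill(true, at, at + word.length);
    }
  }
  for (let i = 1; i < s.length; i++) {
    const pair = s[i - 1] + s[i];
    const repeat = pair[0] === pair[1];
    const run = /^[a-z0-9]{2}$/.test(pair) && pair.charCodeAt(1) - pair.charCodeAt(0) === 1;
    const walk = KEY_ROWS.some((row) => row.includes(pair));
    if (repeat || run || walk) weak[i] = true;
  }
  return weak;
}

function estimate(pw) {
  const pool = CLASSES.reduce((n, [re, size]) => n + (re.test(pw) ? size : 0), 0);
  const bitsPerChar = pool > 0 ? Math.log2(pool) : 0;
  const rawBits = bitsPerChar * pw.length;
  // Assumed penalty: a weak character contributes no entropy at all.
  const weakCount = weakPositions(pw).filter(Boolean).length;
  const bits = rawBits - bitsPerChar * weakCount;
  const score = SCORE_FLOORS.filter((floor) => bits >= floor).length;
  // Average case: the attacker searches half of the 2^bits keyspace.
  const crackSeconds = 2 ** bits / 2 / GUESSES_PER_SECOND;
  return { pool, rawBits, bits, score, crackSeconds };
}

for (const pw of ["password123", "G7k#R2m!Z9x&Q4wL", "correct-horse-battery-staple"]) {
  const r = estimate(pw);
  console.log(pw, r.bits.toFixed(1) + " bits", "score " + r.score, r.crackSeconds.toExponential(1) + " s");
}
```

Under these assumptions only the first digit of password123 counts as unpredictable, which is why eleven characters collapse to roughly five bits.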

Why is my long password still rated weak?

Length only helps when the characters are unpredictable. Strings like "password123", "aaaaaaaa", or "qwertyuiop" are long but follow patterns an attacker tries first, so the estimator caps or heavily discounts their entropy. Mixing character types and avoiding words, sequences, and keyboard runs raises the score more than simply adding repeated or predictable characters.

Is my password sent anywhere?

No. The entire analysis runs locally in your browser with plain JavaScript, and the small list of common passwords is bundled into the page. Nothing you type is transmitted, logged, or stored, so you can safely test a real password and the tool keeps working offline once loaded.

Is this a substitute for a password manager?

No. It is a teaching aid for judging one password at a time, not a vault. The strongest practical approach is a password manager that generates a long random password for every account, checked here if you want reassurance, combined with two-factor authentication wherever it is offered.