Password Strength Checker
Test how strong a password is, with an entropy estimate and crack-time guide.
Your password is analysed entirely in your browser and never sent anywhere.
How to use the Password Strength Checker
Step 1 — Type a password
- Enter the password you want to test; toggle Show to see it.
Step 2 — Read the meter
- The bar and label rate it from very weak to very strong.
Step 3 — Review warnings
- Specific issues, like sequences or short length, are listed.
Private
- Everything runs in your browser; nothing is sent anywhere.
Frequently asked questions
Yes. The analysis runs entirely in your browser using JavaScript — your password is never transmitted, stored, or logged anywhere. For total peace of mind, test a similar password rather than a live one.
Entropy in bits estimates how unpredictable the password is. More bits means exponentially more guesses to crack it. Roughly, under 28 is very weak and over 60 is strong against offline attacks.
Because length is not everything. The tool checks for common passwords, repeated characters, and simple sequences like 123 or abc, which attackers try first regardless of length.
No, it is an estimate that assumes a fast offline attack on a leaked hash. Real times vary enormously with the hashing method and attacker hardware. Treat it as a relative guide, not a guarantee.
Length is the biggest factor. A long passphrase of several random words, or 12+ mixed characters, beats a short complex one. Avoid reuse, and use a password manager.
About the Password Strength Checker
This tool estimates how strong a password is and explains why, so you can judge whether it is good enough before you rely on it. It rates the password, estimates its entropy, gives a rough crack-time, and points out specific weaknesses — all without your password ever leaving your browser.
How it judges strength
The core measure is entropy, expressed in bits, which estimates how many guesses an attacker would need. Entropy grows with both length and the variety of characters used, and because the relationship is exponential, each extra character or character type multiplies the effort to crack it. But raw entropy assumes the password is random, and most are not. So the checker also looks for the patterns attackers exploit first: the most common leaked passwords, a single repeated character, and obvious sequences like 123 or abc. When it finds one, it downgrades the rating and tells you why, rather than giving a falsely reassuring score for something like a dictionary word.
The crack-time estimate
The estimated time to crack assumes a fast offline attack — the scenario where a database of password hashes has leaked and an attacker is guessing at high speed on their own hardware. This is deliberately pessimistic because it reflects the situation that actually compromises accounts. Be aware that the real figure swings by orders of magnitude depending on how the password was hashed and how powerful the attacker is, so the number is a relative guide for comparing passwords, not a precise prediction.
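The scoring described in the two sections above can be sketched in JavaScript as follows. This is an added example, not the tool's own code: the character-pool sizes, the five-entry common-password sample, the penalty applied for each pattern, the rating cut-offs other than 28 and 60 bits, and the rate of 10^10 guesses per second are all assumptions chosen for illustration.

```javascript
// Added example, not the tool's own code. Pool sizes, the common-password sample,
// the pattern penalties, the 36/80-bit cut-offs and the guess rate are assumptions.
const COMMON = new Set(["password", "123456", "qwerty", "letmein", "iloveyou"]); // constructed sample
const GUESSES_PER_SECOND = 1e10; // assumed rate for a fast offline attack

// Size of the character pool implied by the character classes present.
function poolSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // remaining printable ASCII, space included
  return n;
}

// Raw entropy in bits; only meaningful if every character was chosen at random.
function rawEntropyBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(poolSize(pw));
}

// True if `len` consecutive characters ascend or descend by one (abc, 123, 321).
function hasSequence(pw, len = 3) {
  let up = 1, down = 1;
  for (let i = 1; i < pw.length; i++) {
    const d = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    up = d === 1 ? up + 1 : 1;
    down = d === -1 ? down + 1 : 1;
    if (up >= len || down >= len) return true;
  }
  return false;
}

// Rate a password: raw entropy, downgraded for each pattern found, plus warnings.
function analyse(pw) {
  const warnings = [];
  let bits = rawEntropyBits(pw);
  if (COMMON.has(pw.toLowerCase())) { warnings.push("common password"); bits = Math.min(bits, 10); }
  if (/^(.)\1+$/.test(pw)) { warnings.push("single repeated character"); bits = Math.min(bits, 10); }
  if (hasSequence(pw)) { warnings.push("simple sequence"); bits /= 2; }
  if (pw.length < 8) warnings.push("short length");
  const label = bits < 28 ? "very weak" : bits < 36 ? "weak" : bits < 60 ? "fair" : bits < 80 ? "strong" : "very strong";
  // Expected crack time: on average half of the 2^bits candidates are tried.
  const seconds = Math.pow(2, bits) / 2 / GUESSES_PER_SECOND;
  return { bits, label, warnings, seconds };
}
```

Changing GUESSES_PER_SECOND to reflect a slower password hash shifts every crack-time by the same factor, which is why the figure is useful for comparing passwords rather than as a prediction.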
Building a strong one — and privacy
The single most effective thing you can do is make the password longer; a passphrase of several unrelated words is both strong and memorable. Mixing character types helps, avoiding reuse across sites matters enormously, and a password manager removes the need to remember any of it. Critically, this tool processes everything locally in JavaScript and transmits nothing, but as a habit you should never paste a real, in-use password into any website — test a close variant instead. To create strong passwords, use the Strong Password Generator.