🛡️

Password Strength Checker

Measure entropy, estimated crack time and common weaknesses of a password — evaluated entirely on your device, never transmitted.

Password
Enter a password to analyse it.
0
Length
0
Charset size
0
Entropy (bits)
Estimated Time To Crack
Attack scenarioGuesses/secTime

Assumes a brute-force search of half the keyspace. Real attackers try dictionaries and known-breach lists first, so patterned passwords fall much faster than these numbers suggest.

Checks

About the Password Strength Checker

Password strength comes down to how many guesses an attacker needs. That is driven by two things: length and the size of the character set actually used. Entropy, measured in bits, captures both — each extra bit doubles the search space. A 8-character lowercase password has about 38 bits (crackable in seconds on a GPU rig), while a 16-character mixed password exceeds 100 bits, which is beyond any realistic brute force. Length beats complexity: adding four characters helps far more than swapping an a for an @, a substitution every cracking dictionary already knows.

Everything on this page runs locally — the password is never transmitted, stored or logged, and you can verify that with the network tab of your browser’s dev tools. For real accounts, the practical advice is: use a password manager to generate long random passwords (see our Password Generator), never reuse a password across sites, and turn on multi-factor authentication anywhere it is offered.

What the Scenarios Mean

  • 🌐
    Online attack (10³/s). Guessing against a live login form with rate limiting — slow, and lockout policies usually stop it.
  • 💻
    Offline, single GPU (10¹⁰/s). Attacker has stolen a database of fast hashes (MD5/SHA-1) and cracks them at leisure.
  • 🏭
    Offline, GPU rig (10¹²/s). A dedicated cracking rig or cloud fleet against fast hashes — the worst case that matters.
  • 🐌
    Slow hash (10⁴/s). Sites using bcrypt/argon2 slow every guess dramatically — one reason strong sites survive breaches better.

Frequently Asked Questions

Is it safe to type a real password here?
The check runs entirely in your browser with no network activity, and the page never stores anything. Even so, the cautious habit is to test similar-shaped passwords rather than the exact one guarding your bank.
Why does my “complex” password score poorly?
Patterns like Password1! satisfy complexity rules but appear in every cracking wordlist. The checker penalises common words, sequences, years and keyboard runs because attackers try those first.
What entropy should I aim for?
60+ bits is reasonable for ordinary accounts protected by rate limiting; 80–100+ bits for anything critical (email, password manager master password, domain admin). Four random dictionary words gets you ~50–70 bits and is easy to remember.