Password Checker
Analyze the strength and security of any password instantly.
About This Tool
Check how strong your password is by analyzing length, character variety, common patterns, and entropy. Ideal for developers, security-conscious users, and anyone creating accounts. Runs entirely in your browser — your password never leaves your device.
What you provide
A password string to evaluate
What you get
Strength score, entropy estimate, time-to-crack estimate, and specific improvement suggestions
How to Use
- Type or paste your password into the input field.
- Review the strength meter, entropy score, and estimated crack time.
- Follow the suggestions to improve weak passwords before using them.
How Password Strength Is Actually Measured
Traditional password meters count character classes — uppercase, lowercase, digits, symbols — and assign points accordingly. This approach is easy to game: 'P@ssw0rd!' scores maximum points on most checkers despite appearing in every breach database on the internet. The fundamental problem is that complexity rules measure what a password looks like, not how hard it is to guess. A purely random 8-character string is far stronger than a 12-character string built on a recognisable pattern, even if the latter technically hits all four character classes.
Entropy is the more honest measure. A password's entropy in bits is log2(pool_size^length) — an 8-character password drawn from 95 printable ASCII characters has about 52 bits of entropy, meaning roughly 4.5 quadrillion possible values. But this only holds if the password is truly random. Dictionary words reduce the effective pool to tens of thousands of entries. Substitutions like @ for a or 3 for e are well-known to attackers and encoded in every wordlist used by hashcat.
The zxcvbn approach, developed at Dropbox, addresses this by pattern-matching against common words, names, keyboard walks (qwerty, zxcvbn, 12345), dates, and known substitution patterns before estimating entropy. A password that looks complex but is structurally predictable gets a low score. This produces feedback that matches real-world crackability rather than superficial character diversity — which is why a 4-word passphrase like 'correct-horse-battery-staple' scores higher than 'P@ssw0rd123' despite containing no uppercase or symbols.
Crack Time by Attack Method
| Method | Speed (hashes/sec) | 8-char time | 16-char time |
|---|---|---|---|
| Online attack (rate-limited) | ~1,000 | ~1.4 years at full random | Effectively infinite |
| Offline MD5 (CPU) | ~164,000,000,000 | Seconds to hours | Decades at full entropy |
| Offline bcrypt cost=10 (GPU) | ~1,600,000 | Hours to days | Centuries at full entropy |
| GPU cluster SHA-256 (4x A100) | ~10,000,000,000,000 | Under a second (8-char common) | Centuries at full entropy |
| Dictionary + rules (hashcat) | Varies | Seconds for common patterns | N/A — skips random passwords |
Signs of a Weak Password
- Dictionary words in any language — attackers run wordlists first; 'sunshine' is cracked before a random 6-character string.
- Keyboard patterns (qwerty, zxcvbn, 1qaz2wsx) — these are hardcoded into every serious cracking ruleset.
- Personal information (birthdates, names, pet names, phone numbers) — social engineering and OSINT make these trivial to guess.
- Common leet-speak substitutions (@ for a, 3 for e, 0 for o) — long included in hashcat rule files and provide almost no additional security.
- Predictable capitalisation (first letter uppercase, last character is a digit or !) — password policies trained users into this pattern and attackers know it.
- Sequences or repetitions (123456, aaaaaa, abcabc) — covered by every brute-force tool as first-pass candidates.
Frequently Asked Questions
- How is password strength calculated?
- Strength is determined by evaluating length, character set diversity (lowercase, uppercase, digits, symbols), entropy in bits, and the presence of common patterns like sequential characters or dictionary words. A combination of these factors produces the final score.
- Does this tool store or transmit my password?
- No. All analysis happens locally in your browser using JavaScript. Your password is never sent to any server, stored in any database, or logged anywhere. You can verify this by checking the network tab in your browser's developer tools.
- Is this tool free to use?
- Yes. This tool runs entirely in your browser with no account required. Your data never leaves your device.
- What makes a password strong?
- A strong password is at least 12 characters long and includes a mix of uppercase letters, lowercase letters, numbers, and special symbols. Avoid dictionary words, personal information, and common patterns like '123' or 'qwerty'.
- Does this work on mobile?
- Yes. The tool is fully responsive and works on any device with a modern browser.
Learn More
How Password Strength Is Measured: Entropy, Crack Time, and the zxcvbn Algorithm
Understand how password strength is calculated using entropy bits, GPU crack time estimates, pattern-based analysis, and the zxcvbn scoring algorithm.
5 min read