ToolHub

Password Strength Checker

Entropy, crack-time estimate, and weakness detection

Checked entirely in your browser. Your password is never sent, stored, or logged anywhere.

Overview

What this tool measures

The password strength checker estimates how hard your password would be to crack. It calculates entropy (the real measure of password strength), estimates crack time against a realistic offline attack, checks the character composition, and flags specific weaknesses like common passwords, keyboard patterns, and sequences. Everything runs in your browser — your password is never sent anywhere.

Your password never leaves your device

This is the most important thing to understand: the entire analysis is JavaScript running locally in your browser. There is no network request when you type. You can verify this yourself by opening your browser's developer tools, switching to the Network tab, and watching — nothing is transmitted. Never trust a password checker that doesn't make this guarantee.

The real metric

What is password entropy?

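Entropy measures unpredictability, in bits. It's calculated from two things: the size of the character pool you drew from, and the length of the password. The formula assumes every character is picked independently and at random, so for a patterned or human-chosen password the result is an upper bound, which is why the weakness checks described further down matter as much as the number.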

entropy = length × log2(pool size)

Each bit of entropy doubles the number of guesses an attacker needs. A few rough benchmarks:

  • Under 28 bits: very weak — cracked instantly
  • 28-40 bits: weak — minutes to hours
  • 40-60 bits: fair — days to years
  • 60-80 bits: strong — centuries
  • 80+ bits: very strong — effectively uncrackable by brute force

The counterintuitive truth

Why length beats complexity

The classic advice — "use a symbol, a number, an uppercase letter" — is less important than people think. Length matters far more.

Consider two passwords:

  • P@ss1! — 6 characters, all four types, ~39 bits of entropy. Cracked in minutes.
  • correct horse battery staple — 28 characters of lowercase words, ~100+ bits. Effectively uncrackable.

Each additional character multiplies the possibilities by the pool size. Adding length compounds much faster than adding one symbol. This is why passphrases — several random words strung together — are both stronger and easier to remember than short complex passwords.

The passphrase method

Pick 4-5 random, unrelated words. "violet-anchor-galaxy-pretzel" is far stronger than "Tr0ub4dor&3" and much easier to type and remember. Length is your friend.

The attack model

How crack time is estimated

The estimate assumes an offline attack: an attacker has stolen a database of password hashes and is trying to reverse them on their own hardware. We assume 10 billion guesses per second, a realistic rate for a modern GPU against a fast hash like unsalted SHA-1 or MD5.

The time shown is roughly how long it takes to try half the possible combinations (the average case for finding a specific password). For online attacks (guessing against a live login), rate limiting makes cracking vastly slower — but you should always assume the offline scenario, because data breaches happen constantly.
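The entropy formula, the five strength bands and the crack-time model described above, worked through as an added example (this is not the tool's own code). The character-class sizes, including a 33-character symbol class that counts the space, and all function names are assumptions.

```javascript
const GUESSES_PER_SECOND = 1e10; // the page's assumed offline-attack rate

// Assumed class sizes (printable ASCII; the symbol class includes space).
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 },
];

// Pool = sum of the sizes of every character class the password uses.
function poolSize(password) {
  return CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
}

// entropy = length × log2(pool size); an upper bound unless characters are random.
function entropyBits(password) {
  const pool = poolSize(password);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Average case: the attacker finds the password after trying half the keyspace.
function crackSeconds(bits) {
  return Math.pow(2, bits - 1) / GUESSES_PER_SECOND;
}

// The five strength bands listed on the page.
function rating(bits) {
  if (bits < 28) return "very weak";
  if (bits < 40) return "weak";
  if (bits < 60) return "fair";
  if (bits < 80) return "strong";
  return "very strong";
}

function humanTime(seconds) {
  const units = [["year", 31557600], ["day", 86400], ["hour", 3600], ["minute", 60]];
  for (const [name, len] of units) {
    if (seconds >= len) return `${(seconds / len).toPrecision(3)} ${name}s`;
  }
  return seconds < 1 ? "under a second" : `${Math.round(seconds)} seconds`;
}

function analyze(password) {
  const bits = entropyBits(password);
  return { bits: Math.round(bits), rating: rating(bits), crackTime: humanTime(crackSeconds(bits)) };
}

console.log(analyze("P@ss1!"), analyze("correct horse battery staple"));
```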

The patterns we flag

What makes a password weak

Common passwords

'password', '123456', 'qwerty' and their variants appear in every breach. Attackers try these first.

Dictionary words

A single word, even a long one, falls to a dictionary attack quickly. Combine several unrelated words instead.

Keyboard patterns

'qwerty', 'asdf', '1qaz2wsx' look random but are among the first things cracking tools try.

Sequences

'abc', '123', '789' are trivially predictable. Cracking tools generate these automatically.

Repeated characters

'aaa', '1111' add length without adding real unpredictability.

Personal info

Birth years, names, and 'Spring2024!' style patterns are guessable from public information.
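One way to implement the pattern checks listed above, as an added example rather than the tool's own code. The word list, keyboard walks, substitution table, run lengths and function names are all constructed for illustration.

```javascript
// Constructed lists for illustration; real checkers load thousands of leaked passwords.
const COMMON = new Set(["password", "123456", "qwerty"]);
const KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1qaz2wsx"];
const LEET = { "@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i" };

// Catch variants: lowercase, drop trailing digits/symbols, undo common substitutions.
function normalize(pw) {
  const lower = pw.toLowerCase();
  if (COMMON.has(lower)) return lower;
  return lower.replace(/[^a-z]+$/, "").replace(/[^a-z]/g, (c) => LEET[c] || c);
}

// True if any run of minRun adjacent keys (either direction) appears in the password.
function hasKeyboardPattern(pw, minRun = 4) {
  const s = pw.toLowerCase();
  return KEYBOARD_WALKS.some((walk) => {
    const rev = [...walk].reverse().join("");
    for (let i = 0; i + minRun <= walk.length; i++) {
      if (s.includes(walk.slice(i, i + minRun)) || s.includes(rev.slice(i, i + minRun))) return true;
    }
    return false;
  });
}

// True for ascending or descending alphanumeric runs such as "abc", "123" or "987".
function hasSequence(pw, minRun = 3) {
  const s = pw.toLowerCase();
  const alnum = /[a-z0-9]/;
  for (const step of [1, -1]) {
    let run = 1;
    for (let i = 1; i < s.length; i++) {
      const linked = alnum.test(s[i]) && alnum.test(s[i - 1]) &&
        s.charCodeAt(i) - s.charCodeAt(i - 1) === step;
      run = linked ? run + 1 : 1;
      if (run >= minRun) return true;
    }
  }
  return false;
}

function findWeaknesses(pw) {
  const flags = [];
  if (COMMON.has(normalize(pw))) flags.push("common password");
  if (hasKeyboardPattern(pw)) flags.push("keyboard pattern");
  if (hasSequence(pw)) flags.push("sequence");
  if (/(.)\1\1/.test(pw)) flags.push("repeated characters");
  if (/(19|20)\d\d/.test(pw)) flags.push("year");
  return flags;
}
```

A password that returns an empty list here can still be weak: a single dictionary word passes every check above unless a word list is added.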

Practical advice

How to build a strong password

  • Use at least 12 characters — 16 or more is much better
  • Prefer a passphrase of random words over a short complex string
  • Make every account's password unique — reuse is the biggest real-world risk
  • Use a password manager to generate and store long random passwords
  • Turn on two-factor authentication (2FA) wherever possible — it protects you even if a password leaks
  • Never reuse your email password anywhere else

Common questions

Is it safe to type my real password here?

Yes — but a healthy habit is to never type a real password into any website you don't fully trust. This tool runs entirely in your browser with zero network requests, which you can verify in developer tools. If you're cautious, test a password with the same length and character pattern rather than the exact one.

How long should my password be?

At least 12 characters; 16+ for important accounts (email, banking, password manager). For a passphrase, aim for 4-5 random words. Length is the most reliable lever for strength.

Are special characters required?

They help by enlarging the character pool, but they matter less than length. A long passphrase without symbols can be far stronger than a short password with them. Add symbols if the site requires them, but don't rely on them as your main defense.

What is two-factor authentication?

A second proof of identity beyond your password — a code from an app, a hardware key, or a biometric. Even if your password leaks, an attacker can't log in without the second factor. Turn it on for every important account.

Should I change passwords regularly?

Modern guidance (including NIST) says no — forced periodic changes lead people to weak, predictable patterns. Instead, use a strong unique password per site and only change it if there's a known breach. A password manager makes this effortless.

What's the safest way to store passwords?

A reputable password manager (Bitwarden, 1Password, KeePass). It generates long random unique passwords, stores them encrypted, and fills them automatically. You only memorize one strong master password. Never store passwords in a plain text file or reuse them across sites.

Quick steps

1. Type a password

The analysis updates live as you type. Toggle the eye icon to show or hide what you've entered.

2. Read the strength meter

Five segments from very weak to very strong, based on entropy (the real measure of password strength).

3. Fix the weaknesses

The tool flags common patterns, leaked passwords, and missing character types, then suggests specific improvements.

Frequently asked questions

Is it safe to type my real password here?

Yes. The entire analysis runs in your browser using JavaScript. Your password is never sent over the network, never stored, and never logged. You can confirm this by checking the Network tab in your browser's developer tools — there are zero requests when you type.

What is password entropy?

Entropy measures unpredictability in bits. It's calculated from the character pool size and length: a longer password using more character types has higher entropy. Each additional bit doubles the number of guesses needed. 60+ bits is strong; 80+ is very strong.

How is crack time estimated?

We assume an offline attack against a stolen password database at 10 billion guesses per second — a realistic rate for modern GPUs against fast hashes. The time shown is roughly how long it would take to try half the possible combinations.

Why does length matter more than complexity?

Each extra character multiplies the number of possibilities far more than swapping a letter for a symbol. A 16-character lowercase passphrase is stronger than an 8-character password with symbols. Aim for length first.

What makes a password weak?

Common passwords (password, 123456), dictionary words, keyboard patterns (qwerty), sequential characters (abc, 123), repeated characters, and personal info like years or names. The tool detects all of these and penalizes the score.

Should I use a password manager?

Yes. The strongest approach is a password manager that generates and stores long, random, unique passwords for every site. Then you only memorize one strong master password. Reusing passwords is the single biggest real-world risk.