Toolerax logoToolerax

Password Strength Checker

Entropy, crack time & weakness checks.

100% private — runs in your browser, nothing is uploaded.

Checked 100% locally — the password is never transmitted, logged or stored. Crack times are order-of-magnitude estimates assuming the attacker must brute-force.

How to use the Password Strength Checker

  1. 1
    Type a password

    Analysis runs locally — nothing is sent anywhere.

  2. 2
    Read the verdict

    Strength score, entropy bits and the meter update live.

  3. 3
    Check the crack times

    See both online and offline attack estimates.

  4. 4
    Fix the gaps

    The checklist shows exactly what the password is missing.

Examples

InputOutput
password123Very weak — common password
T7#kPz!qL2mW9$vXVery strong — centuries offline

Test password strength — without sending it anywhere

This password strength checker estimates how resistant a password is to real attacks: it computes entropy from length and character variety, flags common passwords, repeated characters and keyboard sequences, and translates the math into crack-time estimates for both a throttled online attacker and an offline GPU rig. Everything runs locally in your browser.

Length beats cleverness

Substituting @ for a is in every attacker's rulebook, but every extra character multiplies the search space by the whole alphabet size. That's why the checker weighs length heavily and why a four-word passphrase outperforms a short symbol-studded string. The two crack-time cards make the difference tangible — a password that survives an online attack for years can still fall to an offline attack in minutes.

From checking to fixing

The checklist shows exactly which ingredient is missing. When the verdict is weak, don't patch the old password — replace it: the password generator creates strong random ones, and our guide on creating strong passwordsexplains the passphrase approach. Use a unique password per site — a breach of one service shouldn't unlock the rest of your life.

Frequently Asked Questions

Is it safe to type my password into this checker?

Yes — the analysis runs entirely in your browser with JavaScript. The password is never transmitted, logged or stored. You can even load the page and disconnect from the internet before typing. Still, testing a similar password rather than your exact one is a reasonable habit.

What makes a password strong?

Length first, then variety. Each extra character multiplies the search space far more than adding a symbol does. A 16-character phrase of random words beats an 8-character P@ssw0rd!-style string easily.

What is password entropy?

A measure of unpredictability in bits: length × log2(alphabet size) for random passwords. Every added bit doubles the guesses an attacker needs. Around 60+ bits is a practical 'strong' threshold against offline attacks.

Why are there two crack-time estimates?

An online attacker guessing through a login form is throttled to perhaps thousands of tries per second; an offline attacker with a stolen password database and GPUs manages billions. The offline number is the one that should worry you.

Are the crack times exact?

No — they're order-of-magnitude estimates assuming brute force. Real attackers try dictionaries and known leaks first, which is why the checker heavily penalizes common passwords and keyboard sequences regardless of length.

What should I do if my password rates weak?

Generate a new one with our password generator (or use a password manager), make it 16+ random characters or a multi-word passphrase, and never reuse it across sites.

From the blogHow Password Strength Is MeasuredWhat entropy bits mean, why length beats symbols, how online and offline attacks differ by a factor of ten million, and why P@ssw0rd! fools no one.Read the full guide

Related tools