Password Strength Checker
Entropy, crack time & weakness checks.
100% private — runs in your browser, nothing is uploaded.
Checked 100% locally — the password is never transmitted, logged or stored. Crack times are order-of-magnitude estimates assuming the attacker must brute-force.
How to use the Password Strength Checker
- 1Type a password
Analysis runs locally — nothing is sent anywhere.
- 2Read the verdict
Strength score, entropy bits and the meter update live.
- 3Check the crack times
See both online and offline attack estimates.
- 4Fix the gaps
The checklist shows exactly what the password is missing.
Examples
| Input | Output |
|---|---|
password123 | Very weak — common password |
T7#kPz!qL2mW9$vX | Very strong — centuries offline |
Test password strength — without sending it anywhere
This password strength checker estimates how resistant a password is to real attacks: it computes entropy from length and character variety, flags common passwords, repeated characters and keyboard sequences, and translates the math into crack-time estimates for both a throttled online attacker and an offline GPU rig. Everything runs locally in your browser.
Length beats cleverness
Substituting @ for a is in every attacker's rulebook, but every extra character multiplies the search space by the whole alphabet size. That's why the checker weighs length heavily and why a four-word passphrase outperforms a short symbol-studded string. The two crack-time cards make the difference tangible — a password that survives an online attack for years can still fall to an offline attack in minutes.
From checking to fixing
The checklist shows exactly which ingredient is missing. When the verdict is weak, don't patch the old password — replace it: the password generator creates strong random ones, and our guide on creating strong passwordsexplains the passphrase approach. Use a unique password per site — a breach of one service shouldn't unlock the rest of your life.
Frequently Asked Questions
Is it safe to type my password into this checker?
Yes — the analysis runs entirely in your browser with JavaScript. The password is never transmitted, logged or stored. You can even load the page and disconnect from the internet before typing. Still, testing a similar password rather than your exact one is a reasonable habit.
What makes a password strong?
Length first, then variety. Each extra character multiplies the search space far more than adding a symbol does. A 16-character phrase of random words beats an 8-character P@ssw0rd!-style string easily.
What is password entropy?
A measure of unpredictability in bits: length × log2(alphabet size) for random passwords. Every added bit doubles the guesses an attacker needs. Around 60+ bits is a practical 'strong' threshold against offline attacks.
Why are there two crack-time estimates?
An online attacker guessing through a login form is throttled to perhaps thousands of tries per second; an offline attacker with a stolen password database and GPUs manages billions. The offline number is the one that should worry you.
Are the crack times exact?
No — they're order-of-magnitude estimates assuming brute force. Real attackers try dictionaries and known leaks first, which is why the checker heavily penalizes common passwords and keyboard sequences regardless of length.
What should I do if my password rates weak?
Generate a new one with our password generator (or use a password manager), make it 16+ random characters or a multi-word passphrase, and never reuse it across sites.