Password Strength Checker
Test how strong a password is. See its estimated entropy, a Weak to Strong rating, specific ways to improve it, and a rough time-to-crack. Everything runs in your browser, so the password is never sent or stored.
About the Password Strength Checker
The Password Strength Checker estimates how hard a password is to guess. It measures the password's length and the size of the character pool it uses, calculates the entropy in bits, and maps that to a Weak, Fair, Good, or Strong rating. It also lists specific ways to make the password stronger and shows a rough time to crack under different attack speeds. Every check runs in your browser with plain JavaScript, so the password is never sent to a server, saved, or logged.
How it works
- Type a password into the input. Use the eye button to show or hide what you typed.
- Watch the colored bar and rating update as you type, along with the entropy in bits and the character pool size.
- Read the time-to-crack estimates for online and offline attack speeds to gauge real-world risk.
- Follow the suggestions to fix weak spots, such as adding length, more character types, or removing common patterns.
Features
- Entropy estimate in bits, based on password length and the character pool used.
- Weak, Fair, Good, and Strong rating with a colored meter.
- Specific feedback: add length, add uppercase, add numbers, add symbols, and avoid common patterns or repeats.
- Time-to-crack estimates for throttled online, fast online, and offline hash attacks.
- Show and hide toggle, with all checks running in your browser and nothing sent anywhere.
Frequently asked questions
Is my password sent or stored anywhere?
No. The password stays in your browser. Every check runs locally in JavaScript, and nothing is uploaded, saved, or logged. You can confirm this by watching the Network tab in your browser while you type.
How is the strength calculated?
The tool counts the password length and the size of the character pool it draws from (lowercase, uppercase, numbers, and symbols). It computes entropy as length times the base-2 logarithm of the pool size, then maps the bits to a rating. Common passwords are flagged as weak regardless of entropy.
What does the time to crack mean?
It is a rough estimate of how long an attacker would need to guess the password by brute force at a given speed. It assumes the average case of searching half the keyspace and shows several speeds, from throttled online attempts to fast offline hash cracking.
Why is my long password still rated low?
Length alone is not enough. A password that is a common word, uses only one character type, repeats a character many times, or contains a keyboard run like qwerty has low entropy and is easy to guess. Mixing character types and avoiding predictable patterns raises the rating.
Should I type my real password here?
Because the tool runs entirely in your browser and sends nothing, testing a password here is safe. If you prefer, test a password built the same way as your real one to gauge the rating without entering the exact value.