Password Strength Checker.
Paste any password to instantly see its entropy, estimated crack time, and a detailed breakdown of what makes it strong or weak — all processed locally in your browser.
Type a password above to see its strength analysis.
Criteria
- At least 8 characters
- At least 12 characters
- Contains uppercase letters (A–Z)
- Contains lowercase letters (a–z)
- Contains numbers (0–9)
- Contains symbols (!@#$…)
Why check your password strength?
Most data breaches exploit weak or reused passwords. A strength checker reveals the exact vulnerabilities in a password — its entropy, missing character types, and estimated time to crack — so you can fix them before an attacker exploits them.
Entropy-based scoring: Measures true cryptographic strength in bits, not just pattern matching — giving you an accurate picture of how hard your password is to crack.
Instant crack time estimate: Translates abstract entropy values into real-world crack times, so you understand the practical risk at a glance.
Fully private: Your password never leaves your browser. There are no server requests, no logging, and no storage of any kind.
How to check your password strength
Type or paste your password: Enter the password you want to check in the input field above.
Read the strength meter: The 5-bar meter and label (Very Weak → Very Strong) give you an instant overview of overall strength.
Check the entropy and crack time: Entropy in bits tells you how many guesses it would take to crack the password; the crack time translates that to a human-readable estimate.
Fix what's missing: Use the criteria checklist to see exactly which character types are absent, then strengthen your password or generate a new one.
Frequently Asked Questions
What is password entropy?
Entropy measures password unpredictability in bits. It is calculated as length × log₂(charset size). A higher number means more possible combinations and a harder-to-crack password. Security experts generally recommend at least 60 bits for everyday accounts.
How is crack time estimated?
The crack time estimate is based on entropy thresholds that correspond to the number of guesses a modern offline attack can attempt per second (typically billions). It is a rough estimate intended to give a practical sense of risk, not a precise prediction.
Is my password sent to a server?
No. All analysis happens entirely in your browser using JavaScript. Your password never leaves your device — there are no network requests, no logging, and no storage.
Why does a long password with only lowercase letters score lower than a shorter mixed password?
Entropy depends on both length and charset size. A lowercase-only password uses a 26-character alphabet, while a mixed password uses up to 90 characters. Adding character types multiplies the search space far more than adding a few extra characters.
What entropy level is considered strong?
Below 28 bits is very weak and crackable instantly. 28–60 bits is weak to fair. 60–128 bits is strong for most purposes. Above 128 bits is considered very strong and resistant to all known attacks.
Does a high score mean my password is safe to use everywhere?
Strength is only one factor. A strong but reused password is still vulnerable if another site is breached. Always use a unique password for every account and consider a password manager to keep track of them.
What should I do if my password is weak?
Use our Password Generator to create a cryptographically secure password with your preferred length and character set. Aim for at least 16 characters with uppercase, lowercase, numbers, and symbols.