Helpful Toolbox

Password Strength Checker

Type a password to see its entropy in bits, a very-weak-to-very-strong rating, estimated crack times for online and offline attacks, and concrete tips to make it stronger. Everything runs locally in your browser โ€” your password never leaves this page.

๐Ÿ“– How it works & FAQ

How password entropy works

This checker rates passwords the way security engineers do: by entropy. It looks at which character types you use — lowercase (26), uppercase (26), digits (10), and symbols (33 by default, editable above) — adds them into a pool, then computes bits of entropy as length × log₂(pool size). A password drawn from a pool of 62 characters gains about 5.95 bits per character, so length matters far more than any single clever substitution. The rating bands follow common guidance: under 28 bits is very weak, 28–35 weak, 36–59 fair, 60–127 strong, and 128+ very strong.

Crack time estimates you can tune

Crack time is the average case: half the total keyspace (2 to the power of entropy, divided by two) divided by guesses per second. Both attack rates are editable. The default online rate of 1,000 guesses/sec models an attacker hammering a login form; the offline rate of 10 billion guesses/sec models someone who stole a database of fast hashes and is running GPUs against it. Raise or lower either number to match your threat model. These are mathematical estimates — real attackers use wordlists and patterns, so a "strong" password built from a famous quote can fall much faster than the math implies. The tips list flags common words, sequences, and repeats for exactly that reason.

How to use it

  1. Type or paste a password into the field. Results update live as you type.
  2. Switch Display to Visible if you want to see what you typed.
  3. Adjust the symbol pool size or attack rates if your threat model differs from the defaults.
  4. Read the entropy, rating, and crack times, then apply the improvement tips until you reach Strong or better.

FAQ

Is my password sent to a server?
No. Every calculation runs in JavaScript inside your browser. Nothing is transmitted, logged, or stored — you can even load the page and then go offline before typing.
Why does adding one character help so much?
Each character multiplies the keyspace by the pool size. Going from 10 to 14 characters in a 62-character pool multiplies the attacker's work by roughly 14.8 million.
My password rates Strong — is it definitely safe?
Entropy assumes randomness. If your password is a dictionary word, a date, or reused from another site, it is weaker than its score. Unique, random, and long beats clever every time.
What should I actually use?
A password manager generating 16+ random characters per site, or a passphrase of four to five random words, plus two-factor authentication wherever it's offered.