Password Strength Checker
Type a password to see its entropy in bits, a very-weak-to-very-strong rating, estimated crack times for online and offline attacks, and concrete tips to make it stronger. Everything runs locally in your browser โ your password never leaves this page.
๐ How it works & FAQHow password entropy works
This checker rates passwords the way security engineers do: by entropy. It looks at which character types you use — lowercase (26), uppercase (26), digits (10), and symbols (33 by default, editable above) — adds them into a pool, then computes bits of entropy as length × log₂(pool size). A password drawn from a pool of 62 characters gains about 5.95 bits per character, so length matters far more than any single clever substitution. The rating bands follow common guidance: under 28 bits is very weak, 28–35 weak, 36–59 fair, 60–127 strong, and 128+ very strong.
Crack time estimates you can tune
Crack time is the average case: half the total keyspace (2 to the power of entropy, divided by two) divided by guesses per second. Both attack rates are editable. The default online rate of 1,000 guesses/sec models an attacker hammering a login form; the offline rate of 10 billion guesses/sec models someone who stole a database of fast hashes and is running GPUs against it. Raise or lower either number to match your threat model. These are mathematical estimates — real attackers use wordlists and patterns, so a "strong" password built from a famous quote can fall much faster than the math implies. The tips list flags common words, sequences, and repeats for exactly that reason.
How to use it
- Type or paste a password into the field. Results update live as you type.
- Switch Display to Visible if you want to see what you typed.
- Adjust the symbol pool size or attack rates if your threat model differs from the defaults.
- Read the entropy, rating, and crack times, then apply the improvement tips until you reach Strong or better.
FAQ
- Is my password sent to a server?
- No. Every calculation runs in JavaScript inside your browser. Nothing is transmitted, logged, or stored — you can even load the page and then go offline before typing.
- Why does adding one character help so much?
- Each character multiplies the keyspace by the pool size. Going from 10 to 14 characters in a 62-character pool multiplies the attacker's work by roughly 14.8 million.
- My password rates Strong — is it definitely safe?
- Entropy assumes randomness. If your password is a dictionary word, a date, or reused from another site, it is weaker than its score. Unique, random, and long beats clever every time.
- What should I actually use?
- A password manager generating 16+ random characters per site, or a passphrase of four to five random words, plus two-factor authentication wherever it's offered.