Password strength checker
Type a password, see entropy, score, estimated cracking time, and what to fix — privately, in your browser.
Type a password above. The check happens live as you type.
How real password strength is measured
Strength is measured in entropy — how many bits of unpredictable information the password contains. A password with 60+ bits of entropy is computationally infeasible to crack in any reasonable timeframe; a 30-bit password falls in seconds on a modern GPU.
Charset alone doesn't make a strong password. “Tr0ub4dor&3” uses every character class — upper, lower, digit, symbol — and still has only ~28 bits of practical entropy because the substitutions follow predictable patterns. Length matters more than complexity. Four random common words (“correct horse battery staple”) clear 44 bits of entropy and are easier for humans to remember.
Why “cracking time” estimates vary so much
Three different attack scenarios in the table above:
- Online attack (1k guesses/sec) — guessing against a live login form. Realistically much slower because servers rate-limit, often to 5 guesses/min.
- Single GPU offline (10 billion guesses/sec) — attacker has the password hash (from a breach) and is brute-forcing on a high-end consumer GPU. The most relevant scenario for evaluating real-world password strength.
- Datacenter (10 trillion guesses/sec) — nation-state or organized crime with thousands of GPUs. Rare for individual targets; relevant for protecting critical infrastructure or high-value financial accounts.
How to actually create a strong password
- Use a password manager. 1Password, Bitwarden, KeePass — pick one and let it generate 20+ character random passwords for every account. You only need to remember the master.
- For passwords you must memorize (the manager itself, your laptop login), use 4-5 random words strung together. “chair-comet-velvet-margin” beats “P@ssw0rd!”.
- Enable two-factor authentication everywhere it's offered. Even a weak password becomes hard to abuse when paired with a TOTP token.
- Never reuse passwords across accounts. One breach becomes every-account breach.
FAQ
Is it actually safe to type my password into this tool?
Yes — and you can verify by viewing the page source. There's no fetch() call, no XHR, no service worker. The entire calculation runs in JavaScript in your browser. We say so because most 'secure password checker' sites online claim privacy and many of them lie.
What's the minimum length you should use?
12 characters for general-use accounts (email, social, work logins). 16+ for sensitive accounts (banking, password manager master). 20+ for crypto wallets or anything where a breach is unrecoverable.
Why does the tool warn about all-numeric passwords?
PINs and number-only passwords have only 10 possible characters per position, so they have far less entropy than the same length with mixed characters. A 16-digit number has about 53 bits of entropy; a 16-character mixed password has 105. PINs are fine for low-stakes contexts (phone unlock with a wipe-after-N-attempts policy) but bad for anything else.
What if I use the same password but add 1 / 2 / 3 to the end?
Catastrophically bad practice. Once one is breached, attackers automatically try variants. Use unique passwords per account — let your password manager handle it.
Why is 'password123' weak even though it has 11 characters?
It's in every common-password list ever published. Attackers try those first, in milliseconds. Adding numbers to the end doesn't help — the pattern is too well-known. Avoid words from any common list, even with substitutions.
Will my password be saved?
No. We don't log it, don't store it, and never send it anywhere. The entire check runs in your browser.
Get the full Web Design Service workspace.
Want this monitored daily across all your projects? Sign up free.