BrowserTools

Password Strength Checker

Test how strong a password is: entropy, estimated crack time and a clear checklist, all checked locally in your browser.

A password strength checker estimates how hard a password would be to guess. This one measures the password's entropy in bits, converts that into an estimated time for an offline attacker to crack it, and shows a plain checklist of what is good and what is missing. It updates as you type and runs entirely in your browser, so the password you test is never transmitted or stored anywhere.

Frequently asked questions

Is my password sent anywhere?
No. The entire analysis runs locally in your browser with JavaScript. Your password is never transmitted, logged or stored, which is exactly why a strength checker should run client-side. You can disconnect from the internet and it still works.
What does 'entropy in bits' mean?
Entropy measures how many guesses an attacker would need on average. Each extra bit doubles that number. It is calculated as the password length multiplied by the log base 2 of the character-set size. As a rough guide, under 28 bits is very weak, around 60 bits is reasonable, and 80 bits or more is strong against offline attacks.
Why is a long passphrase often stronger than a complex short password?
Because length contributes to entropy more reliably than special characters. Four or five random words can exceed 60 bits of entropy while remaining easy to remember, whereas a short 'P@ss1' is both low-entropy and hard to recall. Length is the single biggest lever you control.
How is the crack time estimated?
It assumes an offline attacker trying about ten billion guesses per second against a fast hash, then divides the number of possible combinations by that rate. It is an order-of-magnitude estimate. A slow password hash (bcrypt, scrypt, Argon2) makes real attacks dramatically slower, and online services usually rate-limit guesses.
The checker says my password is strong. Is it safe to reuse?
No. Strength only protects against guessing. If you reuse a password and any one site is breached, attackers will try that same password everywhere (credential stuffing). Use a unique password for every account, regardless of how strong each one is.
Why are sequences and repeats penalised?
Attackers do not guess randomly; they try dictionaries, keyboard patterns and predictable substitutions first. 'abc123' or 'aaa' have far less real-world strength than their raw character count suggests, so the checker lowers their score to reflect how an attacker would actually approach them.

About Password Strength Checker

Strength is mostly about entropy, not about ticking boxes. Entropy is calculated from the length of the password and the size of the character set it draws on (lowercase adds 26 possibilities per character, uppercase another 26, digits 10, symbols roughly 33). Longer beats more complex: a long passphrase of ordinary words usually has more entropy, and is far easier to remember, than a short string of random symbols. The checker also penalises weaknesses that raw entropy misses, such as being a known common password, containing a straight sequence like 'abc' or '123', or repeating the same character three or more times.

The crack-time estimate assumes a realistic offline attack of about ten billion guesses per second against a fast hash. That is a useful yardstick, but treat it as an order of magnitude rather than a promise: a slow hash like bcrypt makes attacks far slower, while a leaked plaintext database makes any password worthless. The strongest single habit is a long, unique password per site, ideally generated and stored by a password manager.
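
The entropy formula, the crack-time division and the three weakness checks described in the two paragraphs above can be sketched as follows. This is an added example, not the checker's own source: the function names, the four-entry common-password list and the reading of "repeats" as consecutive characters are assumptions, and because the page does not say how much each weakness lowers the score, the sketch only reports which weaknesses it found.

```javascript
// Added example, not the checker's own source.
const GUESSES_PER_SECOND = 1e10; // fast-hash offline rate stated on the page
// Constructed sample list (assumption); a real list holds many more entries.
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein"]);

// Pool sizes from the page: lowercase 26, uppercase 26, digits 10, symbols ~33.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // spaces and non-ASCII count here
  return size;
}

// Entropy = length * log2(character-set size).
function entropyBits(pw) {
  const size = charsetSize(pw);
  return size === 0 ? 0 : pw.length * Math.log2(size);
}

// Three letters or three digits that ascend by one, e.g. 'abc' or '123'.
function hasSequence(pw) {
  const s = pw.toLowerCase();
  for (let i = 0; i + 2 < s.length; i++) {
    const tri = s.slice(i, i + 3);
    if (!/^([a-z]{3}|[0-9]{3})$/.test(tri)) continue;
    const [a, b, c] = [0, 1, 2].map((k) => tri.charCodeAt(k));
    if (b === a + 1 && c === b + 1) return true;
  }
  return false;
}

function analyze(pw) {
  const bits = entropyBits(pw);
  const weaknesses = [];
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) weaknesses.push("common");
  if (hasSequence(pw)) weaknesses.push("sequence");
  // Same character three or more times, read as consecutive (assumption).
  if (/(.)\1\1/.test(pw)) weaknesses.push("repeat");
  // Combinations divided by guess rate: an order-of-magnitude figure only.
  return { bits, crackSeconds: Math.pow(2, bits) / GUESSES_PER_SECOND, weaknesses };
}

for (const pw of ["P@ss1", "abc123", "correct horse battery staple"]) {
  const r = analyze(pw);
  console.log(pw, r.bits.toFixed(1), r.crackSeconds.toExponential(1), r.weaknesses);
}
```

The per-character formula treats every character as an independent random choice, so for passwords built from words or patterns it is an upper bound; the weakness flags exist to catch the cases where that bound is most misleading.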

The password advice that changed

For years official guidance pushed complexity rules: at least one uppercase letter, one digit, one symbol, and a forced change every 90 days. In 2017 the US National Institute of Standards and Technology (NIST) reversed much of that in its Special Publication 800-63B. The research showed that forced complexity nudged people toward predictable patterns like 'Password1!' and that scheduled expiry made them pick weaker, incrementing variants.

The modern recommendation is simpler: favour length, allow long passphrases and spaces, screen new passwords against lists of known-breached ones, and stop forcing routine changes unless there is evidence of compromise. The famous xkcd comic 'correct horse battery staple' captured the idea years earlier: four random common words are easy for a human to remember and hard for a computer to guess, which is the whole game.
