Done
HomePassword ToolsPassword Strength Checker

πŸ”’ Password Strength Checker

Analyze password strength, entropy, crack time estimation and get security tips β€” 100% private, client-side only.

Enter Password
Enter a password
Checking against common passwords…
Entropy β€”
0 bits 40 bits 80 bits 120+ bits
Analysis
0 Score
⚑ Estimated Crack Time
β€”
Enter a password to see crack time
0
Length
0
Uppercase
0
Lowercase
0
Digits
0
Symbols
0
Unique Chars
0
Char Pool
0
Entropy (bits)
Security Checklist
Scoring Breakdown
History
No passwords checked yet
Patterns to Avoid
❌ Sequential: 123456 , abcdef
❌ Keyboard: qwerty , asdfgh
❌ Repeats: aaaaaa , 111111
❌ Common words: password , admin
❌ Leet speak: p@ssw0rd
❌ Dates: jan2024 , 01/01/90
βœ… Use passphrases: 4+ random words
βœ… Mix case, digits, symbols
βœ… 16+ characters ideal
Privacy
βœ… 100% client-side β€” password never sent to any server
βœ… Analysis runs entirely in your browser

Password Security Guide

What is Entropy?

Password entropy measures how unpredictable a password is in bits. It's calculated as logβ‚‚(pool_size^length). 40+ bits = weak, 60+ bits = fair, 80+ bits = strong, 100+ bits = very strong.

Crack Time Explained

Crack time estimates assume a modern GPU can attempt ~10 billion hashes/second for offline attacks. Online attacks are typically throttled to ~1000/second. Salted hashes (bcrypt, Argon2) are much more resistant.

Passphrases

Four random words (e.g., "correct horse battery staple") can have 44+ bits of entropy and are easier to remember than complex 8-character passwords. Length matters more than complexity.

Best Practices

Use a unique password for every account. Enable 2FA wherever possible. Use a password manager (Bitwarden, 1Password) to generate and store strong passwords. Never reuse passwords.

Why Simple Strength Rules Fail β€” And What Actually Works
The classic "8+ chars, uppercase, number, symbol" rule gives a false sense of security. Here's what a real strength assessment looks at.
PasswordPasses typical rules?Actual crack time (GPU)Why
P@ssw0rd1!YesUnder 1 secondIt's in every wordlist. Pattern substitution (a→@, o→0) is hardcoded into crack tools.
Tr0ub4dor&3YesDecadesRandom words + substitution; harder than it looks, but not as good as truly random.
correct horse battery stapleNo (no uppercase/symbol)Hundreds of years4 random common words = ~44 bits of entropy from an attacker guessing word combinations.
aB3#aB3#aB3#YesMinutesRepeating pattern. Pattern detection scores this much lower than naive length Γ— character-set math.
mY p@$$w0rd IS my d0g's n@me fluffyYesYears (but guessable if dog known)Entropy is good but it's personally guessable. Targeted attacks beat random brute force.
28 random chars (a–z, A–Z, 0–9, symbols)YesHeat death of the universe~184 bits of entropy. No wordlist, no pattern.
What Goes Into a Real Entropy Estimate
Naive entropy = log2(charset size) Γ— length. Real entropy accounts for what an attacker knows about how humans choose passwords.
Dictionary attacks are the primary threat

Offline cracking tools like Hashcat don't start with random character combinations. They start with wordlists β€” billions of leaked real passwords, dictionary words, names, dates, keyboard patterns β€” and apply mutation rules (append numbers, substitute symbols, capitalise first letter). If your password was constructed by a human without a generator, it's likely to have structure that appears in these rules.

zxcvbn β€” a better algorithm than rules

Dropbox's open-source zxcvbn library estimates crack time using pattern matching against real wordlists rather than character-class rules. It recognises that P@ssw0rd is weak regardless of its character mix, and that a 4-word random phrase is strong. NIST 800-63B explicitly endorses this type of approach over complexity rules.

Entropy bits explained simply

If a password has 40 bits of entropy, an attacker who knows exactly your method (e.g., "random characters from lowercase + digits") needs on average 239 β‰ˆ 550 billion guesses to find it. At 1 trillion guesses/second (current GPU performance), that's about 9 minutes. At 60 bits, it's 36,000 years at the same rate.

Context matters: online vs offline attack

An online attack against a login form is rate-limited to maybe 10–100 guesses per second by server-side throttling. An offline attack against a leaked hash database runs at GPU speeds. A password strong enough for an online form (30 bits) is trivially cracked if the hash leaks. Design for the worst case: offline cracking.

Personal information is always guessable

Targeted attacks β€” against a specific person β€” use name, birthday, pet names, sports teams, address, alma mater. Automated tools now scrape social media to personalise their wordlists. No amount of complexity rules saves a password like London2012! when an attacker knows you're British and love football.

The checker sees the structure, not the secret

Strength checkers (including this one) never send your password anywhere. Everything runs locally in your browser. The feedback is based on pattern analysis of the password's structure β€” same analysis a cracking tool would do β€” not on checking against a specific leaked database. For breach checking, this tool uses the HaveIBeenPwned k-anonymity API which only sends a 5-character hash prefix, not the password.

Related Tools
Other free security and hashing tools on IndexCraft.
🔒SHA Hash Generator

SHA-1, SHA-256, SHA-512 with file support.

 🧬Hash Generator

MD5, SHA-1, SHA-256, SHA-384, SHA-512 side by side.

 🔑HMAC Generator

Sign messages with a secret key using HMAC.

 📝MD5 Generator

Fast MD5 checksums for files and strings.

 🔄Password Generator

Cryptographically random passwords and passphrases.

 📊Password Strength Checker

Entropy score, crack time, and HaveIBeenPwned check.

 🧵Bcrypt Explainer

Decode bcrypt hashes and understand cost factors.
Questions About Password Security
Only if it runs locally. This tool does β€” all analysis runs in your browser with no network calls for the strength check itself. That said, as a general rule: be cautious about typing production passwords anywhere except their actual login page. A well-intentioned tool that gets compromised (or a phishing clone of one) would silently harvest entered passwords. If you're paranoid, test with a password of similar structure β€” same length, same character mix β€” rather than the real one.
It's the estimated time to crack the password in an offline attack, assuming the attacker knows your password generation method (worst case) and has access to a modern GPU rig running at roughly 10–100 billion guesses per second depending on the hashing algorithm used. The number is an order-of-magnitude estimate, not a precise figure. "Centuries" means practically immune to brute force; "minutes" means the password is predictable enough to appear in a wordlist or rule mutation set.
NIST 800-63B recommends a minimum of 8 characters but notes that longer is better and allows up to 64 characters. For any account you care about β€” email, banking, password manager master password β€” a minimum of 16 random characters or 6 random words. For the master password of your password manager specifically, use 20+ characters or 7+ words and memorise it. That's the one password a key logger on your system would capture.
Strength scores measure how hard a password is to guess by brute force β€” they don't know your password has been exposed. A password that scored "very strong" in 2015 but was stored in plain text (or badly hashed) by a service that was breached is now worthless regardless of its theoretical strength. The HaveIBeenPwned check in this tool addresses this by checking the actual password against a database of over 800 million real compromised passwords. A strong password that appears in that database should be changed immediately.