Password Strength Checker
Analyze your password's strength — entropy score, crack time estimate, and specific improvement tips. Your password never leaves your browser.
About the Password Strength Checker
This tool analyzes a password's strength by computing its entropy — a measure of unpredictability in bits. Entropy is calculated as log₂(poolSize^length), where pool size is the number of unique characters in the character classes used. A 12-character password using all four character classes (lower, upper, digits, symbols) has a pool of ~94 characters and approximately 79 bits of entropy.
The crack time estimate assumes an offline brute-force attack at 10 billion hashes per second — a realistic figure for a GPU cluster attacking a fast hash. Against bcrypt or Argon2 with proper parameters, actual crack times would be millions of times longer. The estimate here represents the worst-case scenario: a leaked fast hash.
Your password is analyzed entirely in your browser using JavaScript. It is never stored, logged, or transmitted. As a rule of thumb: aim for at least 12 characters with mixed character classes, or use a passphrase of 4+ random words (e.g., correct-horse-battery-staple) for something both strong and memorable.
Frequently Asked Questions
What is password entropy?
Entropy (measured in bits) quantifies how unpredictable a password is. Each additional bit doubles the number of guesses required. 40 bits = ~1 trillion combinations; 60 bits = ~1 quintillion. A good password should have at least 60–80 bits of entropy.
Why does length matter more than complexity?
Adding one character multiplies the search space by the pool size. A 20-character lowercase-only password has more entropy than a 10-character mixed-case password. Length scales exponentially; complexity scales linearly. The best passwords are long and complex.
Is a passphrase better than a random password?
Yes, for human-memorized passwords. Four random common words (e.g., tree-lamp-river-cloud) give ~50 bits of entropy and are easy to remember. Six words give ~77 bits — stronger than most random complex passwords, and far more memorable.
What makes a password "commonly known"?
This tool checks against a list of the most frequently used passwords (e.g., password, 123456, qwerty). Real attackers use dictionaries of millions of known passwords — these are tried before brute force. Any word from a dictionary or pop culture reference is at risk.