What makes a password strong?

A strong password is long, difficult to guess, and not based on common words, leaked passwords, personal details, or obvious keyboard patterns. Length and randomness usually matter more than forced symbol substitutions.

Does this password checker send my password to a server?

No. The checker runs in your browser and estimates strength locally. For maximum safety, avoid entering real production passwords into any website.

Are crack-time estimates exact?

No. Crack-time estimates are educational approximations. Real attacker speed depends on the hash algorithm, hardware, rate limits, password reuse, breach data, and the guessing strategy.

Security Analysis Tool

Password Strength Checker

Estimate password entropy, identify weak patterns, and compare crack-time assumptions in your browser.

Use the checker for education and sample policy testing, then rely on a password manager for real account credentials.

Start Checking How It Works References FAQ Related Tools

Estimate password strength locally in your browser using length, character variety, entropy, and pattern checks.

Password

This tool runs locally. Do not paste a real account password into any web page unless you trust the environment.

Strength

Waiting for input

Score

0/100

Estimated Entropy

0.0 bits

Online Guessing

N/A

Fast Offline Guessing

N/A

Checks

At least 12 characters

At least 16 characters

Uppercase and lowercase letters

Contains a number

Contains a symbol

Avoids common passwords

Avoids obvious sequences

Avoids long repeated characters

Recommendations

Use 16 or more characters for important accounts.
Mix uppercase and lowercase letters.
Add numbers that are not simple dates or sequences.
Add a symbol if the service allows it.
Consider a randomly generated password or a 4-6 word passphrase stored in a password manager.

How Password Strength Checking Works

Password strength checking estimates how many guesses an attacker may need before finding a password. A simple brute-force model uses the size of the character set and the password length, but real attackers do not guess uniformly at random.

Practical guessing starts with leaked password lists, dictionary words, keyboard paths, years, substitutions such as a for @, and repeated characters. This tool combines a basic entropy estimate with pattern checks so weak human habits are not treated as truly random.

The crack-time estimates are intentionally approximate. Online systems may limit guesses to a few attempts per minute, while offline attackers with stolen password hashes can test large numbers of guesses if weak or fast hashing was used.

Length

Every extra random character increases the search space. A long passphrase often beats a short password with predictable substitutions.

Randomness

Attackers try common passwords, names, keyboard walks, and substitutions before brute force. Human-made patterns lower real strength.

Hashing context

Offline attacks against fast hashes are very different from online login attempts protected by rate limits and lockouts.

History and Modern Guidance

Early password advice often required short passwords with uppercase letters, digits, and punctuation. That created many predictable variants such as Password1!, which attackers learned to try early.

Modern guidance focuses more on length, resistance to known breached passwords, throttled online guessing, and secure password storage. NIST guidance also discourages arbitrary periodic password changes unless there is evidence of compromise.

For applications, password strength checking is only one layer. Passwords should be hashed with a dedicated password-hashing function, protected by multi-factor authentication where appropriate, and never stored or logged in plaintext.

Use Cases

Password policy testing

Check whether a sample password policy rewards length and avoids obvious weaknesses.

Security education

Demonstrate why password123, keyboard walks, and repeated characters are easier to guess than random passphrases.

Passphrase comparison

Compare memorable passphrase samples against shorter complex-looking passwords.

Password Strength Checker

Checks

Recommendations

How Password Strength Checking Works

Length

Randomness

Hashing context

History and Modern Guidance

Use Cases

Password policy testing

Security education

Passphrase comparison

Authoritative References

Password Strength FAQ

Checks

Recommendations

Password Strength Checker

Checks

Recommendations

How Password Strength Checking Works

Length

Randomness

Hashing context

History and Modern Guidance

Use Cases

Password policy testing

Security education

Passphrase comparison

Authoritative References

Password Strength FAQ

Should I paste my real password here?

Why can a long passphrase score better than a short symbol-heavy password?

What does entropy mean?

Does this replace password hashing tools?

Related Security Tools

Checks

Recommendations