How the Password Strength Checker Works
Type a password to get an instant strength score from 0 (Very Weak) to 4 (Very Strong). The score is based on length, character diversity (uppercase, lowercase, digits, symbols), and detection of common patterns or sequential characters. Short passwords with no variety almost always score 0 or 1.
The estimated crack time is calculated from the password's entropy (information content) assuming an attacker using a modern GPU at 10 billion guesses per second. All analysis happens locally in your browser — your password isn't transmitted anywhere.
Eight pattern detectors and three crack-time scenarios
The analysis now runs eight specific pattern checks: common passwords from a 250-entry list with l33t-speak deleetification (so p@ssw0rd doesn't slip through), keyboard walks like qwerty and asdf, ascending and descending sequences of letters or digits, repeated characters, and dates in common formats. You see which patterns were detected, not just a score. Entropy is shown in bits alongside the score, so you know whether a four-word passphrase at 52 bits is actually better than your 14-character mix at 48 bits (it is).
The crack-time table shows three scenarios side by side: online throttled (100 guesses per second, the rate a login form limits you to), offline GPU (10 billion per second, a mid-range dedicated cracking rig), and a distributed cluster (100 billion per second). The difference between these scenarios is what separates 'fine for a forum account' from 'acceptable for a work login' from 'suitable for encrypting a backup'. When your score is low, the tool suggests a passphrase alternative — not a generic tip, an actual example of what a stronger structure looks like.
What Makes a Password Strong?
Length is the single most important factor. Every additional character multiplies the search space by the size of the character set. A 12-character random password drawn from 72 possible characters (lowercase + uppercase + digits + symbols) has 72¹² ≈ 19 quadrillion combinations; the same charset at 8 characters gives 72⁸ ≈ 7 trillion — 2,700× fewer guesses needed. NIST SP 800-63B (updated 2024) formally recommends length over complexity: mandatory rules requiring uppercase, symbols, and frequent rotation are no longer recommended. What matters is length and uniqueness per site.
Entropy is measured in bits. 128 bits of entropy is considered sufficient for long-term security against any foreseeable attack. A truly random 20-character password using only lowercase letters (26-character set) gives log₂(26²⁰) ≈ 94 bits — already very strong. Common patterns to avoid: keyboard walks (qwerty, 12345), dictionary words, personal information (birthdays, names), and leetspeak substitutions (p@ssw0rd) — these are all preloaded in attacker wordlists and add almost no security.
Passphrases (four random common words, Diceware-style) give roughly 44–52 bits of entropy — weaker than a short fully random password but far more memorable. A passphrase like “correct horse battery staple” is 28 characters and beats most short complex passwords in both length and memorability. Use a passphrase for accounts you must type regularly; use a random generated password (stored in a manager) for everything else.
Related tools: Password Generator — generate a cryptographically secure random password or passphrase instantly.
How Password Checkers Work (and Their Limits)
Client-side estimators like this tool use heuristics: character set size, length, common pattern matching, keyboard sequence detection, and dictionary lookups. The most sophisticated public algorithm is zxcvbn (open-sourced by Dropbox): it simulates an attacker using a curated wordlist, common substitution rules, and spatial keyboard patterns to produce a realistic crack-time estimate rather than a naive character-count score. This tool's analysis is inspired by that approach.
These tools estimate cracking time against offline attacks — a scenario where an attacker already has your password hash and runs guesses on their own hardware with no rate limiting. This is far more aggressive than online login attempts throttled by the server. Offline cracking rates vary enormously by hashing algorithm: a modern GPU rig cracks MD5 hashes at tens of billions per second, but the same rig can only attempt around 10,000 bcrypt hashes per second. This is why secure systems use slow hashing algorithms (bcrypt, Argon2, scrypt) — even a mediocre password becomes impractical to crack when each guess takes milliseconds of CPU time.
The biggest real-world threats are not brute force but phishing, credential stuffing (attackers trying username/password pairs leaked from other breaches), and malware. A 20-character unique password provides near-zero protection against phishing; you still need to verify the site you're logging into. Use a password manager to generate and auto-fill unique credentials per site: this eliminates credential stuffing entirely and makes phishing attempts easier to detect, because the manager will not offer to fill credentials on a look-alike domain.
See also: Password Generator for cryptographically secure passwords, and our Random Number Generator for an explanation of true randomness.
Entropy Explained: Bits and What They Buy You
Password entropy measures unpredictability in bits — specifically, the base-2 logarithm of the total number of possible passwords of a given structure. 10 bits of entropy means 2¹⁰ = 1,024 possible combinations. 20 bits means ~1 million. 40 bits means ~1 trillion. 80 bits means roughly 1.2 × 10²⁴ — at 10 billion guesses per second (a capable offline GPU rig), exhausting that search space would take over 3.8 million years. In practice, 80 bits of true entropy is effectively uncrackable by any foreseeable hardware.
Character set size determines the entropy per character: a password using only lowercase letters draws from 26 characters, giving log₂(26) ≈ 4.7 bits per character. Adding uppercase doubles the set to 52 characters: log₂(52) ≈ 5.7 bits per character — 1 bit of gain per character. Adding digits (62 total): log₂(62) ≈ 5.95 bits. Adding 32 common symbols (94 total): log₂(94) ≈ 6.55 bits. The math reveals why length matters far more than complexity: going from 10 to 16 characters at 4.7 bits each gains 28.2 bits of entropy; adding a symbol set to a 10-character lowercase password gains only 18.5 bits.
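The arithmetic above, and the three crack-time scenarios from the "Eight pattern detectors and three crack-time scenarios" section, as an added worked example. This is not the checker's own code; it assumes the page's character classes (26 + 26 + 10 + 32 = 94 printable characters), treats every character as independently random (the "raw bits" upper bound), and reports the time to exhaust the whole search space, as the 80-bit figure above does. The passphraseBits helper is the Diceware formula from the "When This Checker Is Misleading" section.

```javascript
// Added example (not the checker's own code): character-set entropy and
// crack-time estimates using the page's figures: 26 lowercase, 26 uppercase,
// 10 digits, 32 symbols (94 printable characters in total).

// Size of the character set a password draws from, inferred from the
// character classes it actually contains.
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 32; // the page's "32 common symbols"
  return size;
}

// Raw (pattern-free) entropy in bits: length * log2(charset size).
// This is the upper bound the page calls "character-set entropy".
function entropyBits(password) {
  if (password.length === 0) return 0;
  return password.length * Math.log2(charsetSize(password));
}

// Diceware-style passphrase entropy: log2(wordListSize ^ wordCount),
// i.e. wordCount * log2(wordListSize). It does not depend on which words came up.
function passphraseBits(wordListSize, wordCount) {
  return wordCount * Math.log2(wordListSize);
}

// Seconds to exhaust the whole search space at a given guess rate.
// The average successful attack needs about half of this.
function crackTimeSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond;
}

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

function crackTimeYears(bits, guessesPerSecond) {
  return crackTimeSeconds(bits, guessesPerSecond) / SECONDS_PER_YEAR;
}

// The three attacker models the page compares, plus the bcrypt rate it
// quotes in "How Password Checkers Work" for a slow hash on the same rig.
const SCENARIOS = {
  'online throttled': 1e2,
  'offline GPU (fast hash)': 1e10,
  'distributed cluster': 1e11,
  'offline GPU vs bcrypt': 1e4,
};

function formatDuration(seconds) {
  if (seconds < 60) return `${seconds.toPrecision(2)} seconds`;
  if (seconds < 3600) return `${(seconds / 60).toPrecision(2)} minutes`;
  if (seconds < 86400) return `${(seconds / 3600).toPrecision(2)} hours`;
  if (seconds < SECONDS_PER_YEAR) return `${(seconds / 86400).toPrecision(2)} days`;
  return `${(seconds / SECONDS_PER_YEAR).toPrecision(2)} years`;
}

// Crack-time table for a given entropy, one entry per scenario.
function crackTimeTable(bits) {
  const table = {};
  for (const [name, rate] of Object.entries(SCENARIOS)) {
    table[name] = formatDuration(crackTimeSeconds(bits, rate));
  }
  return table;
}

// Demo of the comparisons the page makes (inputs are constructed).
function demo() {
  const lower10 = 'a'.repeat(10);          // 10-char lowercase input
  const lower16 = 'a'.repeat(16);          // 16-char lowercase input
  const mixed10 = 'aB1!' + 'a'.repeat(6);  // 10 chars drawing from all four classes
  console.log('10 -> 16 lowercase chars gains',
    (entropyBits(lower16) - entropyBits(lower10)).toFixed(1), 'bits');
  console.log('adding the other classes to 10 lowercase chars gains',
    (entropyBits(mixed10) - entropyBits(lower10)).toFixed(1), 'bits');
  console.log('4-word Diceware (7776 words):', passphraseBits(7776, 4).toFixed(1), 'bits');
  console.log('80 bits:', crackTimeTable(80));
}
demo();
```

Run it with Node and the two "gains" lines reproduce the 28.2-bit and 18.5-bit figures above; the 80-bit row for the offline GPU scenario comes out in the millions of years, while the same 80 bits against the online-throttled rate is astronomically larger, which is the point of showing the scenarios side by side.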
These entropy figures assume true randomness — every character independently chosen with equal probability from the full character set. Patterns collapse entropy drastically. A password like 'Summer2024!' is 11 characters with uppercase, digits, and a symbol, suggesting a character-set entropy of ~72 bits. But in practice it has near-zero structural entropy: 'Summer' is in every attacker's dictionary, '2024' is the current year, and '!' is the most common symbol appended to dictionary words. Effective entropy is perhaps 15–20 bits — an attacker using rule-based mutation wordlists cracks it in seconds.
NIST SP 800-63B uses entropy as a conceptual framework but explicitly warns against using character-composition rules as a proxy for entropy, because users predictably satisfy composition rules with low-entropy patterns (capitalize the first letter, append ! at the end, substitute 0 for o). The checkers showing a green checkmark for 'has uppercase, digit, and symbol' are measuring necessary conditions for entropy, not entropy itself. This tool shows both the raw bits estimate and the pattern detections that reduce effective entropy.
Common Patterns That Wreck Password Strength
Keyboard walks are among the first sequences attackers try: qwerty, asdf, zxcv, 1234, and their variants (qwerty123, Qwerty1!). They appear strong visually — 9+ characters with varied case and digits — but are trivially in attacker wordlists as keyboard adjacency patterns. Any sequence of three or more adjacent keys in a standard QWERTY layout is flagged by this checker. The fix is trivial: if you're going left-to-right on the keyboard, you're not generating a password.
Leetspeak substitutions add very little real entropy. Substituting 3 for e, 0 for o, @ for a, 1 for l, or $ for s adds at most 5–6 bits of entropy for the entire transformation (because there are only a handful of common substitution rules, and attackers preload them all). 'p@ssw0rd' is cracked in the same time as 'password' by any modern attacker tool — these substitutions have been in wordlists since the early 2000s. The checker's pattern list includes l33t-speak deleetification, so these substitutions are detected and reported.
Dictionary words reduce entropy to the size of the dictionary, not the character set. English has roughly 170,000 words in active use; an attacker's password dictionary typically has 5–20 million entries (words, names, phrases, previous breach passwords). Even obscure words like 'zymurgy' or 'quorum' are in these lists. A 10-character password made from one obscure word plus two digits has effective entropy of log₂(20,000,000 × 100) ≈ 31 bits — crackable in seconds at offline GPU speeds.
Dates and years are extremely common and extremely guessable. Birthdates, anniversaries, graduation years, and the current year are all in attacker rule sets. Formats detected: DDMMYYYY, MMDDYYYY, YYYYMMDD, YYYY, and two-digit year variants. If your password ends in a year (Password2024, Summer23), the year contributes approximately log₂(50) ≈ 5.6 bits if attackers try years 1975–2025 — almost nothing. Names, pet names, and sports teams follow the same logic: they're personal, they feel unique, but they're all in targeted attack wordlists assembled from social media profiles.
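The detectors described in this section and in "Eight pattern detectors and three crack-time scenarios", as an added example written for this page rather than the checker's actual implementation. It assumes a tiny constructed stand-in for the 250-entry common-password list, the five substitution rules named above, a US QWERTY layout, and detects only four-digit and eight-digit date forms (the two-digit year variants are left out); the real tool's lists, thresholds and scoring differ.

```javascript
// Added example (not the checker's own code): a handful of the pattern
// detectors the page describes. COMMON is a constructed 8-entry stand-in
// for the page's 250-entry list.
const COMMON = new Set([
  'password', '123456', 'qwerty', 'letmein', 'welcome', 'summer', 'dragon', 'iloveyou',
]);

// The substitution rules named on the page; "deleeting" reverses them.
const LEET = { '@': 'a', '0': 'o', '1': 'l', '3': 'e', '$': 's' };

function deleet(s) {
  return s.replace(/[@013$]/g, (c) => LEET[c]);
}

// Common-password check on the deleeted, lowercased string, tried both as-is
// and with trailing digits/symbols removed ("Summer2024!" -> "summer").
function findCommonWord(pw) {
  const lower = pw.toLowerCase();
  const candidates = [deleet(lower), deleet(lower.replace(/[^a-z]+$/, ''))];
  return candidates.find((c) => COMMON.has(c)) || null;
}

// Three or more adjacent keys along a QWERTY row, in either direction.
const ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890'];
const ROWS_BOTH_WAYS = ROWS.concat(ROWS.map((r) => [...r].reverse().join('')));
const inRow = (s) => ROWS_BOTH_WAYS.some((r) => r.includes(s));

function findKeyboardWalk(pw) {
  const s = pw.toLowerCase();
  for (let i = 0; i + 3 <= s.length; i++) {
    if (!inRow(s.slice(i, i + 3))) continue;
    let end = i + 3;
    while (end < s.length && inRow(s.slice(i, end + 1))) end++;
    return s.slice(i, end); // longest walk starting at the first hit
  }
  return null;
}

// Three or more characters with consecutive codes, ascending or descending
// ("abc", "cba", "789").
function findSequence(pw) {
  for (let i = 0; i + 3 <= pw.length; i++) {
    const step = pw.charCodeAt(i + 1) - pw.charCodeAt(i);
    if (Math.abs(step) !== 1) continue;
    let end = i + 2;
    while (end < pw.length && pw.charCodeAt(end) - pw.charCodeAt(end - 1) === step) end++;
    if (end - i >= 3) return pw.slice(i, end);
  }
  return null;
}

// The same character three or more times in a row.
function findRepeat(pw) {
  const m = pw.match(/(.)\1{2,}/);
  return m ? m[0] : null;
}

// Years 1900-2099, and 8-digit runs whose first or last four digits are such
// a year (covers DDMMYYYY, MMDDYYYY and YYYYMMDD). Two-digit years are omitted.
const isYear = (s) => /^(?:19|20)\d{2}$/.test(s);

function findDate(pw) {
  const m8 = pw.match(/\d{8}/);
  if (m8 && (isYear(m8[0].slice(0, 4)) || isYear(m8[0].slice(4)))) return m8[0];
  const m4 = pw.match(/(?:19|20)\d{2}/);
  return m4 ? m4[0] : null;
}

// Run every detector and report what matched, in a fixed order.
function analyze(pw) {
  const detectors = [
    ['common-password', findCommonWord],
    ['keyboard-walk', findKeyboardWalk],
    ['sequence', findSequence],
    ['repeat', findRepeat],
    ['date', findDate],
  ];
  return detectors
    .map(([type, fn]) => ({ type, match: fn(pw) }))
    .filter((d) => d.match !== null);
}

// Constructed sample inputs, including the page's own p@ssw0rd and Summer2024!.
for (const pw of ['p@ssw0rd', 'Qwerty1!', 'Summer2024!', 'abc123', 'correct horse battery staple']) {
  console.log(pw, '->', analyze(pw).map((d) => `${d.type}(${d.match})`).join(', ') || 'no patterns');
}
```

Each detector returns the matched substring rather than a boolean, which is what lets a checker report which pattern was found instead of only lowering the score. Note that a single input can trip several detectors at once ("abc123" is both a sequence and a keyboard walk), so a scorer should deduct for the overlapping region once, not per detector.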
When This Checker Is Misleading
This tool evaluates structural strength — the entropy and pattern analysis of the password string you type. It cannot check whether your password has already been exposed in a data breach. A structurally strong password like 'Correct#Horse7Battery' scores 4/4 here, but if it appeared in a breach dump (which it now does, because it's in this example), an attacker with that list would crack it instantly. To check actual breach exposure, use Have I Been Pwned's password API (k-anonymity model — only the first 5 hex chars of your SHA-1 hash are sent, not the password itself).
Passphrase entropy is more reliable than this estimator suggests for memorable passwords. A Diceware passphrase of four words chosen from the EFF word list (7,776 words) has entropy of log₂(7776⁴) = 51.7 bits for the four-word set — the estimator here may score it lower if it detects the individual words as dictionary words and penalizes them. But that penalty reflects online-attack pattern matching, not Diceware's actual security model, which is purely combinatorial (51.7 bits remains valid regardless of whether each word is a dictionary word, provided the words were chosen at random). If you use Diceware, the correct entropy calculation is log₂(word_list_size^word_count).
Two-factor authentication (2FA) dramatically reduces the practical importance of password strength for online account security. An account protected by TOTP (Google Authenticator, Authy) or a hardware key (YubiKey) cannot be accessed with a stolen password alone — the attacker needs both. This means a reasonably strong 12-character unique password with 2FA enabled is more secure than an exceptional 24-character password without 2FA. Enabling 2FA on critical accounts (email, bank, work SSO) should be the first priority, before optimizing password strength scores.
Finally, this checker cannot evaluate password reuse — arguably the most dangerous password practice. A password that scores 4/4 here but is used on 15 different sites is catastrophically risky: one breach of any of those sites exposes all your accounts to credential stuffing. The only scalable solution is a password manager (Bitwarden, 1Password, KeePass) that generates and stores a unique random password per site. Strength scores are secondary once you're using unique passwords everywhere.
Frequently Asked Questions
What actually makes a password strong?
What is entropy and why does it matter?
Is it safe to type my real password here?
What score should I aim for?
How long does it take to crack a strong password?
Are passphrases stronger than passwords?
Why does adding a symbol barely improve my score?
Does this tool send my password to a server?
My password scores high here. Does that mean it's safe?
By Bam's Thinkery — Updated