Password Strength Test
Test how strong your password is with real-time analysis. See entropy, estimated crack time, and a detailed breakdown of security criteria. Get actionable suggestions to improve weak passwords.
Test Your Password
All analysis happens locally in your browser. Nothing is transmitted.
Strength
Enter a passwordSecurity Criteria
Length
Enter a password
Lowercase letters
Add lowercase letters (a-z)
Uppercase letters
Add uppercase letters (A-Z)
Numbers
Add numbers (0-9)
Special characters
Add special characters (!@#$...)
No common patterns
Enter a password to check
How to Use This Password Strength Test
Enter Your Password
Type or paste a password into the input field above. Analysis begins instantly as you type -- no button needed. Use the eye icon to toggle visibility.
Review the Analysis
Check the strength meter, entropy bits, and estimated crack time. The criteria checklist shows which security requirements are met and which need improvement.
Follow the Suggestions
Use the improvement suggestions to strengthen your password. Add length, mix character types, and avoid common patterns for the best security.
How Password Entropy Is Calculated
Entropy = Length x log2(CharsetSize)Password entropy measures randomness in bits. The charset size depends on which character types are used:
Lowercase only (a-z): 26 characters+ Uppercase (A-Z): 52 characters+ Numbers (0-9): 62 characters+ Symbols (!@#$...): 94 charactersThe crack time is estimated assuming a modern GPU cluster performing 10 billion guesses per second against unsalted hashes. Real-world security depends heavily on how the service stores your password -- proper salting and algorithms like bcrypt or Argon2 add significant protection.
Recommended entropy targets:
- 28+ bits -- Minimum (very basic protection only)
- 36+ bits -- Weak but better than common passwords
- 60+ bits -- Fair, suitable for most online accounts
- 80+ bits -- Strong, recommended for sensitive accounts
- 100+ bits -- Very strong, suitable for encryption keys
This tool also checks for common patterns (dictionary words, keyboard sequences, repeated characters) which drastically reduce effective entropy even if the raw character count looks good.
Frequently Asked Questions
Is it safe to type my password into this tool?
Yes. This tool runs entirely in your browser using JavaScript. Your password is never sent to any server, stored in any database, or transmitted over the network. You can verify this by disconnecting from the internet after the page loads -- the tool will continue to work.
What is password entropy and why does it matter?
Entropy measures the randomness of a password in bits. Higher entropy means more possible combinations an attacker must try. For example, a 12-character password using uppercase, lowercase, numbers, and symbols has about 79 bits of entropy, meaning there are 2^79 (about 604 sextillion) possible combinations. Aim for at least 60 bits for online accounts and 80+ bits for sensitive systems.
How is the estimated crack time calculated?
The crack time assumes a modern GPU cluster performing 10 billion guesses per second (a realistic rate for offline attacks against unsalted hashes). The calculation is: total combinations (2^entropy) divided by twice the guessing rate (average case). Real-world times vary based on hashing algorithm, salting, and available hardware.
What makes a strong password?
A strong password combines length (12+ characters), character variety (uppercase, lowercase, numbers, and symbols), and randomness (no dictionary words, names, dates, or keyboard patterns). The single most impactful factor is length -- each additional character exponentially increases the number of combinations. Using a password manager to generate and store random passwords is the best approach.
Should I use a passphrase instead of a password?
Passphrases (like "correct horse battery staple") can be excellent passwords because they are long and memorable. A 4-word passphrase from a large dictionary provides about 44-55 bits of entropy, while 5-6 words can reach 70+ bits. For maximum security, combine a passphrase with numbers and symbols, or use a randomly generated password stored in a password manager.
Security Notice
This password strength test runs entirely in your web browser. Your password is never transmitted, logged, or stored on any server. The analysis uses standard JavaScript APIs running locally on your device. For best security practices, use a unique strong password for every account, store passwords in a reputable password manager, and enable two-factor authentication (2FA) wherever available.