Password Strength Checker

Analyze password strength with real-time entropy, time-to-crack estimates, and pattern detection. Nothing is stored — all analysis runs in your browser.

Understanding Password Entropy

Entropy is the mathematical measure of a password's unpredictability. It is calculated based on the size of the character set used and the password length: entropy = length × log₂(charsetSize). The larger the character set and the longer the password, the more bits of entropy — and the harder it is for an attacker to guess.

| Character Set | Size | Entropy/char | Example |
|---|---|---|---|
| Digits only | 10 | 3.32 bits | PIN: 1234 |
| Lowercase only | 26 | 4.70 bits | password |
| Lower + Upper | 52 | 5.70 bits | Password |
| Lower + Upper + Digits | 62 | 5.95 bits | P@ss1234 |
| Full ASCII printable | 95 | 6.57 bits | P@ss1234!# |

Password Attack Methods

Attackers use several techniques to crack passwords, each with very different speed characteristics. Understanding these helps you see why entropy thresholds matter.

Online Brute Force (~1,000 guesses/s)

Attacking a live login form. Rate-limited by server lockout policies. A 6-digit PIN takes ~16 minutes.

Offline Dictionary Attack (~1M guesses/s)

Testing common passwords and words against a stolen hash. Most common passwords fall in seconds.

Offline Fast Hash (~10B guesses/s)

Using a GPU to brute-force unsalted MD5 or SHA-1 hashes. 8-character passwords fall in hours.

GPU Cluster (~1T guesses/s)

Dedicated cracking rig. 10+ character passwords with full charset still take years.

Password Best Practices

Modern security guidance (NIST SP 800-63B, 2024 update) recommends: passwords of at least 15 characters, allowing all printable characters, checking against known-breached password lists, no mandatory complexity rules that lead to predictable patterns (like P@ssw0rd!), and no forced periodic rotation unless there is evidence of compromise. The single most impactful action is using a password manager to generate and store unique, random passwords for every site — eliminating the reuse problem entirely.

Frequently Asked Questions

Is my password stored or transmitted anywhere?

No. All analysis happens entirely in your browser using JavaScript. Your password is never sent to any server, stored in a database, or logged anywhere. The page has no server-side processing and no analytics calls that include form inputs. You can verify this by inspecting network traffic in browser DevTools.

What is password entropy and why does it matter?

Password entropy measures how unpredictable a password is, expressed in bits. It is calculated as log₂(charsetSize ^ length), which equals length × log₂(charsetSize), where charsetSize is the number of possible characters in the character set used (e.g., 62 for lowercase + uppercase + digits). Higher entropy means more possible combinations an attacker must try. A password with 50 bits of entropy has roughly 2⁵⁰ (about 1 quadrillion) possible values. Security guidelines generally recommend at least 60 bits for a strong password and 80+ bits for very strong passwords.

What do the time-to-crack estimates mean?

The estimates assume an attacker is performing an exhaustive brute-force search at different speeds: an online attack through a web form (throttled to ~1,000 guesses/second), an offline attack against a slow hash like bcrypt (millions per second), a fast hash like SHA-1 (billions per second), and a well-funded GPU cluster (trillions per second). These are best-case scenarios for the defender: real attacks may use dictionary lookups and be faster against common passwords. The estimates shown are average-case (trying half the total combinations), not worst-case.

What patterns make a password weak even if it's long?

Length alone is not sufficient. A 20-character password like 'aaaaaaaaaaaaaaaaaaaa' has extremely low entropy because an attacker can quickly test repeated characters. Other weak patterns include: keyboard walks (qwerty, asdf1234), sequential characters (abcdef, 123456), common dictionary words (password, sunshine), year or date patterns (2024, january), and common password substitutions (p@ssw0rd). This tool detects these patterns and adjusts the effective entropy score accordingly.
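
The following JavaScript sketch is an added example, not this tool's actual code: it applies the entropy formula, detects several of the patterns listed above, and computes average-case crack times at the four attack rates quoted on this page. The word list, the substitution map, and the rule that each detected pattern counts as a single symbol are assumptions made for illustration.

```javascript
// Added example, not the tool's code. Rates are the page's figures; the word list and
// the "each detected pattern counts as one symbol" penalty are assumptions of this sketch.
const RATES = { online: 1e3, dictionary: 1e6, fastHash: 1e10, gpuCluster: 1e12 }; // guesses/s
const WORDS = ['password', 'sunshine', 'qwerty', 'asdf', 'january']; // constructed sample list
const LEET = { '@': 'a', '0': 'o', '1': 'l', '3': 'e', '$': 's' };

function charsetSize(pw) { // anything outside [0-9a-zA-Z] is counted as the 33 ASCII symbols
  return (/[0-9]/.test(pw) ? 10 : 0) + (/[a-z]/.test(pw) ? 26 : 0) +
         (/[A-Z]/.test(pw) ? 26 : 0) + (/[^0-9a-zA-Z]/.test(pw) ? 33 : 0);
}

// entropy = length × log2(charsetSize), the formula from the page
const rawEntropy = (pw) => (pw ? pw.length * Math.log2(charsetSize(pw)) : 0);

// Average case: half of the 2^bits candidates are tried before a hit.
const crackSeconds = (bits, rate) => 2 ** (bits - 1) / rate;

function analyze(pw) {
  const lower = pw.toLowerCase();
  const plain = [...lower].map((c) => LEET[c] || c).join(''); // undo common substitutions
  const covered = new Array(lower.length).fill(false);
  const patterns = [];
  const mark = (name, start, len) => { patterns.push(name); covered.fill(true, start, start + len); };

  for (const w of WORDS) { // dictionary words and keyboard walks, plain or substituted
    const at = plain.indexOf(w);
    if (at >= 0) mark(lower.includes(w) ? 'word' : 'substitution', at, w.length);
  }
  const year = /(19|20)\d{2}/.exec(lower);
  if (year) mark('year', year.index, 4);
  for (let i = 0; i < lower.length; ) { // runs of 3+ repeated (aaa) or consecutive (abc, 123)
    const step = lower.charCodeAt(i + 1) - lower.charCodeAt(i);
    let j = i + 1;
    if (step === 0 || step === 1) {
      while (j < lower.length && lower.charCodeAt(j) - lower.charCodeAt(j - 1) === step) j++;
    }
    if (j - i >= 3) mark(step ? 'sequence' : 'repeat', i, j - i);
    i = j - i >= 3 ? j : i + 1;
  }
  // Uncovered characters keep full weight; each pattern contributes a single symbol.
  const free = covered.filter((c) => !c).length;
  const effLen = Math.min(lower.length, free + patterns.length);
  const effectiveBits = pw ? effLen * Math.log2(charsetSize(pw)) : 0;
  const times = Object.fromEntries(
    Object.entries(RATES).map(([k, rate]) => [k, crackSeconds(effectiveBits, rate)]));
  return { rawBits: rawEntropy(pw), effectiveBits, patterns, times };
}
```

Calling analyze() on the repeated-character password from the answer above returns about 94 raw bits but under 5 effective bits, which is the gap between the length-based formula and the pattern-adjusted score.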

What makes a password truly strong?

A strong password combines length, character variety, and randomness. Aim for at least 16 characters mixing uppercase, lowercase, digits, and symbols — with no recognizable words, dates, or patterns. Even better, use a randomly-generated passphrase (4–5 random words) or a cryptographically random password from a password manager. Enable two-factor authentication whenever possible, because even a strong password can be phished. Never reuse passwords across accounts — a breach of one site gives attackers credentials to try everywhere.