Online Dev Tools

Developer & Security Tools for IT Professionals

Fuel The Infrastructure

Password Strength Checker

Runs locally in your browser Avoid pasting production secrets No account required

Last reviewed: June 6, 2026 — interactive functionality verified end-to-end; data-handling summary added.

Estimate how strong a password is — entirely in your browser.

Estimated strength
Entropy
0 bits
Est. offline crack time

    How this estimate works

    The strength score is based on entropy — roughly, the password's length multiplied by the base-2 logarithm of the size of the character set it draws from. A password using lowercase, uppercase, digits, and symbols draws from a much larger set per character than one using only letters, so each character it adds is worth more bits. The result is reduced when the password contains repeated characters, keyboard or numeric sequences, or a known common password, because those patterns are the first things a real attacker tries.

    The crack-time figure assumes a fast offline attacker — someone who has stolen a database of password hashes and is guessing locally at roughly 10 billion guesses per second, which is realistic for unsalted or fast hashes on modern GPU hardware. It is the conservative end of the range, so a password that looks safe here is likely safer in practice against slower online attacks.

    This is an estimate of guessing resistance, not a breach check. A unique-looking password can still be exposed if the site that stored it was breached, or if you reused it somewhere that leaked. To check whether a specific password has appeared in a known breach, use a dedicated breach-check service, and use a password manager so every account gets its own strong password.

    About this tool

    This password strength checker analyzes whatever you type directly in your browser. There is no server call, no logging, and no storage — the password never leaves the tab. That is the whole point of running it client-side: you can safely paste a real candidate password to evaluate it without worrying that it was sent somewhere or saved. The score, entropy, crack-time estimate, and feedback are all computed by JavaScript on this page and update live as you type.

    Real example

    Type P@ssw0rd and it scores Very weak. It looks complex — capital letter, symbol, number — but it is a textbook example of a common word with predictable character swaps, and it sits near the top of every attacker's wordlist. The symbol-swapping buys almost nothing.

    Now type a 16-or-more-character random string like kT9$mvL2qX#7nReW and it scores Very strong, with an estimated offline crack time measured in centuries or longer. The difference is not the symbols — it is the length and unpredictability. As a rule, adding length beats swapping letters for look-alike symbols, because length multiplies the entropy of the whole string while a single symbol substitution adds almost none.

    Common use cases

    • Vetting a password before you use it: Paste a password you are about to set on an important account to see whether it is genuinely strong or just looks strong, and read the specific suggestions for improving it.
    • Teaching password hygiene: Show colleagues, students, or family members in real time why length and uniqueness matter more than throwing in a ! at the end. Watching the bar and crack-time change as you type is more convincing than a lecture.
    • Sanity-checking a generated password: After producing a random password in a generator, drop it here to confirm the entropy and crack-time estimate land where you expect before you commit to it.

    Common mistakes

    • Reusing passwords across sites: A strong password that you use on more than one account is only as safe as the weakest site that stores it. One breach exposes every account that shares it. Uniqueness matters as much as strength.
    • l33t-speak on a dictionary word: Turning password into p@ssw0rd or secret into s3cr3t does not fool attackers — cracking tools apply those exact substitutions to wordlists automatically. The base word is still the weakness.
    • Judging by symbols instead of length: A short password crammed with symbols is weaker than a long passphrase of plain words. Reach for length first; complexity second.

    FAQ

    Is my password sent anywhere?
    No. The analysis runs in your browser via JavaScript. Nothing you type is transmitted to a server or stored anywhere. You can verify this by opening your browser's network tab while typing — you will see no requests.

    Does a high score mean my password is safe?
    No. The score estimates how hard the password is to guess, not whether it has already leaked in a data breach. A password that scores well here can still be compromised if you reused it somewhere that was breached. Always use a unique password per site.

    What's a good target?
    Aim for 16 or more characters, or a passphrase of 4 to 5 random words. Keep it unique per account and store it in a password manager so you never have to memorize or reuse it.

    Related tools