Is it safe to type my real password into a strength checker?

This checker is safe because it runs entirely in your browser — your password is never sent to any server, stored, or logged anywhere. The analysis happens in JavaScript on your device. You can verify this by opening your browser's network tab (F12) and confirming that no requests are made when you type. That said, as a general habit, be cautious with online password checkers from sites you don't trust — always prefer tools that are transparent about being client-side only.

What does password entropy mean?

Entropy (measured in bits) quantifies how many random possibilities your password has. It's calculated as length × log₂(pool size), where pool size is the number of distinct character types used. Higher entropy means more guesses are needed to crack the password. 40 bits is weak, 60 bits is moderate, 80+ bits is strong, and 100+ bits is very strong. A 16-character password using all character types has approximately 105 bits of entropy.

Why does the crack time vary so much between scenarios?

Different attack scenarios have very different speeds depending on whether the attacker has the hash, what type of hash it is, and what hardware they're using. Online attacks are slowest because rate limiting and CAPTCHA throttle attempts. Offline attacks against a stolen hash database can run at billions of guesses per second on GPUs. The same password that takes years to crack online might fall in seconds offline against a weak MD5 hash. This is why using strong, unique passwords matters even if a site claims to be secure.

Password Strength Checker — Score, Entropy, Crack Time & Improvement Tips

What This Tool Checks

Ten security checks and a full technical analysis — all running locally in your browser.

📏

Length scoring

Length contributes up to 40% of the total score. Every character you add exponentially increases the time needed to crack the password by brute force.

🔣

Character diversity

Using uppercase, lowercase, digits, and symbols expands the pool size from 26 to 94 characters — multiplying the number of possible combinations enormously.

⌨️

Keyboard run detection

Sequences like "qwerty", "asdf", "12345", or "zxcv" are on every attacker's rule list and get tested first, regardless of how long your password is.

🔁

Repeat character detection

Repeated characters like "aaa" or "111" dramatically reduce entropy. The checker flags any sequence where the same character appears 3+ times in a row.

🎭

Common pattern detection

Patterns like "Word123!", "P@ssw0rd", or a capitalized word followed by numbers are among the first tested in rule-based attacks. This checker flags them.

⚡

Entropy calculation

Entropy (in bits) tells you exactly how many random guesses are needed on average to crack your password, regardless of the attack method being used.

How to Use This Tool

1

Type or paste your password

Enter any password in the input field. The analysis updates in real time as you type. Use Hide/Show to toggle visibility, or Clear to start over.

2

Read the strength score

The animated ring shows your score from 0 to 100. The five-segment bar shows the level — Weak, Fair, Good, Strong, or Very Strong — at a glance.

3

Check the 10 security tests

Each check shows pass (✓) or fail (✗). Failing checks reveal exactly what's weak — whether it's length, missing characters, or a detectable pattern.

4

Check crack time estimates

See how long your password would take to crack under 5 different attack conditions — from a slow online attack to a dedicated GPU cracking rig.

5

Apply the improvement tips

If the score is below 75, specific tips appear telling you exactly what to change. Follow them to improve the score before using the password.

6

View the full report

Toggle "Full Technical Report" for a complete breakdown — every metric, count, and detection result in one place. Useful for understanding what factors affected the score.

How the Score Is Calculated

The 0–100 score is based on three components. Here's exactly how it works.

📐

Length (up to 40 pts)

Your score scales with password length up to 20 characters. At 20 chars you get the full 40 points. Below 8 you get nearly nothing — because short passwords are fundamentally weak regardless of complexity.

🔤

Character types (up to 30 pts)

Each of the four character types (uppercase, lowercase, digits, symbols) you include adds 7.5 points. Using all four gives 30 points and maximizes the effective pool size per character.

🚫

Pattern penalties (up to 30 pts)

No repeated sequences adds 8 pts. No keyboard runs adds 8 pts. No common patterns adds 14 pts. All three together mean your password doesn't follow any of the rule-based transformations attackers run first.

📊

Entropy (separate display)

Entropy is shown separately from the score because it's a pure math calculation. Score reflects usability heuristics; entropy reflects raw cryptographic unpredictability. Both matter.

Frequently Asked Questions

Yes. This tool runs entirely in your browser using JavaScript. When you type, no network request is made — nothing leaves your device. You can verify this yourself by opening the browser's network inspector (F12 → Network tab) and watching that no requests fire while you type. That said, use common sense: don't type passwords on untrusted public computers or shared screens, regardless of the tool.

Adding symbols to a short or patterned password helps, but it's not enough on its own. The biggest score components are length and absence of detectable patterns. A 7-character password with symbols scores around 30–40 because it's too short — brute force can cover all 7-character combinations quickly. The fix is almost always to increase length first, then add character diversity.

Common patterns include: all the same character ("aaaaaaaa"), sequential letters or numbers ("abcd", "1234"), keyboard rows ("qwerty", "asdf", "zxcv"), the word "password" in any form (including P@ssw0rd, p@$$word), and the extremely common pattern of a capitalized word followed by numbers and an optional symbol (e.g. "Summer2024!"). These patterns are in every cracking rule list and get tested before brute force even starts.

Online attacks are limited by the server — most websites lock accounts after 5–10 failed attempts, add delays, or require CAPTCHA. This limits attackers to maybe 100 guesses per second at best. Offline attacks happen against a stolen password hash database — the attacker runs their software locally with no limits. A modern GPU can test 100 billion guesses per second against MD5 hashes. This is why a password that seems safe online can be cracked almost instantly if its hash is ever leaked in a breach.

For most accounts: aim for 75+ (Strong). For high-value accounts — email, banking, your password manager master password — aim for 85+ (Very Strong). A score of 75+ typically corresponds to a 12–16 character password using multiple character types without detectable patterns, which means 70+ bits of entropy and centuries of crack time even with fast offline attacks.

No — this tool performs local analysis only and never contacts any external service. Checking against breach databases (like the Have I Been Pwned Pwned Passwords API) would require sending your password or a hash of it over the network. That's a privacy trade-off some tools make, but this checker prioritizes keeping your password entirely on your device. For breach checking, you can use haveibeenpwned.com directly — they use a k-anonymity model where only the first 5 characters of a SHA-1 hash are sent, not your actual password.

Related Tools

View all →

Password Strength Checker

What This Tool Checks

How to Use This Tool

How the Score Is Calculated

Frequently Asked Questions

Related Tools

Related Reading