How to Check Password Strength
Analyze the strength of any password and get actionable suggestions to improve it. See estimated crack time and vulnerability assessment.
- 1
Enter a password to test
Type or paste the password you want to evaluate. The analysis runs entirely in your browser, so your password is never sent to a server.
- 2
Review the strength score
See an overall strength rating from weak to very strong, along with an estimated time to crack using common attack methods.
- 3
Check for common patterns
The tool identifies weaknesses like dictionary words, keyboard patterns, repeated characters, and common substitutions that make passwords predictable.
- 4
Follow improvement suggestions
Read the specific recommendations to strengthen your password, such as adding length, mixing character types, or avoiding personal information.
Whether you are setting up a new account or auditing existing credentials, checking password strength before committing to a password can save you from a breach down the road. The password strength checker evaluates your input locally in the browser, so your password never leaves your machine.
Understanding password entropy
Password strength ultimately comes down to entropy — the measure of how unpredictable a password is to an attacker. A password with 40 bits of entropy has roughly one trillion possible combinations, while 80 bits pushes that number into the septillions. Longer passwords with diverse character sets produce higher entropy, but length matters more than complexity. A 20-character passphrase made of random words typically beats an 8-character string of mixed symbols.
Attackers don’t just guess randomly, though. Modern cracking techniques use dictionary attacks that test common words, leaked password databases, and well-known substitutions like p@ssw0rd. They also exploit keyboard patterns (qwerty, zxcvbn) and date formats. A good strength checker accounts for all of these strategies when estimating crack time, not just raw character count.
NIST’s current guidelines (SP 800-63B) have shifted away from forced complexity rules like “must include uppercase, number, and symbol.” Instead, they recommend checking passwords against known breached password lists, enforcing a minimum length of at least 8 characters (ideally 15+), and allowing spaces and full Unicode so passphrases are practical.
Tips and best practices
- Prioritize length over complexity. A 16-character passphrase like
correct horse battery stapleis harder to crack thanTr0ub4d!despite looking simpler. - Avoid personal information. Names, birthdays, pet names, and addresses are the first things targeted in social engineering and targeted attacks.
- Use a unique password for every account. Credential stuffing attacks reuse leaked passwords across sites, so reusing even a strong password undermines its value.
- Pair strong passwords with a password manager. You only need to memorize one master password — let the manager generate and store the rest.
- Enable multi-factor authentication. Even a strong password can be phished. A second factor like a TOTP code adds a layer that password cracking alone cannot bypass.
Common issues
- “Strong” by old rules but actually weak. A password like
Summer2024!passes many legacy complexity checks but appears in breach databases and follows an obvious pattern. Always verify against known-compromised lists. - Overestimating crack time. Crack time estimates assume a single attacker with a specific rig. State-sponsored actors or botnets can throw orders of magnitude more compute at the problem, so treat estimates as a lower bound on security.
- Confusing password strength with account security. A perfect password on an account without MFA, on a site that stores passwords in plaintext, still leaves you vulnerable. Strength checking is one piece of a larger security posture.
Open Password Strength Checker
Use the Password Strength Checker tool directly — no sign-up needed. Runs entirely in your browser.
Open Password Strength Checker
Comments