Password strength, entropy and crack time
What actually makes a password hard to crack, how the numbers behind a strength meter work, and how to turn a weak password into a strong one.
Open the Password Strength Checker →
What this tool does
The Password Strength Checker looks at a password you type and estimates how resistant it is to guessing: its length, the size of the character set it draws on, its entropy in bits, and roughly how long a fast attacker would take to crack it. It also flags common weaknesses — known-bad passwords, keyboard runs and repeats — and suggests fixes. Everything is computed in your browser; the password is never uploaded.
What is password entropy?
Entropy is a measure of unpredictability, counted in bits. Each extra bit doubles the number of guesses an attacker must try. A rough estimate is:
entropy ≈ length × log2(size of character set)
Using lowercase letters only gives a character set of 26; adding uppercase makes 52; adding digits, 62; adding symbols, roughly 95. So both longer passwords and a wider mix of characters raise entropy — but length is the bigger lever, because it multiplies, while the character set only sits inside a logarithm.
How crack time is estimated
If a password has N bits of entropy there are 2^N possible combinations, and on average an attacker finds it after trying half of them. Divide that by a guessing speed and you get a time. This tool assumes about 10 billion guesses per second — a realistic figure for an offline attack on a fast, unsalted hash using a GPU. Slower, properly-salted hashes (like bcrypt or Argon2) take far longer, so the estimate is deliberately pessimistic: if it looks strong here, it is at least that strong in practice.
One caveat: this maths assumes a random password. Real attackers try dictionary words, names, dates and leaked passwords first, so a "complex-looking" but predictable password (P@ssw0rd1) falls far faster than its raw entropy suggests. That's why the tool also penalises common patterns.
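The estimate and the pattern caveat above, worked through as an added example (this is not the tool's own code). The character-class sizes and the guessing rate come from the article; the 33-symbol count, the sample known-bad list, and the four-character keyboard-run threshold are assumptions.

```javascript
// Added example, not the tool's own code. Lists below are constructed samples.
const GUESSES_PER_SECOND = 1e10; // the article's assumed offline GPU rate
const KNOWN_BAD = new Set(["password", "p@ssw0rd1", "123456", "qwerty", "letmein"]);
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];

// Sum the character classes the password draws on (26 / 52 / 62 / ~95).
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // assumption: printable ASCII symbols incl. space
  return size;
}

// entropy ≈ length × log2(size of character set)
function entropyBits(pw) {
  const size = charsetSize(pw);
  return size === 0 ? 0 : pw.length * Math.log2(size);
}

// Average case: half of the 2^N combinations, divided by the guessing rate (seconds).
function crackSeconds(bits) {
  return Math.pow(2, bits - 1) / GUESSES_PER_SECOND;
}

// Flag the weaknesses the article names: known-bad passwords, keyboard runs, repeats.
function weaknesses(pw) {
  const lower = pw.toLowerCase();
  const found = [];
  if (KNOWN_BAD.has(lower)) found.push("known-bad");
  // Assumption: four or more adjacent keys on one row count as a keyboard run.
  for (const row of KEYBOARD_ROWS) {
    for (let i = 0; i + 4 <= row.length; i++) {
      if (lower.includes(row.slice(i, i + 4))) { found.push("keyboard-run"); break; }
    }
  }
  if (/(.)\1{2,}/.test(pw)) found.push("repeat"); // same character three or more times in a row
  return [...new Set(found)];
}

// Raw-entropy numbers plus the pattern flags that should override them.
function analyse(pw) {
  const bits = entropyBits(pw);
  return { bits, seconds: crackSeconds(bits), weaknesses: weaknesses(pw) };
}
```

`analyse("P@ssw0rd1")` reports about 59 bits of raw entropy yet still carries the known-bad flag, which is why the flags have to take precedence over the crack-time figure.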
How to read the result
- Very weak / Weak — guessed in seconds to hours. Don't use it anywhere.
- Reasonable — fine for low-stakes logins, but not for email or banking.
- Strong / Very strong — would take years to centuries to brute-force. Good, as long as it's also unique.
How to make a strong password
- Make it long — at least 12–16 characters; more for important accounts.
- Prefer a passphrase: four or five random, unrelated words are long, high-entropy and memorable.
- Avoid dictionary words on their own, names, birthdays and keyboard runs like qwerty.
- Never reuse a password — a leak on one site then unlocks all the others.
- Better still, let a password manager generate and remember unique passwords, and turn on two-factor authentication.
How to use it
- Type or paste a password — the meter, entropy and crack time update as you type.
- Use the Show button to reveal what you typed.
- Read the warnings and apply the suggestions, then watch the score climb.
- Generate a fresh, strong one with the Password Generator.
Your password stays private
The analysis is pure JavaScript running on your device. Nothing you type is sent over the network, stored or logged. As a good habit, only ever enter passwords into sites you trust.
FAQ
Is it safe to type my password into a strength checker?
In this tool, yes — it runs locally and uploads nothing. In general, never type a real password into a site you don't trust; test one with the same length and mix instead.
What is password entropy?
A measure of unpredictability in bits; each bit doubles the guesses needed. Roughly length × log2(character-set size).
How long should my password be?
At least 12–16 characters, longer for important accounts. A four- or five-word passphrase is a strong, memorable option.