Password strength checker
Estimate password strength without sending it anywhere.
- Length
- Character classes
- Estimated entropy
- Estimated crack time
What makes a strong password
- Length matters most. A 16-character passphrase beats an 8-character "complex" password.
- Avoid common patterns. "Password1!", dates, keyboard walks (qwerty, asdf), and sequential digits are all quickly cracked.
- Use unique passwords. A password manager lets you use a different long password on every site without memorising them.
- Turn on two-factor auth wherever it's offered. Even a strong password isn't enough if the site is breached.
Crack-time estimates assume an offline attack at 10 billion guesses per second against a fast hash (e.g. unsalted MD5). The same attack against bcrypt or Argon2 would take vastly longer. Real-world outcomes depend on how the target system stores passwords.
About this tool
Strong passwords are hard for automated tools to guess, but "looks random" doesn't mean "is strong". This checker estimates how long an attacker with fast hardware, running about 10 billion guesses per second, would take to crack your password. It runs entirely in your browser; your password is never sent to our server, never logged, and never stored. The findings highlight specific issues (common passwords, keyboard walks, year numbers, repeating characters) rather than a vague score.
Frequently asked questions
How is this different from the meter on sign-up forms?
Most sign-up meters check only length and character classes. This one also looks at common-password lists, keyboard sequences like "qwerty" and "1234", year numbers, and repeating characters, and it reports an estimated crack time instead of a vague "weak / medium / strong".
Why is a 12-character random string stronger than 8 characters of mixed case?
Length adds entropy faster than character diversity. Each extra character multiplies the search space by the pool size. A 12-char lowercase-only password beats an 8-char complex one by a wide margin — which is why passphrases work so well.
Are the crack-time estimates realistic?
The 10 billion guesses-per-second rate assumes a fast hash like unsalted MD5 and modern attack hardware. Sites that use bcrypt or Argon2 slow attackers by a factor of millions, so the same password would be vastly harder to crack there. Treat the number as a worst case.
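An added example, not the checker's own code: the pool-size entropy estimate and the 10 billion guesses-per-second crack time from the two answers above, with a few of the pattern findings the page names. The pool sizes, pattern lists and sample passwords are assumptions constructed for illustration.

```javascript
// Added example: pool-size entropy estimate, not the checker's own code.
const GUESSES_PER_SECOND = 1e10; // the page's offline fast-hash assumption

// Character classes and pool sizes (printable ASCII; an assumption).
const CLASSES = [
  { name: "lowercase", re: /[a-z]/, size: 26 },
  { name: "uppercase", re: /[A-Z]/, size: 26 },
  { name: "digits", re: /[0-9]/, size: 10 },
  { name: "symbols", re: /[^a-zA-Z0-9]/, size: 33 },
];

// Patterns the page lists as quickly cracked (pattern lists are constructed).
const FINDINGS = [
  { label: "keyboard walk", re: /qwerty|asdf|zxcv/i },
  { label: "sequential digits", re: /0123|1234|2345|3456|4567|5678|6789/ },
  { label: "year number", re: /(19|20)\d{2}/ },
  { label: "repeating characters", re: /(.)\1{2,}/ },
];

function estimate(password, rate = GUESSES_PER_SECOND) {
  const classes = CLASSES.filter((c) => c.re.test(password));
  const pool = classes.reduce((sum, c) => sum + c.size, 0);
  // Each extra character multiplies the search space by the pool size,
  // so entropy in bits is length * log2(pool).
  const bits = password.length ? password.length * Math.log2(pool) : 0;
  return {
    length: password.length,
    classes: classes.map((c) => c.name),
    bits,
    // Seconds to exhaust the whole space. This only holds when no finding
    // applies, because pattern-based guesses are tried first.
    seconds: Math.pow(2, bits) / rate,
    findings: FINDINGS.filter((f) => f.re.test(password)).map((f) => f.label),
  };
}

// Constructed sample inputs.
const longLower = estimate("kvmtrqzhwpbd"); // 12 lowercase letters
const shortMixed = estimate("Kv7#tRq2"); // 8 characters, all four classes
const patterned = estimate("Qwerty2019!!!");
console.log(longLower.bits.toFixed(1), shortMixed.bits.toFixed(1), patterned.findings);
```

Passing a lower `rate` as the second argument models a slow hash such as bcrypt or Argon2 on the same password.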