DigitHelm

Password Strength Checker | Entropy & Safety Tips

Check password strength locally in your browser. Estimates entropy, common-pattern risk, crack-time ranges, policy compliance, character diversity, and practical improvement tips.


Password Policy Check

Test against a workplace, app, or team password rule. Checks performed:

- 14+ characters
- Number required
- Symbol required
- Upper and lower case
- No common word hit

Generate a Strong Password

All generation happens locally in your browser — no data is sent anywhere.


What Is the Password Strength Checker?

Entropy measures unpredictability. The formula is H = L × log₂(C), where L is length and C is charset size. A 20-character lowercase password scores 94 bits. A 10-character password drawn from all 95 printable ASCII characters scores 65.7 bits. Length wins every time.

Adding one symbol to a short password gains less entropy than adding one more character of length would. The three attack scenarios show why the hashing scheme matters just as much: the same password can survive a slow hash for decades but fall to a GPU cluster in minutes.

Password Strength Checker Formula and Method

Rule 1: H = L × log₂(C), where H = entropy bits, L = password length, C = character set size.
Rule 2: C is 26 for lowercase only, 52 for mixed case, 62 with digits, 95 for all printable ASCII.
Rule 3: Subtract penalty bits for dictionary words (−20), keyboard walk patterns (−15), year patterns (−10), repeated-character runs ≥3 (−8), and length under 8 (−12).
Rule 4: Crack time: guesses = 2^H.
Rule 5: Time (seconds) = guesses ÷ attack_speed.
Rule 6: Scenarios: slow offline hash = 1,000,000/s; GPU cluster = 10,000,000,000/s; dedicated rig = 1,000,000,000,000/s.
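Rules 1 to 6 implemented end to end, as an added example that is not DigitHelm's own code: charset detection, penalty bits, effective entropy, diceware passphrase entropy, and crack time under the three scenario speeds. The word list, keyboard walks and leet mapping are constructed stand-ins, since the page gives the penalties but not the lists behind them.

```javascript
// Added example (not DigitHelm's own code): Rules 1-6 in plain JavaScript; word lists are constructed stand-ins.
const ATTACK_SPEEDS = { slowOfflineHash: 1e6, gpuCluster: 1e10, dedicatedRig: 1e12 }; // Rule 6
const COMMON_WORDS = ['password', 'dragon', 'dog', 'monkey', 'welcome'];   // constructed
const KEYBOARD_WALKS = ['qwerty', 'asdf', '1qaz2wsx', '12345'];           // constructed

// Rule 2: charset size from the classes present (26 + 26 + 10 + 33 = 95 printable ASCII).
function charsetSize(pw) {
  let c = 0;
  if (/[a-z]/.test(pw)) c += 26;
  if (/[A-Z]/.test(pw)) c += 26;
  if (/[0-9]/.test(pw)) c += 10;
  if (/[^A-Za-z0-9]/.test(pw)) c += 33;
  return c;
}

// Undo common letter substitutions so "D0g" still hits the word list (the mapping is an
// assumption; the page penalises the "leet" pattern but does not spell it out).
function deleet(s) {
  const map = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '$': 's', '@': 'a' };
  return s.replace(/[01345$@]/g, ch => map[ch]);
}

// Rule 3: penalty bits for the patterns attackers try first.
function penaltyBits(pw) {
  const forms = [pw.toLowerCase(), deleet(pw.toLowerCase())];
  const hit = list => list.some(w => forms.some(f => f.includes(w)));
  let p = 0;
  if (hit(COMMON_WORDS)) p += 20;          // dictionary word
  if (hit(KEYBOARD_WALKS)) p += 15;        // keyboard walk
  if (/(?:19|20)\d{2}/.test(pw)) p += 10;  // year pattern 1900-2099
  if (/(.)\1\1/.test(pw)) p += 8;          // run of 3+ identical characters
  if (pw.length < 8) p += 12;              // too short
  return p;
}

// Rule 1 minus Rule 3, floored at zero. Passphrase entropy comes from the word list instead.
function effectiveEntropy(pw) {
  return pw ? Math.max(0, pw.length * Math.log2(charsetSize(pw)) - penaltyBits(pw)) : 0;
}
const passphraseEntropy = (words, listSize = 7776) => words * Math.log2(listSize);

// Rules 4-5: seconds to exhaust 2^H guesses at each scenario speed, plus a readable form.
function crackTimes(bits) {
  return Object.fromEntries(Object.entries(ATTACK_SPEEDS).map(([n, s]) => [n, 2 ** bits / s]));
}
function humanTime(sec) {
  const units = [['years', 31557600], ['days', 86400], ['hours', 3600], ['minutes', 60]];
  for (const [name, size] of units) if (sec >= size) return `${(sec / size).toPrecision(3)} ${name}`;
  return `${sec.toPrecision(3)} seconds`;
}
```

Running `effectiveEntropy('MyD0g!')` shows how the word hit and the short-length penalty together strip most of the raw 39.4 bits, while `passphraseEntropy(4)` reproduces the 51.7-bit diceware figure used later on the page.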

How to Use

1. Type or paste your password into the input field. Toggle the eye icon to see what you typed. The entropy score and checklist update with every keystroke.

2. Read the entropy score in bits, not just the colour bar. Under 40 bits is crackable in seconds by a GPU cluster. Above 100 bits is effectively uncrackable with current hardware.

3. Work through the security checklist in order of impact: length first (aim for 14+), then add a symbol, then check for dictionary words. Fix the red items — don't guess.

4. Switch between the three attack speed scenarios to understand your real exposure. Surviving the GPU cluster but not the dedicated rig tells you something specific about your risk.

5. Use the Password Comparison tab to paste several candidate passwords, one per line, and rank them by entropy.

6. Click Generate Password for a cryptographically random string, or Generate Passphrase for four random words. Passphrases consistently score above 50 bits and are actually memorable.

7. Copy the generated password immediately and store it in a password manager. The checker stores nothing — close the tab and it's gone.

Password Strength Checker Example

Compare "MyD0g!" with "correct-horse-battery-staple". The first has uppercase, a digit, and a symbol — but at 6 characters, it scores about 19 effective bits after penalties for "dog" and the leet pattern. A GPU cluster cracks it in under a millisecond.

"correct-horse-battery-staple" is 28 characters. Four random diceware words give ~51.7 bits. Crack time against the GPU cluster: thousands of years. Letter-substitution tricks add almost no entropy. Length and randomness are the only things that matter.

Understanding Password Strength

What Password Entropy Actually Measures

Entropy bits answer one question: how many guesses would an attacker need to exhaustively search the space your password was drawn from? At 60 bits, that's over 3,600 years at 10 billion guesses per second. Each extra bit doubles the number of possible passwords.

The raw formula gives the theoretical maximum. Penalties apply on top for predictable patterns — the strings attackers try first. A password with "dragon" or "1987" has far fewer effective bits than its raw score suggests.

The Three Attack Scenarios — What They Actually Represent

Slow offline (1M guesses/sec) means the site uses bcrypt, scrypt, or Argon2. Each guess requires real CPU work. This is what a well-run service provides after a breach.

GPU cluster (10B/sec) is the realistic scenario for any site that stored passwords in MD5 or SHA-1. A $50/hr cloud GPU cluster hits this speed. This is your real threat model for most data breaches.

Dedicated rig (1T/sec) is purpose-built ASIC hardware targeting weak hashes. You can't control which hashing scheme a site uses — unique passwords everywhere is the only practical defence.

Why Passphrases Work

Four random words from a 7,776-word diceware list give ~51.7 bits. That's equivalent to a 9-character fully random alphanumeric password — but far easier to remember. Add a separator and one capitalized word and you're above 60 bits.

The critical word is "random." A passphrase you composed is not random. Attackers use phrase-based dictionaries including famous quotes, song lyrics, and common idioms. The words must come from a random draw, not a human choice.

The Eight Security Checks and What Each Catches

Length of 14+ characters is the highest-value check. Uppercase and lowercase expand the charset from 26 to 52. Digits take it to 62. Symbols take it to 95 — adding about 0.6 bits per character. Useful, but one extra character of length adds more.

No common words means your password doesn't appear in the top 100,000 English words or breach-list dumps. Attackers run word-based attacks before brute force. No repeated runs and no keyboard patterns eliminate the first few seconds of every cracking attempt.

Frequently Asked Questions

How is password entropy calculated?

H = L × log₂(C). Lowercase only: 4.7 bits/char. Mixed case + digits + symbols: 6.57 bits/char. A 15-character password using all four types gets 98.5 raw bits before penalties for patterns.

What is a good password entropy score?

Below 40 bits: crackable in seconds — change it now. 40–60 bits: weak for sensitive accounts. 60–80 bits: reasonable for general use. Above 80 bits: strong. 100+ bits is effectively uncrackable with current hardware.

Is my password checked online when I type it here?

No. Every calculation runs in your browser. Your password is never transmitted. Turn off Wi-Fi before testing — the tool works completely offline. No backend, no logging, no server involved.

What makes a passphrase stronger than a random-looking password?

Four randomly chosen words from a 7,776-word list give ~52 bits — equivalent to a 9-char random alphanumeric password, and far easier to memorize. The words must be genuinely random, not composed. "correct-horse-battery-staple" only works if you rolled dice to pick those four words.

How long should my password be?

For most accounts, 14–16 random characters is sufficient. For email, banking, or your password manager, aim for 20+ characters or a four-to-five word passphrase. NIST recommends length over complexity rules.

Why does the crack time change so much between attack scenarios?

The hashing algorithm a site uses determines how fast an attacker can guess after a breach. Bcrypt limits guesses to ~1M/sec. MD5 allows 10B/sec on commodity hardware. You don't control which a site uses — unique passwords everywhere is the practical response.

Should I use a password manager?

Yes. A password manager generates and stores a unique random password for every account. Password reuse is the single biggest real-world risk. Bitwarden is free and open-source. 1Password and Dashlane are solid paid options.

What are keyboard walk patterns and why are they penalized?

Keyboard walks follow physical key paths — qwerty, asdf, 1qaz2wsx. Every cracking tool tests hundreds of walk variations in the first few seconds. "Qwerty123!" is as weak as "Password123!" despite looking more complex. The penalty is −15 bits.
