Password Strength Checker

Instantly see how strong your password is — entropy, crack time, and character-class breakdown — without sending a single character to a server.

Time to crack (offline): 0 bits of entropy

Checked entirely in your browser. What you type here is never sent anywhere.

Password strength is measured primarily through entropy — a value, expressed in bits, that describes how many guesses an attacker would need to exhaust all possible combinations. The calculation starts with the pool size: a password that draws only from 26 lowercase letters has a pool of 26 characters, while one that mixes lowercase, uppercase, digits, and symbols can draw from a pool of 95 or more printable ASCII characters. Every character added multiplies the total search space by that pool size, so entropy grows as length × log₂(pool size). A 12-character password from the full 95-character ASCII set reaches roughly 79 bits of entropy — generally considered strong against offline cracking with today's hardware.

Crack-time estimates translate that entropy into something more intuitive by dividing the search space by a realistic guessing rate. Modern GPU-accelerated cracking rigs can test billions of MD5 hashes per second, but slower algorithms like bcrypt or Argon2id reduce that rate to thousands or fewer. The times shown here assume a mid-range offline attacker targeting a fast hash — a conservative scenario that keeps the estimates honest without overstating the threat.

Common patterns make passwords dramatically weaker than their raw length suggests. Dictionary words, keyboard walks (qwerty, 12345), leet substitutions (p@ssw0rd), and predictable suffixes (! or 1 at the end) are all modeled in modern cracking tools like Hashcat and John the Ripper. A 10-character password built from a common word plus a symbol may crack in seconds despite looking “complex”. The strongest passwords are long, random, and drawn from a wide character pool — exactly what a dedicated password generator produces.

Privacy is the other reason to use a client-side checker. Typing your real password into a web form that sends it to a remote server is a significant risk — you have no way to verify what the server logs. This tool performs every calculation locally using JavaScript that runs entirely in your browser tab. Nothing you type is transmitted, stored, or shared. You can verify this by opening your browser's network tab while using the checker: no outbound requests will appear when you type in the password field.

Frequently Asked Questions

Is it safe to type my password into a strength checker?

Only if the checker runs entirely in your browser, like this one. Every calculation here happens locally in JavaScript — nothing you type is transmitted, logged, or stored. You can confirm this by opening your browser’s network tab while typing: no outbound requests appear. Avoid any checker that sends your password to a server.

What counts as a strong password score?

Strength is measured in bits of entropy. Below ~50 bits is weak, 60–80 bits is reasonable for most accounts, and 80+ bits is strong against offline brute-force attacks. A 16-character random password with mixed character types reaches roughly 100 bits.

Why does the crack time differ from other tools?

Crack-time estimates depend on the assumed guessing rate and hashing algorithm. This tool assumes a conservative offline attacker testing a fast hash at billions of guesses per second. Tools that assume slower hashes (bcrypt, Argon2id) or online rate limits will report much longer times for the same password.

Written & reviewed by Andrew Ivanov, Fractional CTO. Last reviewed .