Password Strength Checker
Analyze password entropy, character composition, and estimated time-to-crack across different attack scenarios.
Enter a password above to see its strength analysis.
Why checking password strength matters
Weak passwords are the leading cause of account breaches. Attackers use automated tools that can test billions of password combinations per second against leaked credential databases. A password that feels memorable to you might take milliseconds to crack with a modern GPU and a wordlist.
This tool evaluates your password in real time using entropy-based scoring, pattern detection, and multi-scenario crack-time estimation: giving you an honest picture of how long your password would realistically survive an attack. Everything runs in your browser; nothing is transmitted to any server.
Step-by-step guide
- 1Type your password
Enter the password you want to evaluate into the input field. Use the eye icon to toggle visibility. - 2Review the strength score
A colour-coded bar (Very Weak to Strong) and entropy value appear instantly as you type. - 3Check character composition
See which character classes are present: uppercase, lowercase, digits, and special symbols. - 4Read the crack-time table
Compare estimated time-to-crack across three scenarios: online attack, offline fast hash, and bcrypt. - 5Act on suggestions
If the tool flags weaknesses such as short length or repeated characters, adjust your password accordingly.
Related Tools
Hash Generator
Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files. All hashes shown simultaneously with one-click copy.
HMAC Generator
Generate HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 message authentication codes with a secret key.
AES Encrypt / Decrypt
Encrypt and decrypt text with AES-256-GCM. Password-derived key via PBKDF2. Output includes salt and IV: fully self-contained.
JWT Debugger
Decode and inspect JWT header, payload, and signature. Shows expiry status, algorithm, and all time-based claims with human-readable dates.
Frequently Asked Questions
- Is my password sent anywhere?
- No. All analysis runs entirely in your browser using JavaScript. Your password never leaves your device and is never transmitted over the network.
- What does 'entropy' mean in this context?
- Entropy measures the unpredictability of your password in bits. A higher bit count means more possible combinations, making brute-force attacks harder. Passwords above 60 bits are generally considered strong.
- How is the crack time calculated?
- The tool estimates the number of guesses required (2^entropy) and divides by assumed attack speeds: 1,000 guesses/second for online attacks, 10,000/second for bcrypt, and 1 billion/second for fast offline hashes.
- What character types increase password strength most?
- Adding special characters (!, @, #, etc.) expands the character pool by ~33 characters, providing a larger boost per character than adding digits (pool +10) or case (pool +26). Length also increases entropy multiplicatively.
- Why does the tool warn about repeated characters?
- Repeated characters like 'aaa' reduce effective entropy because they shrink the real-world unpredictability of the password. The tool applies a deduction when three or more identical characters appear consecutively.
- What is a good minimum password length?
- Security experts recommend at least 12 characters for personal accounts and 16+ for sensitive accounts like banking or email. The tool will flag passwords shorter than 12 characters.
- How is this different from zxcvbn or similar libraries?
- This checker computes entropy from character-pool size and Shannon entropy of character frequency, combined with pattern deductions. It prioritises transparency: every score factor is visible, not hidden inside a third-party library.
- Can I use this to test passphrases?
- Yes. Passphrases made of multiple words often achieve high entropy through length alone. Paste any passphrase into the input to see its score and crack-time estimates.
- Does the score account for common passwords like 'password123'?
- Yes. The tool applies a heavy deduction for passwords that match common patterns and dictionary words such as 'password', '123456', 'qwerty', 'admin', and similar strings.
AlteredIdea vs alternatives
vs server-side tools: Everything runs in your browser: your password never leaves your device.
vs command-line tools: No setup needed. Works instantly in any browser.
vs paid tools: Completely free, no account required.