Password Strength Checker
Paste a password — see its entropy in bits and a realistic crack-time estimate. We penalise the patterns crack tools actually try first (leet-speak, dictionary words, year suffixes, sequential digits).
What this checks
- Length — base entropy from the number of characters.
- Charset diversity — lowercase, uppercase, digits, symbols. More charsets = more bits per character.
- Common patterns — dictionary words, "Password123!" structures, year suffixes (2024, 2025, etc.), sequential digits, repeated chars. Each pattern subtracts entropy because crack tools test these first.
What it does not check
- Against breach lists — if your password appeared in a previous data breach, it's compromised regardless of how "strong" the math says it is. Use haveibeenpwned.com/Passwords with the k-anonymity API.
- Against the actual hashing your site uses — a strong password is wasted on a site that stores a plain SHA-256 hash of it. The crack-time estimate assumes weak server-side hashing as the threat model; against argon2id, the same password is dramatically harder to crack.
- Reuse detection — that's a password-manager job, not a single-string analysis.
FAQ
Is anything I type sent anywhere?
No. The strength check runs entirely in your browser — open DevTools → Network and verify. The password is never logged, transmitted, or stored.
How is 'crack time' estimated?
Crack time = 2^entropy / guesses-per-second. We assume an attacker with consumer GPUs (~10¹⁰ guesses/sec for a fast hash like SHA-256). For weak server-side hashing, this is realistic. For strong hashing (bcrypt, argon2id), the same password is far harder to crack, so the 'crack time' here is a conservative lower bound on the attacker's cost: a real attack against a slow hash takes at least this long.
Why does my password show 'weak' when it has 12 characters and a symbol?
Length isn't the same as entropy. P@ssw0rd123! is 12 characters but the structure (capital + word + leet-speak digits + symbol) is so common that crack tools test it in the first thousand attempts. The entropy meter penalises common patterns — capitalisation only at start, leet-speak substitutions, dictionary words, sequential digits.
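
The scoring described under "What this checks" and the crack-time formula from the FAQ, as an added JavaScript example (not this tool's own code). The word list, the leet-speak map and the flat 20-bit deduction per detected pattern are assumptions chosen for illustration; the sample passwords are constructed.

```javascript
// Added illustration. WORDS, LEET and PENALTY_BITS are assumptions, not the tool's values.
const GUESSES_PER_SEC = 1e10; // fast-hash GPU rate quoted in the FAQ
const WORDS = ["password", "welcome", "summer", "dragon"]; // constructed sample list
const LEET = { "@": "a", "4": "a", "0": "o", "3": "e", "1": "i", "$": "s", "5": "s" };
const PENALTY_BITS = 20; // assumed flat deduction per detected pattern

// Size of the alphabet implied by the character classes present.
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // 32 ASCII punctuation marks plus space
  return n;
}

// Undo common leet-speak substitutions so "P@ssw0rd" matches "password".
function deLeet(pw) {
  return [...pw.toLowerCase()].map((c) => LEET[c] || c).join("");
}

function findPatterns(pw) {
  const found = [];
  const plain = pw.toLowerCase();
  if (WORDS.some((w) => plain.includes(w))) found.push("dictionary");
  else if (WORDS.some((w) => deLeet(pw).includes(w))) found.push("leet-dictionary");
  if (/(19|20)\d{2}$/.test(pw)) found.push("year-suffix");
  if (/012|123|234|345|456|567|678|789/.test(pw)) found.push("sequential-digits");
  if (/(.)\1{2,}/.test(pw)) found.push("repeated-chars");
  if (/^[A-Z][^A-Z]*$/.test(pw)) found.push("capital-first-only");
  return found;
}

function estimate(pw) {
  if (!pw) return { bits: 0, patterns: [], seconds: 0 };
  const base = pw.length * Math.log2(charsetSize(pw)); // length x bits per character
  const patterns = findPatterns(pw);
  const bits = Math.max(0, base - PENALTY_BITS * patterns.length);
  return { bits, patterns, seconds: 2 ** bits / GUESSES_PER_SEC };
}

// Constructed sample inputs.
for (const pw of ["P@ssw0rd123!", "Summer2024", "q7#Lm2!xVe9@"]) {
  const r = estimate(pw);
  console.log(pw, r.bits.toFixed(1), "bits", r.patterns.join(","), r.seconds.toExponential(2), "s");
}
```

All three samples have at least 10 characters and mixed character classes, but only the random string keeps its full base entropy; the other two lose most or all of it to pattern deductions.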