Security
Free Password Strength Checker Online
Check how strong a password is. Get entropy score, crack-time estimate and improvement tips.
What is password entropy?
Password entropy is a mathematical measure of how unpredictable — and therefore how difficult to guess — a password is. It is expressed in bits and calculated as: entropy = log₂(charset_size) × length. Higher entropy means more possible combinations an attacker must try before finding the correct password.
The charset size depends on what character types are used: lowercase letters contribute 26 possibilities per position, uppercase adds another 26, digits add 10, and symbols add approximately 32. A password using all four types draws from a charset of ~94 characters. Each additional character in the password multiplies the search space by 94 — so length growth is exponential.
helloworldHelloWorldHelloWorld9Hello@World9!How password attacks work
Understanding attack methods clarifies why specific password properties matter. Attackers do not try every possible combination at random — they use optimised strategies:
The attacker tries words from dictionaries, known passwords from breach databases (rockyou.txt), and common variations (password1, P@ssw0rd). This defeats any password that resembles a real word or common pattern, regardless of length.
Every possible combination of characters is tried systematically. Modern GPUs can attempt billions of hashes per second against fast hash algorithms (MD5, SHA-1). Bcrypt and Argon2 are designed to be slow — reducing brute-force speed to thousands of attempts per second.
Username/password pairs from previous data breaches are tried against other services. If you reuse a password across sites, a breach of any one site compromises all others. This is why password uniqueness is as important as password strength.
Common transformations are applied to dictionary words: capitalise the first letter, append a number, replace letters with symbols (a→@, e→3). Passwords like "Football1!" are trivially broken by rule-based tools like Hashcat.
Precomputed hash-to-password lookup tables allow instant cracking of unhashed or unsalted passwords. Modern password hashing (bcrypt, Argon2) uses random salts to defeat rainbow tables — each password hash is unique even if two users have the same password.
Entropy benchmarks — what is actually strong?
| Password example | Length | Charset | Entropy | Verdict |
|---|---|---|---|---|
| password | 8 | 26 | 37.6 bits | Very weak — dictionary word |
| Password1 | 9 | 62 | 53.6 bits | Weak — rule-based trivial |
| P@ssw0rd! | 9 | 94 | 59.2 bits | Weak — too predictable |
| correct horse staple | 21 | 27 | 99.0 bits | Strong — passphrase |
| Xk9#mL2$vQ8n | 13 | 94 | 85.6 bits | Strong |
| dF7!kL9@mN2#pQ4$ | 17 | 94 | 111.9 bits | Very strong |
| 64-char random | 64 | 94 | ~420 bits | Uncrackable (overkill) |
Password best practices for users
Password hashing for developers
If you are building an application that stores user passwords, the strength of user passwords matters — but so does how you store them. Never store plaintext passwords or use fast hashes (MD5, SHA-1, SHA-256) for password storage. Use a dedicated password hashing algorithm:
Memory-hard algorithm that is resistant to GPU and ASIC attacks. The current best choice for new applications. Use Argon2id with minimum 19 MB memory, 2 iterations, 1 parallelism for interactive logins.
Industry standard for over 25 years. Use cost factor 12 (2024 recommendation). Slightly slower than Argon2 for attackers due to memory requirements, but less than Argon2id. Widely available in every language.
Memory-hard like Argon2. Used by some cryptocurrency implementations. Less common in web applications than bcrypt or Argon2 but secure when properly configured.
To generate strong passwords to test with this tool, use the Password Generator. For generating secure random tokens and API secrets, use the Random Token Generator.
FAQ
Common questions
Is my password stored or sent anywhere?
No. The entire strength analysis runs in JavaScript inside your browser tab. Your password is never sent to any server, never logged, and never stored. You can verify this by disconnecting from the internet and opening the tool — it works fully offline.
What is password entropy and why does it matter?
Entropy measures how unpredictable a password is, expressed in bits. It is calculated as: log2(charset size) × length. Higher entropy means more possible combinations an attacker must try. A password from a 95-character set at 16 characters has ~105 bits of entropy — at 10 billion guesses per second, this would take longer than the age of the universe to brute-force.
How is the crack time estimate calculated?
Crack time is estimated assuming an attacker can try 10 billion passwords per second — the approximate speed of a modern GPU cluster running bcrypt or Argon2. The actual time depends on the hashing algorithm used to store the password: bcrypt at cost 12 reduces this to about 1,000 hashes/second. Our estimate assumes no hashing (worst case) to be conservative.
Why is length more important than complexity?
Adding one character to a password multiplies the search space by the charset size. Going from 8 to 12 characters (same charset) increases the search space by ~10 million times. Adding symbols to an 8-character password is far less effective than just making it longer. A 20-character lowercase-only passphrase is statistically stronger than a 10-character password with all character types.
What score is considered a strong password?
This tool rates passwords as: Very weak (under 15 bits), Weak (15–29 bits), Moderate (30–44 bits), Good (45–59 bits), and Strong (60+ bits). Security researchers generally recommend at least 60–80 bits of entropy for passwords protecting important accounts. For critical accounts, aim for 80+ bits.
Does this detect dictionary words and common passwords?
This tool checks for simple patterns like repeated characters and sequential strings (123, abc, qwerty), but does not check against a full dictionary or the haveibeenpwned breach database. For comprehensive breach checking, use the Have I Been Pwned Passwords API, which uses k-anonymity so your actual password is never transmitted.
Should I use passphrases instead of passwords?
Passphrases (4+ random words like "correct-horse-battery-staple") are excellent: they are long (high entropy), easy to remember, and easy to type. A 4-word passphrase from a 7,776-word list has ~51 bits of entropy; 6 words gives ~77 bits. They score very well in this tool because entropy grows with length. Use a password manager to generate and store truly random passwords for sites that require them.
How often should I change a strong password?
NIST guidelines (SP 800-63B, updated 2020) no longer recommend mandatory periodic password changes. Changing strong, unique passwords on a schedule tends to make them weaker — users pick predictable variations. Change a password immediately if: you know or suspect it was compromised, the service reports a data breach, or you shared it with someone who no longer needs access.
More in Security