UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

Password Strength Checker

Heuristic scoring without uploading secrets.

About Password Strength Checker

A weak password is the most common entry point for account takeovers, yet developers and users alike still underestimate how quickly short or pattern-based passwords fall to modern attacks. This password strength checker evaluates your password using entropy calculation — the mathematical measure of unpredictability in bits — combined with pattern recognition that catches dictionary words, keyboard walks, dates, and repeated sequences that appear strong by character count but are trivially cracked by automated tools. The strength score follows principles aligned with NIST SP 800-63B guidelines, which prioritize length and unpredictability over complexity rules. Results include an entropy estimate in bits, a 0–4 strength score with crack-time estimates at different attack speeds (online throttled, offline fast hash, GPU cluster), plus feedback on the weakest aspects with hardening tips.

Why use Password Strength Checker

NIST SP 800-63B Aligned Scoring

Evaluates passwords using entropy and pattern recognition rather than character class rules, aligning with the NIST Digital Identity Guidelines, which deprecate complexity requirements in favor of length and unpredictability.

Crack-Time Estimation at Three Attack Speeds

Estimates time to crack at online throttled (1K/s), offline fast hash (10B/s), and offline GPU cluster (100B/s) so you understand the realistic threat model, not just a color-coded bar.

Pattern-Based Weakness Detection

Identifies dictionary words, dates, keyboard walks (qwerty, 12345), L33t substitutions, and repeated character sequences — patterns that look complex to humans but are indexed in password cracking rulesets.

Shannon Entropy Calculation

Computes information-theoretic entropy in bits based on character set size and length, giving a quantitative unpredictability measure that translates directly to the number of guesses required to crack the password.

100% Client-Side — Password Never Transmitted

All analysis runs in your browser using JavaScript. Your password never leaves your device, making this safe to use when evaluating candidate passwords for real accounts.

Actionable Improvement Feedback

Rather than just showing a score, the tool explains exactly which patterns are reducing your entropy — so you know whether to add length, remove a word, or break up a keyboard sequence to maximize resistance.

How to use Password Strength Checker

  1. Type or paste your password into the input field — the strength meter and analysis update in real time as you type.
  2. Read the entropy estimate (in bits) shown below the meter — 40+ bits indicates moderate resistance; 60+ bits is strong for most use cases.
  3. Review the crack-time estimates: online throttled (1,000 guesses/sec), offline fast hash (10 billion/sec), and offline GPU cluster (100 billion/sec) show realistic attack scenarios.
  4. Read the feedback panel identifying specific weaknesses — dictionary words, dates, keyboard patterns, or repeated sequences that are reducing your score.
  5. Adjust your password based on the feedback — adding length delivers the largest entropy gain, followed by avoiding recognizable patterns.
  6. Use the toggle to show or hide the password characters if you need to review what you have typed without leaving the plaintext visible on screen.

When to use Password Strength Checker

  • Before setting a password for a critical account to verify it has sufficient entropy for your threat model.
  • When building a registration form and testing sample passwords to calibrate your strength policy.
  • When reviewing a password manager-generated password to confirm it meets the entropy threshold your security policy requires.
  • When educating users or team members about what makes a password strong versus merely compliant with character requirements.
  • When evaluating whether a legacy password (meeting old complexity rules) would hold up against modern offline attack speeds.
  • When testing proposed password policy changes to see how different minimum-length or character requirements affect entropy scores.

Examples

Weak password — dictionary word

Input: sunshine1

Output: Score: 1/4 (Weak). Entropy: ~18 bits. Pattern: dictionary word 'sunshine' + single digit. Crack time (offline GPU): < 1 second. Feedback: Remove the dictionary word; add length and avoid predictable digit suffix.

Medium password — mixed but patterned

Input: P@ssw0rd2024!

Output: Score: 2/4 (Fair). Entropy: ~32 bits. Patterns: dictionary word 'password' with L33t substitution, year '2024'. Crack time (offline GPU): ~3 minutes. Feedback: L33t substitutions and years are standard cracking rules — use a random sequence instead.

Strong passphrase

Input: marble-circuit-9-frozen

Output: Score: 4/4 (Very Strong). Entropy: ~67 bits. No common patterns detected. Crack time (offline GPU): centuries. Crack time (online throttled): heat death of the universe. Feedback: Excellent — long, no recognizable patterns.

Tips

  • Length beats complexity — a random 20-character lowercase passphrase has more entropy than a 10-character password with all four character classes.
  • Use three or four unrelated random words (correct horse battery staple) as a passphrase — memorable for humans, high-entropy, and resistant to pattern detection.
  • Avoid using names, birth years, or any personal information that could be in a targeted dictionary built from your social media profiles.
  • Check the crack-time estimate for 'offline GPU cluster' — this is the relevant threat if a service is breached and attackers have your hashed password.
  • Never reuse passwords across accounts even if they score high — a strong password leaked from one breach immediately becomes weak against credential stuffing on other services.

Frequently Asked Questions

What is password entropy and how is it measured?
Entropy is a measure of unpredictability, expressed in bits. For a password, it is approximately log₂(character set size) × length. A password using 62 characters (letters + digits) at 12 characters long has roughly 71 bits of entropy. Higher entropy means more guesses are required to crack it.
Why does NIST SP 800-63B discourage complexity rules?
NIST research found that complexity rules (must include uppercase, digit, symbol) produce predictable patterns — users write P@ssw0rd1 instead of a long unpredictable passphrase. Length and avoiding known patterns deliver more entropy than mixing character classes.
What crack time is considered safe?
For online attacks (rate-limited to ~100–1,000 guesses per second), even moderate entropy passwords are practically safe. For offline attacks against fast hashes (bcrypt, Argon2), 60+ bits of entropy is widely recommended. Passwords protecting encryption keys or privileged access should target 80+ bits.
Is a password with a high entropy score immune to phishing?
No. Entropy measures resistance to guessing attacks only. Phishing, keyloggers, credential databases, and session hijacking compromise passwords regardless of their strength. A strong password should always be paired with multi-factor authentication.
Why don't common substitutions like @ for a improve the score?
Password crackers use substitution rulesets — replacing a with @ or i with 1 is standard practice in dictionary-rule attacks. The tool detects L33t substitutions and discounts them from the entropy score because they add little unpredictability against modern cracking tools.
Is it safe to type my real password into this tool?
The tool runs entirely in your browser and never transmits any input to a server. However, as general security practice, avoid typing active account passwords into any third-party tool. Use the tool to evaluate candidate passwords before setting them, not to test passwords already in use.
How does the tool detect keyboard walks like 'qwerty' or '12345'?
Keyboard pattern detection maps standard keyboard layouts and identifies sequences of adjacent keys in horizontal, vertical, and diagonal directions. These sequences are among the first tried in automated attacks and are flagged as low-entropy regardless of length.
What is a good password length by current standards?
NIST SP 800-63B sets 8 characters as the minimum, but security professionals broadly recommend 16+ characters for high-value accounts. A random 16-character lowercase-only password has ~75 bits of entropy — stronger than a 10-character complex password that follows predictable patterns.
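Putting the FAQ's entropy formula, the three attack speeds listed under the features and a few of the pattern checks together in JavaScript, as an added example that is not UtilityKit's own code: the mini wordlist, keyboard rows, l33t map, score bands and the 10-bit-per-pattern penalty are constructed assumptions, so its numbers will not match the tool's output exactly.

```javascript
// Added example, not UtilityKit's own code: charset-based entropy, crack-time
// estimates at the three attack speeds named on the page, and simple pattern flags.
const ATTACK_SPEEDS = { onlineThrottled: 1e3, offlineFastHash: 1e10, offlineGpuCluster: 1e11 };
const DICTIONARY = ["password", "sunshine", "welcome", "dragon"]; // constructed mini wordlist
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
const PENALTY_BITS = 10; // constructed penalty per detected pattern, not the tool's own weights

function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII punctuation
  return n;
}

// Entropy as the FAQ defines it: log2(charset size) * length, before any pattern penalty.
function rawEntropyBits(pw) {
  return pw.length === 0 ? 0 : Math.log2(charsetSize(pw)) * pw.length;
}

function findPatterns(pw) {
  const found = [];
  const lower = pw.toLowerCase();
  const unleet = lower.replace(/[@431!0$57]/g, (c) => LEET[c]); // undo l33t before dictionary lookup
  for (const word of DICTIONARY) {
    if (!unleet.includes(word)) continue;
    found.push(`dictionary word '${word}'`);
    if (!lower.includes(word)) found.push("l33t substitution"); // word only appears once un-l33ted
  }
  const year = pw.match(/(?:19|20)\d{2}/);
  if (year) found.push(`year '${year[0]}'`);
  if (/(.)\1{2,}/.test(pw)) found.push("repeated characters");
  const walks = KEYBOARD_ROWS.flatMap((row) => [row, [...row].reverse().join("")]);
  for (let i = 0; i + 4 <= lower.length; i++) { // any 4 adjacent keys in a row, either direction
    if (walks.some((row) => row.includes(lower.slice(i, i + 4)))) { found.push("keyboard walk"); break; }
  }
  return found;
}

function analyze(pw) {
  const patterns = findPatterns(pw);
  const bits = Math.max(0, rawEntropyBits(pw) - PENALTY_BITS * patterns.length);
  // Score bands follow the page's thresholds: 40+ moderate, 60+ strong, 80+ for privileged access.
  const score = bits < 28 ? 0 : bits < 40 ? 1 : bits < 60 ? 2 : bits < 80 ? 3 : 4;
  // Average-case crack time: half the keyspace, i.e. 2^(bits-1) guesses, at each attack speed.
  const crackTimeSeconds = Object.fromEntries(
    Object.entries(ATTACK_SPEEDS).map(([name, rate]) => [name, 2 ** (bits - 1) / rate]));
  return { entropyBits: bits, score, patterns, crackTimeSeconds };
}
```

Note that the charset-only formula credits marble-circuit-9-frozen with roughly twice the ~67 bits the tool reports, because it cannot tell that the passphrase is built from dictionary words; that gap is exactly why a checker needs pattern detection on top of the length-times-charset estimate.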


Glossary

Shannon Entropy
A measure of information unpredictability in bits, named after Claude Shannon. For passwords, higher entropy means more guesses are required to find the correct value through brute force or dictionary attacks.
Brute Force Attack
A password cracking method that systematically tries every possible character combination. Speed depends on the cracking hardware and hash algorithm — GPU clusters can attempt hundreds of billions of guesses per second against weak hash functions.
Dictionary Attack
A password cracking method that tests a list of common words, phrases, and previously leaked passwords rather than exhaustive combinations. Effective against passwords based on recognizable words or common patterns.
L33tspeak Substitution
Character substitutions that replace letters with visually similar numbers or symbols (3 for e, @ for a, 1 for i). These substitutions are standard in cracking rule sets and add minimal unpredictability against automated tools.
NIST SP 800-63B
The NIST Digital Identity Guidelines that define password policy recommendations for authentication. The 2017 revision deprecated mandatory complexity rules and expiration policies in favor of length and breach-list checking.
Credential Stuffing
An attack where leaked username-password pairs from one data breach are tested against other services, exploiting password reuse across accounts. Strong unique passwords per service are the primary defense.