
Password Strength Meter

Estimate password strength using entropy and common-password heuristics. See an approximate crack time. All checks run in your browser.

How to use Password Strength

  1. Type or paste a password into the box. It is analyzed entirely in your browser — nothing is sent anywhere.
  2. Read the entropy estimate in bits — the single best measure of how hard the password is to guess.
  3. Check the crack-time estimate, which translates those bits into a real-world "how long would an attacker need".
  4. Review the weakness flags: dictionary words, common patterns, repeated characters, and keyboard runs.
  5. Adjust the password — usually by making it longer — and watch the strength climb in real time.

How password strength is actually measured

Most "strength meters" you see at signup are theatre — they reward you for adding a capital letter and a number, then turn green. Real strength is not about which character types you use; it is about how many guesses an attacker would have to make before stumbling onto your password. That number has a name: entropy.

Entropy in plain terms

Entropy is measured in bits. Each bit doubles the number of possibilities an attacker must try. The math is simple: if a password is drawn from an alphabet of N possible characters and is L characters long, the entropy is L × log2(N) bits — but only if every character is chosen randomly. Here is what that looks like in practice:

Lowercase only (26):     log2(26)  ≈ 4.7 bits per character
Lower + upper (52):      log2(52)  ≈ 5.7 bits per character
Letters + digits (62):   log2(62)  ≈ 5.95 bits per character
All printable (~95):     log2(95)  ≈ 6.6 bits per character

A random 12-char password from all printable characters:
12 × 6.6 ≈ 79 bits  →  ~10^23 possible passwords

The catch in that formula is the word random. If you chose the password yourself, it is almost never random — and the real entropy is far lower than the formula suggests, because attackers do not guess randomly either.
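The formula above, and the crack-time conversion the meter applies to it, as an added example in JavaScript (this is not the page's own code). It computes L × log2(N) from the character classes present, converts the result into seconds at the page's stated offline rate of 10 billion guesses per second, and also covers the passphrase case (W words from a list of S words). The 33-symbol size for the "symbol" class, the duration buckets and the sample passwords are assumptions made for the example.

```javascript
// Added example (not the page's own code): naive entropy estimate for a
// character password, the same L * log2(N) formula as the text, plus the
// conversion of bits into a crack time at the page's assumed offline rate.
// The estimate assumes every character was picked uniformly at random from
// the classes present, so for a human-chosen password it is an upper bound.

const CLASSES = [
  { name: "lower", re: /[a-z]/, size: 26 },
  { name: "upper", re: /[A-Z]/, size: 26 },
  { name: "digit", re: /[0-9]/, size: 10 },
  // 95 printable ASCII minus 62 alphanumerics; assumption: any non-alnum
  // character counts as a draw from this 33-symbol class.
  { name: "symbol", re: /[^a-zA-Z0-9]/, size: 33 },
];

// Size of the alphabet implied by the character classes actually present.
function alphabetSize(password) {
  return CLASSES.filter((c) => c.re.test(password)).reduce((n, c) => n + c.size, 0);
}

// L * log2(N): bits of entropy if each character were uniformly random.
function entropyBits(password) {
  const n = alphabetSize(password);
  return password.length === 0 || n === 0 ? 0 : password.length * Math.log2(n);
}

// Passphrase variant: W words drawn uniformly from a list of S words.
function passphraseBits(wordCount, listSize) {
  return wordCount * Math.log2(listSize);
}

// The page's offline assumption: one high-end GPU, roughly 10^10 guesses/second.
const GUESSES_PER_SECOND = 1e10;

// Seconds to exhaust the whole keyspace (worst case; on average an attacker
// finds the password after trying half of it).
function crackSeconds(bits, rate = GUESSES_PER_SECOND) {
  return Math.pow(2, bits) / rate;
}

const YEAR = 31557600; // 365.25 days, an assumption for the buckets below

function humanDuration(seconds) {
  if (seconds < 1) return "less than a second";
  if (seconds < 60) return `${Math.round(seconds)} seconds`;
  if (seconds < 3600) return `${Math.round(seconds / 60)} minutes`;
  if (seconds < 86400) return `${Math.round(seconds / 3600)} hours`;
  if (seconds < YEAR) return `${Math.round(seconds / 86400)} days`;
  if (seconds < 1e6 * YEAR) return `${Math.round(seconds / YEAR)} years`;
  return "more than a million years";
}

function analyze(password) {
  const bits = entropyBits(password);
  const seconds = crackSeconds(bits);
  return {
    alphabet: alphabetSize(password),
    bits: Math.round(bits * 10) / 10,
    seconds,
    crackTime: humanDuration(seconds),
  };
}

// Constructed sample inputs, not real credentials.
for (const pw of ["password", "Tr0ub4dor&3", "xK9#vQ2$mLp7"]) {
  const r = analyze(pw);
  console.log(`${pw.padEnd(14)} alphabet=${r.alphabet} bits=${r.bits} crack=${r.crackTime}`);
}
console.log(`4 words from a 2048-word list: ${passphraseBits(4, 2048)} bits`);
```

Note that "password" scores 37.6 bits and about 21 seconds here even though it is the first guess any cracker makes; that gap is exactly why the page's meter layers pattern checks on top of the raw formula.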

Why human-chosen passwords are weaker than they look

Password-cracking tools do not start with "aaaaaaaa" and count up. They start with what humans actually do: the most common passwords, leaked password lists, dictionary words, names, dates, sports teams, and predictable transformations (capitalize the first letter, add a year, swap o→0 and a→@). A password like P@ssw0rd2024! ticks every "rule" box and is still cracked in seconds, because every one of those substitutions is the first thing an attacker tries.

This is why our meter flags patterns, not just character classes. A 14-character password made of a dictionary word plus a date can be weaker than a 10-character truly random string.
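The pattern flags described in this section and in the "How to use" list (dictionary words after undoing common substitutions, a trailing year, repeated characters, keyboard runs), as an added JavaScript example. It is not the page's own ruleset: the word list, the substitution table and the keyboard rows are tiny constructed illustrations, and the flag names are assumptions.

```javascript
// Added example (not the page's own code): the pattern checks a meter runs
// on top of the raw entropy formula. Every list below is a constructed
// illustration, not a real cracking wordlist or the page's own ruleset.

// A few words an attacker would try first (constructed, deliberately tiny).
const COMMON_WORDS = ["password", "summer", "welcome", "letmein", "admin", "dragon"];

// Predictable substitutions the text mentions; reversing them lets the
// dictionary check see "P@ssw0rd" as "password".
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t" };

const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];

// Lowercase, undo substitutions, keep letters only.
function normalizeLeet(password) {
  return password
    .toLowerCase()
    .split("")
    .map((ch) => LEET[ch] ?? ch)
    .join("")
    .replace(/[^a-z]/g, "");
}

function hasDictionaryWord(password) {
  const letters = normalizeLeet(password);
  return COMMON_WORDS.some((w) => letters.includes(w));
}

// Four-digit year, optionally followed by trailing punctuation ("Summer2024!").
function hasYearSuffix(password) {
  return /(19|20)\d{2}[^a-zA-Z0-9]*$/.test(password);
}

// Three or more of the same character in a row.
function hasRepeatedRun(password) {
  return /(.)\1{2,}/.test(password);
}

// Any 4-character window that walks along a keyboard row, forwards or backwards.
function hasKeyboardRun(password) {
  const rows = KEYBOARD_ROWS.flatMap((r) => [r, r.split("").reverse().join("")]);
  const lower = password.toLowerCase();
  for (let i = 0; i + 4 <= lower.length; i++) {
    const window = lower.slice(i, i + 4);
    if (rows.some((r) => r.includes(window))) return true;
  }
  return false;
}

// Returns the list of weakness flags that apply, in a fixed order.
function weaknessFlags(password) {
  const flags = [];
  if (hasDictionaryWord(password)) flags.push("dictionary-word");
  if (hasYearSuffix(password)) flags.push("year-suffix");
  if (hasRepeatedRun(password)) flags.push("repeated-chars");
  if (hasKeyboardRun(password)) flags.push("keyboard-run");
  return flags;
}

// Constructed sample inputs, not real credentials.
for (const pw of ["P@ssw0rd2024!", "Summer2024!", "qwerty123", "aaaaaa1", "xK9#vQ2$mLp7"]) {
  console.log(pw.padEnd(14), weaknessFlags(pw).join(", ") || "(no flags)");
}
```

The order of checks matters only for how flags are reported; a real meter would map each flag to a penalty on the entropy estimate, which is how a 13-character "P@ssw0rd2024!" ends up scoring below a 10-character random string.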

The two rules that beat everything else

  • Make it longer before you make it weirder. The meter rewards extra characters far more than extra symbol types, because each added character multiplies the keyspace by the alphabet size, while a new character class only enlarges the alphabet once.
  • Never reuse a winning password. A high score here means nothing if the same string guards five sites: one breach and credential-stuffing bots will try it against your email and bank within hours. A strong password isolates damage only when it is unique.

So what should you actually do?

Stop auditing passwords you invented and let a generator hand you ones a human could never produce. Most accounts deserve a fully random string; the two or three you log into by hand deserve a word-based phrase. Both belong in a manager, and the only secret left in your head is the phrase that unlocks the manager itself.

For real-world crack-time numbers — what 8, 12, and 16 characters actually buy you against a GPU rig, and why the hashing algorithm a breached site used matters as much as your password — see our guide: how long would it take to crack your password?

Frequently asked questions

Is this safe to use on a real password?
Yes. The meter scores what you type inside the page itself with no outbound request, so the password you are testing never crosses the network. Pull the plug on your connection and the gauge keeps responding.
What is password entropy?
Entropy, measured in bits, is the base-2 logarithm of the number of equally likely passwords an attacker would have to try. Each extra bit doubles the work. A password with 70 bits of entropy is two billion times harder to brute-force than one with 40 bits.
What "crack time" do you assume?
A motivated attacker running offline against a stolen password hash, on a single high-end GPU, at roughly 10 billion guesses per second. Online attacks against a live login are far slower because of rate-limiting and lockouts, so the offline number is the conservative worst case.
Why is a long sentence stronger than a short complex password?
Length dominates strength because every extra character multiplies the search space. A five-word passphrase like "correct horse battery staple" has more entropy than a random 8-character string of symbols — and it is far easier to remember and type.
Do special characters and numbers actually help?
They help by enlarging the per-character alphabet, but only modestly compared to adding length. Swapping an "a" for "@" adds almost nothing if an attacker knows people do that (they do). Adding two more random words adds far more real strength than sprinkling symbols.
My password scored high but I have used it on several sites. Is it safe?
No. Reuse is a bigger risk than weakness. If any one of those sites is breached, attackers will try the same password everywhere else (this is called credential stuffing). A strong password used on ten sites becomes ten chances to be exposed. Use a unique password per site.
What makes a password weak even if it is long?
Predictability. Dictionary words, names, dates, keyboard walks (qwerty, 12345), repeated characters, and common substitutions are all things password-cracking software tries first. A long but predictable password ("Summer2024!") falls quickly because attackers model exactly these patterns.
Should I change my passwords regularly?
Modern guidance (including NIST) says no — forced periodic changes push people toward weak, incremental passwords (Password1, Password2). If a password is long and unique, change it only when you have reason to believe it was exposed. A password manager makes "unique per site" practical without memorizing anything.
How many bits of entropy is "enough"?
As a rough guide: under 40 bits is weak, 60 bits resists casual offline attacks, 80+ bits is strong against a determined attacker for the foreseeable future, and 100+ bits is overkill for anything but the most sensitive secrets. A randomly generated 16-character password or a 5–6 word passphrase comfortably clears the 80-bit bar.

Built by Muhammad Tahir · About