Password Strength Checker
Test how strong your password is with real-time score, entropy, and improvement tips.
- Home
- > Hash & Security >
- Password Strength Checker
Character Analysis
What Makes a Strong Password?
A strong password is one that is long, complex, and unpredictable. Length is the single most important factor — each additional character exponentially increases the number of possible combinations.
- Length ≥ 12 characters — Minimum recommended by NIST and OWASP. Each extra character adds significant entropy.
- Mix of character types — Uppercase, lowercase, numbers, and special symbols increase the effective character set size.
- Avoid common patterns — No sequential characters ("123", "abc"), keyboard patterns ("qwerty"), or repeated characters ("aaa").
- Not in common password lists — Avoid passwords that appear in known data breaches (like "password", "admin", "123456").
- Unique per service — Never reuse passwords across different websites or applications.
Understanding Password Entropy
Entropy measures how difficult it is to guess a password based on the number of possible combinations. It is expressed in bits. A password with n bits of entropy requires at most 2n attempts to brute-force.
| Entropy | Strength | Estimated Crack Time (1B/s) |
|---|---|---|
| < 30 bits | Very Weak | < 1 second |
| 30–40 bits | Weak | Seconds to hours |
| 40–50 bits | Fair | Hours to weeks |
| 50–60 bits | Good | Weeks to years |
| 60–80 bits | Strong | Years to centuries |
| ≥ 80 bits | Very Strong | Centuries+ |
Frequently Asked Questions
Is it safe to type my password here?
Yes. All password analysis happens entirely in your browser using JavaScript. No data is sent to any server. Your password never leaves your device.
What is a "common password"?
This tool checks against a list of the 10,000 most common passwords from known data breaches. If your password is in this list, an attacker with a password cracking tool could guess it instantly, regardless of its length or character variety.
What does "time to crack" mean?
This is an estimate of how long it would take to guess your password at 1 billion attempts per second (a realistic speed for an attacker with GPU hardware). Real-world times vary based on the attacker's resources, the hash algorithm used, and whether the password is salted.
What password length should I use?
NIST recommends a minimum of 8 characters for user-generated passwords and 6 characters for random auto-generated passwords. For high-security applications, aim for 12–16 characters with a mix of character types. A 16-character random password with all character types has ~104 bits of entropy.
Should I use a password manager?
Yes. A password manager (like Bitwarden, 1Password, or KeePass) can generate and store strong, unique passwords for every service. You only need to remember one strong master password. This is the single best step you can take to improve your online security.
