How Strong Is My Password?
Check your password strength with crack time estimates
Your password never leaves your browser
All analysis is performed locally using JavaScript. Nothing is sent to any server.
How it works
This tool estimates password strength by analyzing character diversity (uppercase, lowercase, digits, symbols), length, and common patterns (sequential characters, repeated characters), and by checking the password against a list of commonly used passwords. The entropy-based score maps to a 0-4 scale similar to the zxcvbn algorithm. The crack time estimate assumes an attacker performing 10 billion guesses per second. Everything runs entirely in your browser.
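A sketch of the kind of entropy-based estimate described above, added here as an example and not this tool's own code. The function names, the sample common-password list, the way repeated and sequential characters are discounted, and the score cutoffs are all assumptions made for the illustration; only the 10 billion guesses per second rate comes from the page.

```javascript
// Constructed sample list; a real checker ships a far larger one.
const COMMON = new Set(["password", "123456", "qwerty", "letmein", "dragon", "password123"]);
const GUESSES_PER_SECOND = 1e10; // the attacker rate the page assumes

// Alphabet size implied by the character classes present in the password.
function poolSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII symbols, space included
  return size;
}

// Characters that merely continue a repeat (aaa) or a sequence (abc, 321):
// each is predictable from the two before it, so it adds no search space.
function patternChars(pw) {
  let hits = 0;
  for (let i = 2; i < pw.length; i++) {
    const prev = pw.charCodeAt(i - 1) - pw.charCodeAt(i - 2);
    const cur = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    if (prev === cur && Math.abs(cur) <= 1) hits++;
  }
  return hits;
}

function estimate(pw) {
  // A listed password falls on the first guesses of a dictionary attack.
  if (pw.length === 0 || COMMON.has(pw.toLowerCase())) {
    return { bits: 0, score: 0, seconds: 0 };
  }
  const effectiveLength = pw.length - patternChars(pw);
  const bits = effectiveLength * Math.log2(poolSize(pw));
  // Assumed cutoffs in bits for the 0-4 scale (not the tool's own values).
  const score = [28, 36, 60, 80].filter((cutoff) => bits >= cutoff).length;
  // On average the password is found after searching half the space.
  const seconds = Math.pow(2, bits - 1) / GUESSES_PER_SECOND;
  return { bits, score, seconds };
}

console.log(estimate("P@s5!"), estimate("qzmxvkrtplwhdnbf"));
```

A per-character model like this one treats every character as random, so it overstates the strength of passwords built from dictionary words; that is the gap the common-password and pattern checks exist to narrow.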
What Makes a Strong Password?
Length matters most. A 16-character password made of random lowercase letters is harder to crack than an 8-character password with uppercase, numbers, and symbols. Every additional character multiplies the number of possible combinations, so the search space grows exponentially with length. Aim for at least 12 characters; 16 or more is ideal.
Character diversity helps. Mixing uppercase, lowercase, numbers, and symbols increases the "keyspace" an attacker must search. But diversity alone doesn't compensate for short length — "P@s5!" is far weaker than "correct horse battery staple" despite using all character types.
Randomness is essential. Dictionary words, names, dates, and keyboard patterns (qwerty, 123456, asdfgh) are the first things attackers try. A truly strong password looks like random noise — or uses a passphrase of random, unrelated words.
Uniqueness per site is critical. Even the strongest password becomes worthless if you reuse it and one site gets breached. Attackers take leaked credentials and try them on other sites (credential stuffing). Every account should have a unique password.
How Passwords Get Cracked
Brute force attacks try every possible combination systematically. A modern GPU can test billions of password hashes per second. Short passwords (under 8 characters) can be cracked in minutes regardless of complexity. Length is the primary defense against brute force.
Dictionary attacks try common words, names, and known passwords first. This is why "password123", "letmein", and "dragon" are cracked instantly. Attackers also try common substitutions — "P@ssw0rd!" is well-known and provides almost no extra security.
Credential stuffing uses passwords leaked from data breaches on other sites. If you used "MyStrongPass99!" on a forum that got hacked, attackers will try that same password on your email, bank, and social media accounts. This is the number one reason to never reuse passwords.
Social engineering guesses passwords from personal information. Your pet's name, birthday, anniversary, favorite team, or child's name are all easy to find on social media. Avoid using any personally meaningful information in your passwords.
Rainbow tables are pre-computed hash lookups that can crack simple passwords almost instantly. Modern websites defend against this by "salting" passwords before hashing — but that's the website's responsibility, not yours. Your job is to make the password hard to guess in the first place.
Tips for Better Passwords
- Use a passphrase: String together 4-5 random, unrelated words. "correct horse battery staple" (from the famous XKCD comic) is the idea — but use actually random words, not a meaningful phrase. Something like "timber oxygen glacier plunger" is both strong and memorable.
- Use a password manager: Tools like 1Password, Bitwarden, and Dashlane generate and store unique, strong passwords for every account. You only need to remember one master password. This is the single best thing you can do for password security.
- Enable two-factor authentication (2FA): Even if your password is compromised, 2FA adds a second barrier. Use an authenticator app (Google Authenticator, Authy) rather than SMS when possible — SMS can be intercepted via SIM swapping.
- Check for breaches: Visit haveibeenpwned.com to check if your email or passwords have appeared in known data breaches. If they have, change those passwords immediately.
- Don't share passwords: Never send passwords via email, text, or chat. If you must share access, use a password manager's sharing feature, which encrypts the credentials in transit.
How Our Password Checker Works
This tool analyzes your password using pattern-based strength estimation. It checks for dictionary words, common substitutions (@ for a, 0 for o), keyboard patterns (qwerty, zxcvbn), repeated characters, sequential numbers, and dates. It estimates crack time across multiple attack scenarios — from slow online attacks (throttled by the website) to fast offline attacks (where an attacker has stolen the password hash database).
Your password never leaves your browser. All analysis runs locally in JavaScript. No network requests are made — you can verify this by disconnecting from the internet and using the tool offline. We never see, store, or transmit your password.