Password Strength Meter
Check your password strength with entropy-based analysis. 100% client-side — your password never leaves your browser.
How to Use the Password Strength Meter
- Enter a password — type or paste a password into the input field on the left (or top on mobile).
- View the analysis — the strength meter, score, crack time estimate, and character breakdown update in real time.
- Read suggestions — specific improvement tips appear below the score to help you create a stronger password.
- Toggle visibility — click the eye icon to show or hide the password text.
Understanding Password Strength
Password strength is a measure of how difficult a password is to guess or crack through brute-force, dictionary, or pattern-based attacks. This tool evaluates password strength using entropy — a mathematical measure of randomness. The higher the entropy, the more possible combinations an attacker must try, and the longer a brute-force attack would take. However, entropy alone does not capture the full picture, so this tool also checks for common patterns, dictionary words, and known weak passwords to give you a realistic strength assessment.
How Entropy Is Calculated
Password entropy is calculated using the formula log2(C^L), which is the same as L × log2(C), where C is the size of the character set and L is the password length. The formula assumes every character is chosen independently and at random, so it is an upper bound for passwords a person made up. A password using only lowercase letters (26 characters) has a smaller character set than one using lowercase + uppercase + digits + symbols (95 characters). For example, an 8-character lowercase-only password has about 37.6 bits of entropy, while an 8-character password using all character types has about 52.6 bits. The general guideline is: under 40 bits is weak, 40-59 is fair, 60-79 is strong, and 80+ bits is very strong.
Why Common Passwords Are Dangerous
Even a long password is weak if it appears in known password lists. Attackers maintain massive databases of leaked passwords — the "Have I Been Pwned" database alone contains over 800 million compromised passwords. Tools like Hashcat and John the Ripper try these known passwords first, cracking them in seconds regardless of length or character variety. This is why "P@ssw0rd123!" scores poorly despite having uppercase, lowercase, digits, and symbols — it is a well-known pattern that attackers check immediately.
Best Practices for Strong Passwords
- Use at least 12 characters — length is the single most important factor in password strength
- Mix character types — combine uppercase, lowercase, digits, and symbols
- Avoid dictionary words — even with substitutions (@ for a, 0 for o), attackers know these patterns
- Use passphrases — four or more random words (e.g., "correct horse battery staple") are both strong and memorable
- Use a password manager — generate and store unique passwords for every account
- Enable two-factor authentication — even a strong password can be phished; 2FA adds a second layer
Brute-Force Attack Speeds
Modern GPUs can test billions of password hashes per second. A single NVIDIA RTX 4090 can crack MD5 hashes at over 150 billion guesses per second, NTLM at 100+ billion, and bcrypt at about 184,000 per second. Cloud-based cracking clusters multiply these speeds further. This is why even seemingly complex 8-character passwords can be cracked in minutes if the service stores them with a weak hashing algorithm. The crack time estimates in this tool assume 10 billion guesses per second, a conservative estimate for a dedicated attacker. Always use services that hash passwords with bcrypt, scrypt, or Argon2, which are designed to be slow and resistant to GPU attacks.
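The scoring described above, as an added JavaScript example (not this tool's own source): it applies the entropy formula, the 40/60/80-bit guideline, the 10 billion guesses per second assumption, and a known-password check that overrides the entropy score. The function names, the tiny blocklist, and the worst-case (full keyspace) crack time are assumptions made for illustration.

```javascript
// Added example; names are hypothetical, not taken from the tool.
const GUESSES_PER_SECOND = 1e10; // attacker speed assumed on this page

// Constructed sample blocklist; a real checker loads a breach-derived list.
const COMMON = new Set(["password", "p@ssw0rd123!", "123456", "qwerty"]);

// Printable ASCII classes: 26 + 26 + 10 + 33 (symbols and space) = 95.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 }, // assumption: anything else counts as a symbol
];

// C: sum of the sizes of every character class the password uses.
function charsetSize(pw) {
  return CLASSES.reduce((n, c) => n + (c.re.test(pw) ? c.size : 0), 0);
}

// log2(C^L), computed as L * log2(C) so long passwords do not overflow.
function entropyBits(pw) {
  const c = charsetSize(pw);
  return c === 0 ? 0 : pw.length * Math.log2(c);
}

// Guideline bands: <40 weak, 40-59 fair, 60-79 strong, 80+ very strong.
function rate(bits) {
  if (bits < 40) return "weak";
  if (bits < 60) return "fair";
  if (bits < 80) return "strong";
  return "very strong";
}

// Seconds to exhaust the whole keyspace (worst case for the attacker).
function crackSeconds(bits) {
  return Math.pow(2, bits) / GUESSES_PER_SECOND;
}

// A blocklist hit overrides entropy: known passwords are tried first.
function assess(pw) {
  const bits = entropyBits(pw);
  const known = COMMON.has(pw.toLowerCase());
  return {
    bits: Math.round(bits * 10) / 10,
    known,
    rating: known ? "weak" : rate(bits),
    crackSeconds: known ? 0 : crackSeconds(bits),
  };
}
```

Calling `assess("P@ssw0rd123!")` shows the gap between the two checks: entropy alone rates it "strong", while the blocklist hit forces "weak".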
Password Strength for Developers
As a developer, password security extends beyond choosing good passwords. When building authentication systems, always hash passwords with bcrypt (cost factor 12+), scrypt, or Argon2id — never use MD5, SHA-1, or SHA-256 alone for password storage. Enforce a minimum password length of 8-12 characters but avoid overly complex rules that frustrate users and lead to weaker passwords written on sticky notes. Consider integrating the "Have I Been Pwned" API to check passwords against known breaches. For generating secure random passwords, use our Password Generator and for hashing, try our Hash Generator.