Password Strength Checker & Entropy Analyzer

Test any password to see its strength rating, entropy score (bits), estimated crack time, and detected weaknesses. Checks for common patterns, dictionary words, keyboard walks, repeated characters, and known breached passwords. All analysis runs locally — your password never leaves your browser.

Password Strength Analyzer: Type a password to instantly see its strength rating, entropy score, estimated crack time, and specific improvement suggestions. The tool checks for common patterns, dictionary words, and known breached passwords.

Password Strength Analyzer

Analyze entropy, crack time, and security score locally.

Strength: Enter PasswordScore: 0/4

Key Takeaways

Rates password strength from very weak to very strong
Calculates entropy (bits) — 80+ bits is considered strong
Estimates time to crack using brute force at various speeds
Detects common patterns: keyboard walks, repeated characters, dictionary words
All analysis runs locally — your password is never sent to any server

What is Password Strength Analyzer?

Password Strength Analyzer — A Password Strength Analyzer is a free tool that evaluates password security by checking length, complexity, entropy, and known breach databases.

Check how strong your password is with this free password strength analyzer. Type any password to instantly see its security rating (very weak to very strong), entropy score in bits, estimated time to crack at various attack speeds, and specific weaknesses detected. The analyzer checks for common patterns including keyboard walks (qwerty, asdf), repeated characters, sequential numbers (123456), dictionary words, l33t substitutions (p@ssw0rd), and passwords found in known breach databases. Understand why your password is weak and get actionable improvement suggestions. All analysis runs entirely in your browser — your password is never transmitted to any server.

How to Use Password Strength Analyzer

1
Type or paste a password into the analyzer field.
2
Review the strength rating, entropy score, and estimated crack time.
3
Check the detected weaknesses — patterns, dictionary words, and known breaches.
4
Improve the password based on suggestions and retest until it reaches your target strength.

Key Features

Password strength rating from very weak to very strong with entropy (bits)

Estimated crack time at offline attack speeds (10B guesses/sec)

Pattern detection: keyboard walks, sequences, repeats, and dictionary words

l33t speak substitution detection (p@ssw0rd, h4ck3r)

Client-side analysis — password never sent to any server

Use Cases

Testing password strength before creating accounts or credentials

Validating password policy requirements for enterprise security teams

Training employees on what makes passwords weak vs strong

Evaluating candidate passwords before storing in password managers

About Password Strength Analyzer

Why "P@ssw0rd1!" Is Weak Despite Meeting Complexity Rules

Modern password security is about resistance to realistic attacks, not just checking if a password has uppercase, lowercase, numbers, and symbols. A password like P@ssw0rd1! meets most complexity requirements but is cracked in seconds by any password-cracking tool because it follows the most predictable pattern in human-chosen passwords: (capitalized common word) + (l33t substitution) + (number) + (special char). Attackers use rule-based attacks (hashcat's rockyou-30000.rule, OneRuleToRuleThemAll, etc.) that apply these exact transformations to wordlists. The first 100 million human-chosen "complex" passwords are tried in under a minute on a modern GPU. True strength comes from unpredictability, not complexity rules.

Entropy and Crack Time Tiers

Entropy	Combinations	Online (100/sec)	Offline GPU (10B/sec)	Rating
20 bits	~1M	3 hours	Instant	Trivial
40 bits	~1T	350 years	2 minutes	Weak
60 bits	~10¹⁸	millennia	3.6 years	Moderate
80 bits	~10²⁴	millennia	3.8M years	Strong
100+ bits	~10³⁰	universe age	universe age	Very strong

Target: 60+ bits for low-stakes online accounts, 80+ bits for important accounts, 100+ bits for master passwords / crypto wallets. Practical examples: a random 12-char alphanumeric password = ~71 bits; a 6-word passphrase = ~77 bits; a 20-char random password with all character types = ~120 bits.

Why Length Beats Complexity

correct-horse-battery-staple (28 chars, all lowercase) provides ~44 bits of entropy from word selection alone — stronger than Tr0ub4dor&3 (12 chars with all character types, only ~28 bits). This is XKCD's famous insight: length compounds exponentially while complexity adds linearly. Each extra character doubles the search space (when added at the end of a random string); each extra character class only multiplies the per-character pool by a small factor (lowercase: 26 → adding numbers: 36 → adding uppercase: 62 → adding symbols: ~95). For passwords you must memorize, prefer length via random words. For passwords stored in a password manager, prefer length and full character set.

Patterns Attackers Check First

Dictionary words: all of English, common Spanish/French/German, names, brand names — millions of guesses
Common passwords: top 10,000 leaked passwords (rockyou.txt + breach lists) — tried in milliseconds
L33t substitutions: p→@, o→0, a→4, e→3, i→1, s→$ — applied to dictionary words
Capitalization patterns: first letter capital, last letter capital, alternating caps
Append patterns: word + number (1-9999), word + year (1900-2030), word + symbol (! @ # $)
Keyboard walks: qwerty, qaz2wsx, 1qaz2wsx, asdf, zxcv — patterns made by your fingers on the keyboard
Sequences: 123456, abcdef, 1234abcd, 0987654321
Repeated chars: aaa, 111, password111, 12121212
Dates: 19xx-20xx years, MM/DD/YYYY, DDMMYYYY, common birthdays

This analyzer detects all of these and downgrades the rating accordingly — that's why P@ssw0rd1! rates weak even though it satisfies typical "3 of 4 character classes + 8 chars" policies.

Online vs Offline Attack Speeds

Online attacks (the attacker hits your login form) are rate-limited: 100 attempts/sec is generous; most services lock out after 5–10 failed attempts. For online attacks, even a weak password is "safe" — but you cannot assume your password will only face online attacks. Offline attacks (the attacker stole the database) can run at billions of guesses per second using GPU clusters: 10B/sec for fast hashes (SHA-256, MD5); 100B/sec for ASIC-optimized algorithms; ~100/sec for bcrypt-cost-12 (which is why bcrypt matters). You should always assume an offline attack will eventually happen (database breaches are common). Aim for entropy that resists 10B/sec offline attacks for at least the password's expected lifetime — that means 80+ bits.

HIBP Breach Check

Have I Been Pwned (haveibeenpwned.com, maintained by Troy Hunt) maintains a database of 850+ million passwords from public data breaches. The analyzer queries HIBP using k-anonymity: your browser hashes the password with SHA-1, sends only the first 5 chars of that hash, and HIBP returns all ~500 matching hash suffixes. Your browser compares locally. HIBP never sees your password or its full hash — they only know "someone somewhere checked a password starting with hash prefix XXXXX." If your password appears in any breach, replace it immediately even if it's strong on paper — attackers have it.

Beyond Passwords: 2FA, Passkeys, Password Managers

Even a perfectly strong password can be phished, keylogged, or leaked. Defense in depth:

Password manager (1Password, Bitwarden, KeePassXC) — eliminates password reuse; you only memorize the master password
2FA via TOTP (our OTP Generator) — protects against credential stuffing from breaches
Passkeys / WebAuthn — phishing-resistant; replaces passwords with public-key cryptography
Unique password per service — limits the blast radius of any single breach
Master password = a strong passphrase you actually memorize, used only as your password manager unlock

Frequently Asked Questions

How many bits of entropy is considered a strong password?: 60+ bits is good for most online accounts. 80+ bits is strong for sensitive accounts. 100+ bits is very strong. For reference, a random 12-character alphanumeric password has ~71 bits of entropy.
Is a complex short password better than a long simple one?: No. Length is more important than complexity. 'correct-horse-battery-staple' (28 chars, lowercase only) is far stronger than 'P@ss1!' (6 chars, all character types) because it has exponentially more combinations.
Why is 'P@ssw0rd1!' rated as weak?: It follows the most common password pattern: capitalize first letter, substitute @ for a, 0 for o, add a number and symbol at the end. Attackers check these l33t speak substitutions first in dictionary attacks.
Is my password sent to a server for checking?: No. All password analysis runs entirely in your browser using JavaScript. Your password never leaves your device and is not stored anywhere.
Should I use a password manager instead of memorizing passwords?: Yes. Use a password manager (1Password, Bitwarden, KeePass) to generate and store unique random passwords for every account. Memorize only your master password — make it a strong passphrase.
How often should I change my passwords?: Per NIST SP 800-63B, the long-standing advice to change passwords every 90 days is now considered counterproductive — it leads to weaker passwords as users make small predictable modifications. Change passwords ONLY when: (1) a service reports a breach, (2) you suspect compromise on your device, (3) you discover password reuse with a breached account. Strong, unique passwords don't need rotation.
What does it mean if my password is in a breach?: It means the password has appeared in at least one publicly leaked database — which means attackers have it on their lists. Credential-stuffing attacks systematically try breached passwords against every major service. Replace the password immediately, even if it scores 'strong' on entropy. Strong + breached = compromised.
Is 'correct horse battery staple' really safe?: The PHRASE itself is famous (from XKCD #936) so attackers explicitly include it in wordlists. But the METHOD — picking 4-6 truly random words from a large list — is sound. Use Diceware or our Password Generator passphrase mode to generate fresh random word combinations. Six random Diceware words give ~77 bits of entropy — strong against any offline attack.
What's a good length for a master password?: For a password manager master password: aim for 80–100+ bits of entropy. That's a 7-8 word Diceware passphrase (~90-100 bits) or a 16+ character random string. The master password is the one weak point of any password manager — invest in making it both strong AND memorable so you never need to write it down.
Is online or offline attack the real threat?: Always design against offline attacks. Online attacks are rate-limited (5-10 attempts before lockout). Offline attacks happen after database breaches — and at that point, an attacker runs billions of guesses per second on a GPU cluster. Every database breach starts as 'this won't happen' and ends with passwords on hashcat. Assume your hash will eventually be leaked; pick a password that survives offline cracking.

Loading your tools...

Entropy

Combinations

Online (100/sec)

Offline GPU (10B/sec)

Rating

20 bits

~1M

3 hours

Instant

Trivial

40 bits

~1T

350 years

2 minutes

Weak

60 bits

~10¹⁸

millennia

3.6 years

Moderate

80 bits

~10²⁴

millennia

3.8M years

Strong

100+ bits

~10³⁰

universe age

Very strong

Frequently Asked Questions

How many bits of entropy is considered a strong password?

60+ bits is good for most online accounts. 80+ bits is strong for sensitive accounts. 100+ bits is very strong. For reference, a random 12-character alphanumeric password has ~71 bits of entropy.

Is a complex short password better than a long simple one?

No. Length is more important than complexity. 'correct-horse-battery-staple' (28 chars, lowercase only) is far stronger than 'P@ss1!' (6 chars, all character types) because it has exponentially more combinations.

Why is 'P@ssw0rd1!' rated as weak?

It follows the most common password pattern: capitalize first letter, substitute @ for a, 0 for o, add a number and symbol at the end. Attackers check these l33t speak substitutions first in dictionary attacks.

Is my password sent to a server for checking?

No. All password analysis runs entirely in your browser using JavaScript. Your password never leaves your device and is not stored anywhere.

Should I use a password manager instead of memorizing passwords?

Yes. Use a password manager (1Password, Bitwarden, KeePass) to generate and store unique random passwords for every account. Memorize only your master password — make it a strong passphrase.

How often should I change my passwords?

Per NIST SP 800-63B, the long-standing advice to change passwords every 90 days is now considered counterproductive — it leads to weaker passwords as users make small predictable modifications. Change passwords ONLY when: (1) a service reports a breach, (2) you suspect compromise on your device, (3) you discover password reuse with a breached account. Strong, unique passwords don't need rotation.

What does it mean if my password is in a breach?

It means the password has appeared in at least one publicly leaked database — which means attackers have it on their lists. Credential-stuffing attacks systematically try breached passwords against every major service. Replace the password immediately, even if it scores 'strong' on entropy. Strong + breached = compromised.

Is 'correct horse battery staple' really safe?

The PHRASE itself is famous (from XKCD #936) so attackers explicitly include it in wordlists. But the METHOD — picking 4-6 truly random words from a large list — is sound. Use Diceware or our Password Generator passphrase mode to generate fresh random word combinations. Six random Diceware words give ~77 bits of entropy — strong against any offline attack.

What's a good length for a master password?

For a password manager master password: aim for 80–100+ bits of entropy. That's a 7-8 word Diceware passphrase (~90-100 bits) or a 16+ character random string. The master password is the one weak point of any password manager — invest in making it both strong AND memorable so you never need to write it down.

Is online or offline attack the real threat?

Always design against offline attacks. Online attacks are rate-limited (5-10 attempts before lockout). Offline attacks happen after database breaches — and at that point, an attacker runs billions of guesses per second on a GPU cluster. Every database breach starts as 'this won't happen' and ends with passwords on hashcat. Assume your hash will eventually be leaked; pick a password that survives offline cracking.

Tools

Finance

AI

Media

Marketing

More

Password Strength Checker & Entropy Analyzer

Key Takeaways

What is Password Strength Analyzer?

How to Use Password Strength Analyzer

Key Features

Use Cases

About Password Strength Analyzer

Why "P@ssw0rd1!" Is Weak Despite Meeting Complexity Rules

Entropy and Crack Time Tiers

Why Length Beats Complexity

Patterns Attackers Check First

Online vs Offline Attack Speeds

HIBP Breach Check

Beyond Passwords: 2FA, Passkeys, Password Managers

Frequently Asked Questions

Password Strength Checker & Entropy Analyzer

Key Takeaways

What is Password Strength Analyzer?

How to Use Password Strength Analyzer

Key Features

Use Cases

About Password Strength Analyzer

Why "P@ssw0rd1!" Is Weak Despite Meeting Complexity Rules

Entropy and Crack Time Tiers

Why Length Beats Complexity

Patterns Attackers Check First

Online vs Offline Attack Speeds

HIBP Breach Check

Beyond Passwords: 2FA, Passkeys, Password Managers

Frequently Asked Questions