Password Strength Checker
Estimate the entropy of a password and how long it would take to brute-force. 100% local — nothing is uploaded.
Frequently asked questions
- How do you measure password strength?
- We multiply the password's length by log₂ of the size of the alphabet you used (26+26+10+32 if you used all four classes). The result is entropy in bits — 80+ is strong, 100+ is uncrackable in any practical timeframe.
- Is my password sent anywhere for checking?
- No. The score is computed in JavaScript on your machine. The password is not sent to any server, not stored in any cookie and is never compared against an online breach database.
- Does it check HaveIBeenPwned?
- No, intentionally. Even the k-anonymity API requires sending a hash prefix; we don't want to make any network call from a password field. Use 1Password or HIBP directly if you need a breach check.
- What does the crack-time estimate mean?
- It's the time to exhaust the keyspace at 10¹¹ guesses per second — a realistic offline GPU rate against a single-iteration hash. Online attacks against rate-limited login forms are millions of times slower.
- Why does my long password score 'weak'?
- Because it likely uses only one character class. 'aaaaaaaaaaaaaaaa' is 16 chars but only ~75 bits of entropy max; in practice the entropy is near zero because it's all-same. Mix in upper/digit/symbol or use a passphrase.
- Is the score the same as zxcvbn?
- It's a simpler, faster heuristic in the same spirit. zxcvbn additionally penalises dictionary words, dates and l33tspeak — its scores are slightly lower for human-chosen passwords. For random passwords the two agree closely.
- What's a safe entropy target?
- 80 bits is the modern minimum. 100 bits is ample for anything sensitive. 128 bits is overkill outside of cryptographic key material.
- Does this work for passphrases?
- Partially. The checker assumes the password is a random string from a character alphabet. A 6-word Diceware passphrase has ~77 bits of entropy but will score lower here because we score it as if you picked individual characters.
- Why is my password flagged as common?
- Because it appears in the small built-in list of the 20 most common breached passwords (password, 123456, qwerty, etc.). Even if it would otherwise score well, attackers try these first.
- Should I rotate strong passwords periodically?
- Modern guidance (NIST SP 800-63B) is no — only rotate after a known compromise. Periodic rotation pushes users toward weaker, predictable passwords.
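
The scoring the FAQ describes (length × log₂ of alphabet size, crack time at 10¹¹ guesses per second, common-password flag), as an added JavaScript example that is not the checker's own code. The three-entry common list, the case-insensitive match, the repeated-character flag and the label strings are assumptions made for illustration.

```javascript
// Added example, not the checker's source. Alphabet sizes are the FAQ's:
// 26 lowercase + 26 uppercase + 10 digits + 32 symbols.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 32 }, // assumption: anything else counts as a symbol
];

// Constructed stand-in for the 20-entry built-in list; the FAQ names only these.
const COMMON = new Set(["password", "123456", "qwerty"]);

const GUESSES_PER_SECOND = 1e11; // offline rate quoted in the FAQ

// Sum the sizes of every character class that appears at least once.
function alphabetSize(pw) {
  return CLASSES.reduce((n, c) => n + (c.re.test(pw) ? c.size : 0), 0);
}

// Entropy in bits = length * log2(alphabet size).
function entropyBits(pw) {
  const size = alphabetSize(pw);
  return size > 0 ? pw.length * Math.log2(size) : 0;
}

// Seconds to exhaust a keyspace of 2^bits at the FAQ's guess rate.
function crackSeconds(bits) {
  return Math.pow(2, bits) / GUESSES_PER_SECOND;
}

function assess(pw) {
  const bits = entropyBits(pw);
  // Assumption: case-insensitive match against the common list.
  const common = COMMON.has(pw.toLowerCase());
  // Assumption: flag single-character repeats, which the formula overrates.
  const repeated = pw.length > 1 && new Set(pw).size === 1;
  let label = bits >= 100 ? "100+ bits" : bits >= 80 ? "80+ bits" : "below 80 bits";
  if (common) label = "common password";
  else if (repeated) label = "repeated character";
  return { bits, seconds: crackSeconds(bits), common, repeated, label };
}

// Constructed inputs: the FAQ's 16 x 'a' example, a common password, a mixed string.
for (const pw of ["aaaaaaaaaaaaaaaa", "qwerty", "v7#Kq2!mZp9$Lx4&"]) {
  const r = assess(pw);
  console.log(pw, r.bits.toFixed(1), r.seconds.toExponential(2), r.label);
}
```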