Password Strength Checker

Estimate password entropy, detect weak patterns, and see time-to-crack — locally.

Free password strength checker. Measures entropy, flags common passwords, dictionary words, repeats, sequences and keyboard patterns, and estimates offline time-to-crack at realistic guess rates. Runs entirely in your browser — your password is never sent anywhere. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Is my password sent to a server?

No. All analysis — entropy, pattern detection, and crack-time estimation — runs in JavaScript on your device. The password never leaves your browser, so it is safe to test even a real password.

A strong password is not just long — it is unpredictable. This checker estimates how much true entropy your password has, flags the predictable patterns attackers exploit first, and tells you roughly how long it would survive a fast offline guessing attack. Everything runs in your browser, so you can safely test a password you actually use.

How it works

Step 1 — Measure the character pool

The tool identifies every character class present in the password:

  • Lowercase letters: 26 possible characters
  • Uppercase letters: 26 possible characters
  • Digits: 10 possible characters
  • Symbols and punctuation: approximately 33 possible characters

Raw entropy starts at length × log₂(poolSize) bits. A 12-character password using all four classes draws from a pool of 95, giving about 79 bits of raw entropy.

Step 2 — Penalise predictable patterns

Attackers do not guess randomly — they run optimised rule-based attacks that try the most common passwords first, then dictionary words with substitutions, then patterned strings. The checker detects and penalises:

PatternWhy it is weakExample
Common passwordTried first by every attackerpassword, qwerty123
Dictionary wordIn every wordlistsunshine, dragon
Embedded yearCommon substitutionSummer2024!
Repeated charactersTrivially detectableaaaa, 1111
Sequential runsKeyboard walkabcde, 12345
Keyboard rowsPhysical layoutqwerty, asdfgh

Each detected pattern reduces the effective entropy — sometimes to near zero, as a password on the common-password list regardless of how long it is.

Step 3 — Estimate time to crack

The adjusted entropy is converted into an estimated time-to-crack assuming approximately 10 billion guesses per second — a realistic rate for a modern GPU attacking a fast, unsalted hash like MD5 or SHA-1. Against a properly implemented slow hash (bcrypt, Argon2, scrypt), real-world times are orders of magnitude longer. The 10 billion rate is the deliberately conservative worst case.

Expected guesses to crack = 2^(entropy − 1), divided by the guess rate.

Interpreting the output

Adjusted entropyCrack time (fast hash)Verdict
Below 28 bitsUnder a secondVery weak
28–40 bitsSeconds to hoursWeak
40–60 bitsDays to yearsFair
60–80 bitsDecades or moreStrong
Above 80 bitsPractically foreverVery strong

What makes a password genuinely strong

  • Length beats complexity. Going from 8 to 16 characters adds more entropy than any combination of symbols and case changes on a short string.
  • Avoid patterns the tool flags. P@ssw0rd!1 may look complex but scores poorly because substituting @ for a and 0 for o are the first rules in every cracking dictionary.
  • Never reuse passwords. A high-entropy password reused across 20 sites is compromised the moment any one of those sites leaks its database. Use a password manager and generate a unique password for each account.
  • Breached status matters more than entropy. Even a technically strong password is immediately compromised if it has appeared in a leaked database. Use a breach lookup tool to check whether a password has been seen in known data breaches.

All analysis runs locally in your browser. The password is never transmitted or stored.