A strong password is not just long — it is unpredictable. This checker estimates how much true entropy your password has, flags the predictable patterns attackers exploit first, and tells you roughly how long it would survive a fast offline guessing attack. Everything runs in your browser, so you can safely test a password you actually use.
How it works
Step 1 — Measure the character pool
The tool identifies every character class present in the password:
- Lowercase letters: 26 possible characters
- Uppercase letters: 26 possible characters
- Digits: 10 possible characters
- Symbols and punctuation: approximately 33 possible characters
Raw entropy starts at length × log₂(poolSize) bits. A 12-character password using all four classes draws from a pool of 95, giving about 79 bits of raw entropy.
Step 2 — Penalise predictable patterns
Attackers do not guess randomly — they run optimised rule-based attacks that try the most common passwords first, then dictionary words with substitutions, then patterned strings. The checker detects and penalises:
| Pattern | Why it is weak | Example |
|---|---|---|
| Common password | Tried first by every attacker | password, qwerty123 |
| Dictionary word | In every wordlist | sunshine, dragon |
| Embedded year | Common substitution | Summer2024! |
| Repeated characters | Trivially detectable | aaaa, 1111 |
| Sequential runs | Keyboard walk | abcde, 12345 |
| Keyboard rows | Physical layout | qwerty, asdfgh |
Each detected pattern reduces the effective entropy — sometimes to near zero, as a password on the common-password list regardless of how long it is.
Step 3 — Estimate time to crack
The adjusted entropy is converted into an estimated time-to-crack assuming approximately 10 billion guesses per second — a realistic rate for a modern GPU attacking a fast, unsalted hash like MD5 or SHA-1. Against a properly implemented slow hash (bcrypt, Argon2, scrypt), real-world times are orders of magnitude longer. The 10 billion rate is the deliberately conservative worst case.
Expected guesses to crack = 2^(entropy − 1), divided by the guess rate.
Interpreting the output
| Adjusted entropy | Crack time (fast hash) | Verdict |
|---|---|---|
| Below 28 bits | Under a second | Very weak |
| 28–40 bits | Seconds to hours | Weak |
| 40–60 bits | Days to years | Fair |
| 60–80 bits | Decades or more | Strong |
| Above 80 bits | Practically forever | Very strong |
What makes a password genuinely strong
- Length beats complexity. Going from 8 to 16 characters adds more entropy than any combination of symbols and case changes on a short string.
- Avoid patterns the tool flags.
P@ssw0rd!1may look complex but scores poorly because substituting@foraand0foroare the first rules in every cracking dictionary. - Never reuse passwords. A high-entropy password reused across 20 sites is compromised the moment any one of those sites leaks its database. Use a password manager and generate a unique password for each account.
- Breached status matters more than entropy. Even a technically strong password is immediately compromised if it has appeared in a leaked database. Use a breach lookup tool to check whether a password has been seen in known data breaches.
All analysis runs locally in your browser. The password is never transmitted or stored.