The Password Strength Meter estimates how secure a password is and how long it would take an attacker to crack it — without ever sending the password anywhere. Everything is calculated locally in your browser, so the password you type never leaves your device.
How strength is calculated
The meter measures entropy, the number of bits of unpredictability in a password. Entropy depends on two things: the length and the size of the character pool you draw from.
entropy (bits) = length × log₂(pool size)
| Character pool | Pool size | Entropy per character |
|---|---|---|
| Lowercase only (a–z) | 26 | ~4.7 bits |
| Lowercase + uppercase | 52 | ~5.7 bits |
| Lower + upper + digits | 62 | ~6.0 bits |
| Full printable ASCII | ~95 | ~6.6 bits |
A 12-character password from the full printable ASCII pool (95 characters) has about 79 bits of entropy — strong. The same 12 characters of only lowercase letters has about 56 bits — merely fair.
For common passwords, the meter detects the string in a known-weak list and reports very low strength regardless of character variety — because an attacker would try every password in that list before even beginning to brute-force.
Crack-time estimate
The tool converts entropy into an estimated time to crack assuming a fast offline attacker making around 100 billion guesses per second. This is a deliberately conservative assumption representing GPU-accelerated cracking against a weak hash — real times against bcrypt or Argon2 are much longer.
| Entropy | Roughly equals | Estimated crack time |
|---|---|---|
| 28 bits | 8 lowercase letters | Under a second |
| 40 bits | short mixed password | A few hours |
| 60 bits | 10–12 mixed characters | Millions of years |
| 80+ bits | 16+ mixed or 4-word passphrase | Far beyond practical reach |
Why length matters more than complexity
Doubling the length of a password doubles the bits of entropy regardless of the character set used. Switching from lowercase-only to full ASCII on an 8-character password adds about 15 bits of entropy. Making the same 8-character password 16 characters (still lowercase-only) adds another 38 bits. The extra length wins decisively.
A four-word passphrase like correct horse battery staple drawn from even a modest 2,000-word dictionary has about 44 bits of entropy and is far easier to type than C0rr3ct!. Drawn from a 10,000-word list, it reaches 53 bits.
Common mistakes the meter detects
- Adding a
!to the end of a dictionary word. Attackers apply symbol-append rules to every word in their list.sunshine!scores poorly. - Capitalising the first letter. Capitalisation rules are also tried first.
Sunshine1scores poorly. - Leet-speak substitutions. Replacing
awith@orowith0is in every modern cracking ruleset.p@ssw0rdstill scores very weak. - Predictable sequences and keyboard patterns.
qwerty,123456,abcdef— these are in the top of every dictionary.
Use a unique password per account and store them in a password manager. Every calculation here runs locally in your browser. Nothing is sent to a server.