Password Strength Meter

Test how strong a password is and how long it would take to crack.

Free password strength meter that estimates entropy and crack time entirely in your browser. Your password is never uploaded, logged or stored — it is checked locally and discarded. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Is my password sent anywhere when I test it?

No. This password strength meter runs entirely in your browser using JavaScript. The password is analysed in memory on your device and is never uploaded, logged, or stored anywhere.

The Password Strength Meter estimates how secure a password is and how long it would take an attacker to crack it — without ever sending the password anywhere. Everything is calculated locally in your browser, so the password you type never leaves your device.

How strength is calculated

The meter measures entropy, the number of bits of unpredictability in a password. Entropy depends on two things: the length and the size of the character pool you draw from.

entropy (bits) = length × log₂(pool size)

Character poolPool sizeEntropy per character
Lowercase only (a–z)26~4.7 bits
Lowercase + uppercase52~5.7 bits
Lower + upper + digits62~6.0 bits
Full printable ASCII~95~6.6 bits

A 12-character password from the full printable ASCII pool (95 characters) has about 79 bits of entropy — strong. The same 12 characters of only lowercase letters has about 56 bits — merely fair.

For common passwords, the meter detects the string in a known-weak list and reports very low strength regardless of character variety — because an attacker would try every password in that list before even beginning to brute-force.

Crack-time estimate

The tool converts entropy into an estimated time to crack assuming a fast offline attacker making around 100 billion guesses per second. This is a deliberately conservative assumption representing GPU-accelerated cracking against a weak hash — real times against bcrypt or Argon2 are much longer.

EntropyRoughly equalsEstimated crack time
28 bits8 lowercase lettersUnder a second
40 bitsshort mixed passwordA few hours
60 bits10–12 mixed charactersMillions of years
80+ bits16+ mixed or 4-word passphraseFar beyond practical reach

Why length matters more than complexity

Doubling the length of a password doubles the bits of entropy regardless of the character set used. Switching from lowercase-only to full ASCII on an 8-character password adds about 15 bits of entropy. Making the same 8-character password 16 characters (still lowercase-only) adds another 38 bits. The extra length wins decisively.

A four-word passphrase like correct horse battery staple drawn from even a modest 2,000-word dictionary has about 44 bits of entropy and is far easier to type than C0rr3ct!. Drawn from a 10,000-word list, it reaches 53 bits.

Common mistakes the meter detects

  • Adding a ! to the end of a dictionary word. Attackers apply symbol-append rules to every word in their list. sunshine! scores poorly.
  • Capitalising the first letter. Capitalisation rules are also tried first. Sunshine1 scores poorly.
  • Leet-speak substitutions. Replacing a with @ or o with 0 is in every modern cracking ruleset. p@ssw0rd still scores very weak.
  • Predictable sequences and keyboard patterns. qwerty, 123456, abcdef — these are in the top of every dictionary.

Use a unique password per account and store them in a password manager. Every calculation here runs locally in your browser. Nothing is sent to a server.