How is each rule evaluated?

Every rule is checked independently against the typed password: length is compared to the minimum and maximum, character-class rules test for at least one matching character, the whitespace rule rejects spaces and tabs, and the common-password rule compares against a bundled list of well-known weak passwords.

What does the entropy estimate mean?

Entropy in bits is estimated as the password length multiplied by the log base 2 of the character-set size it draws from. It is a rough upper bound for context only — a dictionary word made of many character classes can still be weak — so treat it as guidance, not a guarantee.

Does longer always beat more complex?

Generally yes. Adding length increases entropy faster than adding a single special character, and modern guidance such as NIST 800-63B favours long passphrases over forced complexity. The tool lets you model both so you can choose a sensible policy.

Is the common-password check the same as a breach check?

No. This tool uses a small bundled list of the most common weak passwords for instant, offline checking. A true breach check queries a database of leaked passwords; for that, use a dedicated breach-lookup tool that hashes the password before sending a prefix.

Is my password sent anywhere?

No. Every rule and the entropy estimate run locally in your browser. The password you type is never transmitted, so you can safely test real candidate passwords.

Password Policy Compliance Tester

The Password Policy Compliance Tester lets you design a password policy and immediately see how candidate passwords fare against it. It is built for developers and security teams who need to verify policy UX and explain to users exactly why a password was rejected — rather than showing a single unhelpful error.

How it works

Configure the policy. Set minimum and maximum length and choose which rules apply: require an uppercase letter, a lowercase letter, a digit, a symbol, disallow whitespace, and block common passwords.
Evaluate each rule independently. As you type, every enabled rule is checked on its own. Length rules compare the character count; class rules test for at least one matching character; the common-password rule compares against a bundled list of well-known weak passwords.
Estimate entropy. The tool computes the character-set size the password draws from and multiplies its length by the log base 2 of that size to give a bits-of-entropy figure and a coarse strength label.

Example

With a policy of 12 minimum, uppercase, lowercase, digit, and symbol required, the password Spring2026 fails on length (10 characters) and symbol, while Correct-Horse-9! passes every rule and reports a much higher entropy thanks to its length.

Tips and notes

Favour a longer minimum length over piling on character-class requirements — length adds entropy faster and is easier for users.
The bundled common-password list is small and for instant offline use; pair it with a real breach lookup for production sign-up flows.
Allow long passwords (a generous maximum such as 64 or 128) and never block paste, so password managers work and 3.3.8 Accessible Authentication is satisfied.