Is my password sent to a server?

No. All analysis — entropy, pattern detection, and crack-time estimation — runs in JavaScript on your device. The password never leaves your browser, so it is safe to test even a real password.

How is entropy estimated?

It starts from the size of the character pool used (lowercase, uppercase, digits, symbols) times the length, then subtracts bits for predictable structure: common passwords, dictionary words, repeated characters, runs, and keyboard sequences. The result reflects guessability, not just raw length.

What guess rate does the time-to-crack assume?

It assumes a fast offline attack of about 10 billion guesses per second, typical for modern GPUs against a fast hash like unsalted MD5 or SHA-1. Against a slow, salted hash like bcrypt the real time would be far longer, so this is a deliberately conservative worst case.

Why does adding length help more than adding symbols?

Entropy grows linearly with length but only logarithmically with the size of the character set. Going from 8 to 16 random characters roughly doubles the bits of entropy, which is a far bigger gain than sprinkling in a few symbols.

Does passing this check mean the password is safe?

It is a strong signal, but reuse is the bigger risk. A high-entropy password reused across sites is compromised the moment any one site leaks. Use a unique password per account and a password manager.

Password Strength Checker

A strong password is not just long — it is unpredictable. This checker estimates how much true entropy your password has, flags the predictable patterns attackers exploit first, and tells you roughly how long it would survive a fast offline guessing attack. Everything runs in your browser, so you can safely test a password you actually use.

How it works

The tool measures the character pool: lowercase adds 26, uppercase 26, digits 10, and symbols/space roughly 33 possible characters. Raw entropy starts at length × log2(poolSize) bits.

It then penalises predictability, because attackers do not guess randomly:

exact matches against a list of the most common passwords drop the score to near zero;
embedded dictionary words and years reduce effective entropy;
repeated characters (aaaa), ascending or descending runs (1234, abcd), and keyboard rows (qwerty, asdf) are cheap to guess and are discounted.

Finally it converts the adjusted entropy into a time-to-crack estimate at about 10 billion guesses per second — a realistic rate for a GPU attacking a fast hash. The number of guesses to expect is 2^(entropy − 1), which divided by the guess rate gives a human-readable time.

Tips for a strong password

Length beats complexity. A 16-character passphrase of random words usually outscores an 8-character P@ssw0rd.
Avoid all patterns the tool flags — they are the first things cracking software tries.
Never reuse a password; a unique one per site limits the blast radius of any breach.
Let a password manager generate and store long random passwords so you never have to remember them.