How is the strength estimated?

The tester estimates entropy from the character set used (lowercase, uppercase, digits, symbols) and the length, then derives an offline crack time assuming an attacker can make 10 billion guesses per second against a fast hash. It also flags very common passwords and trivial patterns.

What is a good password?

Aim for 60 bits of entropy or more — typically 12 or more characters mixing upper and lower case letters, numbers and symbols, with no dictionary words or repeats. A long random passphrase scores well.

What do the five rating levels mean?

The score runs 0 to 4: a common password or under 28 bits scores 0, under 40 bits scores 1, under 60 bits scores 2, under 80 bits scores 3, and 80 bits or more scores 4 (very strong).

Why is my long password still rated weak?

The tester checks against a list of common passwords and flags trivial patterns. A long but common or predictable password is downgraded, because real attackers try known passwords and patterns long before brute-forcing.

How does it calculate crack time?

It takes 2^entropy ÷ 2 as the average number of guesses, then divides by 10 billion guesses per second — a realistic rate for an offline attacker with GPUs against a fast hash. The result is shown in seconds up to years.

Is a passphrase better than a complex password?

Often yes. Four or five random words give high entropy from sheer length and are far easier to remember than a short string of symbols, while still scoring strongly here.

Is my password sent anywhere?

No. The test runs entirely in your browser using JavaScript. Your password is never uploaded, stored, logged or transmitted — it never leaves your device.

Password Strength Tester

Password strength tester

Type a password and instantly see how strong it really is: a five-level strength meter, the entropy in bits, and an estimated offline crack time. Unlike a simple “8 characters with a number” rule, this measures the actual size of the search space an attacker faces and flags passwords that look strong but are easy to guess.

How it works

The tester computes entropy from the character pool and length, estimates an offline crack time, then assigns a 0–4 score with safeguards for weak patterns:

pool    = 26 (a–z) + 26 (A–Z) + 10 (0–9) + 33 (symbols), only the types present
entropy = length × log2(pool)   bits
guesses = 2^entropy ÷ 2
crack   = guesses ÷ 10,000,000,000 guesses/sec   (offline, fast hash)

A common-password match or under 28 bits forces a score of 0. Otherwise the bands are under 40 bits = 1, under 60 = 2, under 80 = 3, and 80+ = 4. Specific suggestions tell you which lever — length, variety, uniqueness — will help most.

Example

The password Summer2024 (10 chars, pool 62 — upper, lower, digits):

Entropy: 10 × log2(62) ≈ 59.5 bits → score 2 (Fair)
It also resembles a common pattern, so the tester suggests adding length and a symbol, which pushes it past 80 bits and to a “very strong” rating.

Password	Entropy	Rating
123456	very low	Very weak
Summer2024	~60 bits	Fair
7!qZ$mra2Lp#xV	~92 bits	Very strong

Everything runs in your browser and your password never leaves your device.