Password Strength Checker
🔒 Your password is analysed entirely in your browser. It is never sent to any server.
What Makes a Password Strong?
A strong password is long, random, and uses a wide variety of characters. Password strength is measured by entropy, which reflects the number of possible combinations an attacker would have to try to guess your password by brute force.
Password Length vs Character Set
| Length | Lowercase only | Mixed case + numbers | All characters |
|---|---|---|---|
| 6 | 308 million | 56 billion | 735 billion |
| 8 | 208 billion | 218 trillion | 6.1 quadrillion |
| 12 | 95 trillion | 3.2 quintillion | 475 quintillion |
| 16 | 43 quadrillion | 4.7 × 10²⁸ | Astronomical |
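
The JavaScript below is an added example, not this tool's own code: it derives a combination count from character pool and length, converts it to entropy bits and an average brute-force time, and flags passwords that are a common word plus a suffix. The pool sizes (95 printable ASCII characters), the rate of 10 billion guesses per second, and the small word list are assumptions.

```javascript
// Added example; not the checker's own code. Pool sizes assume printable ASCII.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 }, // symbols and space
];

// Constructed sample list; a real checker would load a large breach wordlist.
const COMMON_WORDS = new Set(["password", "qwerty", "letmein", "dragon"]);

// Size of the alphabet an attacker must cover for this password.
function poolSize(password) {
  return CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
}

// Number of candidates of this length over that alphabet (BigInt: no overflow).
function keyspace(password) {
  return BigInt(poolSize(password)) ** BigInt([...password].length);
}

// Entropy in bits, valid only if each character was picked uniformly at random.
function entropyBits(password) {
  const pool = poolSize(password);
  return pool === 0 ? 0 : [...password].length * Math.log2(pool);
}

// True when the password is a common word plus trailing digits or symbols,
// a pattern that wordlist attacks try long before exhaustive search.
function isDictionaryBased(password) {
  const stem = password.toLowerCase().replace(/[^a-z]+$/, "");
  return COMMON_WORDS.has(stem);
}

// Average-case exhaustive search time: half the keyspace at the assumed rate.
function analyse(password, guessesPerSecond = 1e10) {
  const seconds = Number(keyspace(password)) / 2 / guessesPerSecond;
  return {
    pool: poolSize(password),
    bits: Math.round(entropyBits(password) * 10) / 10,
    years: seconds / (365.25 * 24 * 3600),
    dictionaryBased: isDictionaryBased(password),
  };
}
```

The pool-based figure is only meaningful for randomly generated passwords; when `dictionaryBased` is true, treat the estimate as an upper bound.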
Best Practices for Strong Passwords
- Use at least 12 characters (16+ for sensitive accounts).
- Mix uppercase, lowercase, numbers, and symbols.
- Never use dictionary words, names, or dates alone.
- Use a different password for every account.
- Consider a passphrase: "Purple!Tiger$Runs7Fast" is long, memorable, and strong.
- Use a password manager to generate and store truly random passwords.
Frequently Asked Questions
Is my password safe to enter here?
Yes. All analysis happens in your browser using JavaScript. Your password never leaves your device or gets sent to any server. You can even disconnect from the internet and the tool will still work.
What is brute force cracking?
Brute force is an attack where a computer tries every possible password combination until it finds the correct one. Modern hardware can try billions of guesses per second, which is why password length and complexity matter so much.
Should I use a password manager?
Absolutely. Password managers like Bitwarden, 1Password, and KeePass generate cryptographically random passwords and store them securely. You only need to remember one master password, and every account gets a unique, strong password.
What is two-factor authentication (2FA)?
2FA adds a second verification step beyond the password, such as a one-time code from an app (Google Authenticator, Authy) or SMS. Even if an attacker obtains your password, they cannot log in without the second factor. Always enable 2FA on important accounts.
