Password Strength Tester
Password strength meter. Live entropy calculation + crack-time estimation at 4 attack speeds (online throttled, online unthrottled, offline slow hash, offline fast hash). Detects common passwords, sequential runs, keyboard patterns. Password never leaves the page.
Password Strength Tester
How the password test works
Type your password
The strength meter updates live as you type — no submit button needed. Click "Show" to verify spelling.
Read the entropy
Entropy = mathematical measure of how hard your password is to guess. 80+ bits = strong; 60+ = OK against most attackers; below 36 = trivial.
Check the crack-times
4 attack profiles shown: online throttled (e.g. a normal login form), online unthrottled, offline slow hash (bcrypt), offline fast hash (GPU MD5). Strong passwords resist offline fast attacks.
Fix the weaknesses
If common patterns are detected (sequential chars, keyboard runs, dictionary words), they\'re listed — fix those first.
Why password strength matters in 2026
Password breaches no longer make headlines because they\'ve become routine. The Have-I-Been-Pwned database now lists over 12 billion compromised account records across thousands of breaches. The single biggest factor in whether your accounts survive the next breach is the strength of the password protecting them — measured in entropy bits, not in subjective "looks complex" feelings.
Entropy is the only objective measure
A password like Password1! looks strong (uppercase, lowercase, digit, symbol — checks all the boxes typical web forms require), but it contains a dictionary word and the most common digit + symbol suffix. Its real entropy is around 12 bits — crackable in seconds by any modern GPU. A password like tilt-purple-fjord-1894 looks weaker by traditional rules (no symbols, no mixed case) but has 60+ bits — practically uncrackable offline.
"The user who types P@ssw0rd2024! believes they\'ve created a strong password. They haven\'t — they\'ve created a password that satisfies a form\'s regex while still being in the top 1,000 cracking-rule outputs."
The four attack profiles
Online throttled (10 guesses/sec): a normal login form. Easy passwords survive here. Online unthrottled (100/sec): a poorly-configured API endpoint. Offline slow hash (10,000/sec): your password was leaked in a breach and the attacker is brute-forcing the bcrypt hash. Offline fast hash (10 billion/sec): your password was leaked, and the site stupidly used MD5 — modern consumer GPUs make this attack speed routine.
Privacy stance
This tool runs entirely in your browser. Your password is never uploaded, logged, sent to any server, or stored anywhere. The strength algorithm is pure JavaScript — you can verify this by viewing the source. Test any password here without fear.
10 facts about password security
The Have-I-Been-Pwned database tracks 12 billion+ compromised account records across thousands of breaches.
"123456" is the most common password globally — featured in 23 million leaked accounts in 2023 alone.
A consumer-grade RTX 4090 GPU can compute over 10 billion MD5 hashes per second — making any sub-12-character password instantly crackable.
NIST\'s 2017 guidelines reversed decades of advice: password rotation is harmful, and complexity rules push users toward predictable patterns.
A 4-word passphrase (e.g. "tilt purple fjord 1894") has ~50 bits of entropy — easily memorable yet stronger than a typical 8-char "complex" password.
Bcrypt with cost factor 12 takes ~250 milliseconds per guess — that 10-billion-per-second attack rate drops to ~4 guesses/sec on the same hardware.
Top-10 password rules can multiply weak-password breaches when users follow them ("password" → "Password1!" → cracked just as quickly).
Password managers eliminate the need for memorability — and most modern browsers ship them built-in. There is no longer a credible reason to reuse passwords.
Multi-factor authentication (2FA) defeats ~99% of credential-stuffing attacks — even if your password leaks, the attacker still needs your second factor.
The "trick" to strong passwords isn\'t mixed case + symbols — it\'s length and unpredictability. 20 random lowercase letters > 8 mixed-class but predictable characters.
Frequently asked questions
No. This tool runs entirely in your browser. Your password is never uploaded, transmitted, or logged. The algorithm is pure JavaScript — view the page source if you want to verify.
A mathematical measure of how hard a password is to guess, expressed in bits. Each bit doubles the number of guesses needed. 80+ bits is considered strong; 60+ is OK; below 36 is weak.
Because attackers know users append "1!" or "2024!" to common words. The dictionary attack tries these variations first. Real strength comes from unpredictability, not from satisfying form-validation regex.
Yes. The browser-built-in ones (Chrome, Safari, Firefox, Edge) are free, suggest strong unique passwords automatically, and sync across devices. Dedicated managers (1Password, Bitwarden) offer more features.
NIST 2017+ guidance: only when there's evidence of compromise. Forced rotation pushes users to predictable patterns (Password1 → Password2 → ...). Pick a strong unique password once and use 2FA.
Online attacks hit a login form, with network round-trips and rate limiting. Offline attacks happen after a database leak — the attacker has the password hashes and can use specialised hardware (GPUs, ASICs) to test billions per second.
Yes, if chosen randomly from a large list (~7,776 words = Diceware list). A 4-word phrase has ~50 bits, a 5-word has ~64 bits. Memorable AND strong.
Marginally. Going from 26 → 95 alphabet doubles your per-character entropy. But going from 8 → 16 characters in length adds far more. Length > complexity.
A password that's a dictionary word has effective entropy of ~12 bits regardless of length — because the attacker only needs to guess from a 200,000-word list, not from 95^N possibilities.
Yes. After the page loads, no further network calls are made. Disconnect from the internet and the strength meter still works.
Related News
You may be interested in these recent stories from our newsroom.
No related news yet for this tool. Our editorial team publishes new pieces every week.
Browse all news →75 more free tools
Calculators, converters, security tools — no signup.