Password Strength Checker

Type a password and see how strong it really is. Entropy, pattern detection, and crack-time estimates, all computed locally.

Privacy: your password is never sent over the network. All analysis happens in this page's JavaScript. We don't even have a way to receive it.
How is strength actually measured?

Entropy in one line

Entropy (in bits) estimates how many guesses an attacker would need on average to find your password. log2(pool_size) Γ— length is the simple ceiling, but real attackers don't try random characters; they try common patterns first. So we discount for things like dictionary words, all-lowercase, sequential characters, repeats, keyboard walks, and common substitutions.

Why "time to crack" depends on the attacker

The same password takes wildly different times to crack depending on how it's stored on the defender's side:

  • Plain SHA-256 / MD5: GPUs can compute billions per second. A 10-char lowercase password falls in hours.
  • bcrypt / Argon2 / scrypt: deliberately slow. The same password might take a thousand times longer because each guess costs more than a CPU cycle.
  • Online (have to send each guess to a server): rate-limited by network and the server's anti-brute-force. Even weak passwords survive online attacks for a long time.

The honest summary

Length matters more than complexity. A 20-character all-lowercase passphrase is harder to crack than an 8-character "Hu7!tBn3" if both use the same hash. Use a password manager and generate random ones whenever possible.