Password Strength Checker — Free Online Tool

Q: Does the checker detect common passwords like 123456?

The checker uses entropy-based analysis. It correctly flags short or low-variety passwords but does not cross-reference breach databases.

Q: My password passed all criteria but I'm still not sure it's safe. What should I do?

Combine a strong password with a password manager, two-factor authentication (2FA), and checking your email on haveibeenpwned.com.

Strength —

Length

—

Entropy

—

Charset size

—

Crack time

—

○ At least 12 characters

○ Contains uppercase letters (A–Z)

○ Contains lowercase letters (a–z)

○ Contains numbers (0–9)

○ Contains symbols (!@#$…)

What does this checker actually measure?

The strength checker calculates the entropy of your password — a mathematical measure of unpredictability expressed in bits. Higher entropy means more possible combinations, which means longer crack time. It also checks the character set size (how many different characters are possible) and multiplies that by password length to estimate the search space an attacker must exhaust.

How is crack time calculated?

Crack time is estimated by dividing the total number of possible passwords (character set raised to the power of length) by 10 billion — a conservative estimate of a modern GPU's brute-force speed per second. The result is a worst-case estimate assuming an offline attack. Online attacks are limited by login throttling and are much slower.

My password looks strong but still shows "Fair" — why?

The checker uses a conservative scoring model based purely on character set and length. It doesn't credit dictionary words even if they're mixed with numbers. For example, Password123! has all four character types and 12 characters, but is extremely weak in practice because it's a known pattern. Our checker gives it "Fair" to reflect that structural predictability matters, not just raw character count.

Frequently Asked Questions

Is my password sent to your servers?

No. The analysis runs entirely in JavaScript in your browser. Your password never leaves your device. You can open Developer Tools (F12) and check the Network tab — you'll see zero requests when you type.

What is a good entropy score?

For a regular account, aim for at least 50 bits of entropy. For high-value accounts like email or banking, 70+ bits is recommended. A 16-character random password with all character types typically achieves 100+ bits.

Does the checker detect common passwords like "123456"?

The current checker uses entropy-based analysis only. It will correctly flag short or low-variety passwords, but doesn't cross-reference against known breach databases. For that, consider checking haveibeenpwned.com separately.

My password passed all criteria but I'm still not sure it's safe. What should I do?

A strong password is one layer of protection. Combine it with: a password manager so you don't reuse it, two-factor authentication (2FA), and checking your email on haveibeenpwned.com for breach exposure.