Password Strength Checker

Estimate password entropy and strength in real time.


Overview

The password strength checker estimates the entropy and crack-time of any password as you type. It scores against common patterns — keyboard walks, repeated characters, common dictionary words, dates — and shows both a numeric entropy in bits and a human-readable "would take X to crack offline".

It is the right companion to a password generator and a useful diagnostic for sysadmins enforcing policy, security trainers explaining why "Summer2024!" is weak, and end users who want to feel out how much their preferred password actually buys them.

How it works

Entropy estimation goes beyond counting characters. A naive estimate is length × log2(alphabet_size) — but real passwords are rarely uniformly random, so the tool also runs zxcvbn-style pattern matching: dictionary lookups against common-password lists, l33t-speak normalization, sequence detection (abc, 123, qwerty), date detection, and adjacency on a US QWERTY layout. The minimum-entropy estimate over all matching patterns is reported as the password's effective strength, expressed in bits and translated into offline-attack guess-time at common GPU rates (e.g. 10^10 guesses per second for fast hashes, 10^4 for Bcrypt at cost 12).
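
The JavaScript below is an added example, not the tool's own code: it computes the naive estimate, one zxcvbn-style pattern estimate (common word after l33t and case folding, optional year, leftover suffix), and takes the minimum of the two. The word list, the 33-symbol class size and the 200-year range are assumptions, so its numbers will not match the tool's figures.

```javascript
// Added example. COMMON is a constructed stand-in for a real ranked password list;
// the symbol-class size (33) and the year range (200 years) are assumptions.
const COMMON = ["password", "summer", "qwerty", "dragon"];
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };
const RATES = { fastHash: 1e10, bcryptCost12: 1e4 }; // guesses per second, as quoted in the paragraph above

// Naive estimate: length × log2(alphabet_size), alphabet inferred from the classes used.
function naiveBits(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) alphabet += 33;
  return alphabet ? pw.length * Math.log2(alphabet) : 0;
}

// Pattern estimate: common word (after l33t and case folding) + optional year + leftover.
function patternBits(pw) {
  const norm = pw.toLowerCase().replace(/[013457@$]/g, (c) => LEET[c]);
  let best = Infinity;
  COMMON.forEach((word, i) => {
    if (!norm.startsWith(word)) return;
    const head = pw.slice(0, word.length);
    let bits = Math.log2(i + 1);                  // cost of the word is its rank in the list
    if (head !== head.toLowerCase()) bits += 1;   // capitalised variant doubles the guesses
    if (head.toLowerCase() !== word) bits += 1;   // l33t variant doubles them again
    let tail = pw.slice(word.length);
    if (/^(19|20)\d\d/.test(tail)) {              // a year costs log2(200), not log2(10^4)
      bits += Math.log2(200);
      tail = tail.slice(4);
    }
    best = Math.min(best, bits + naiveBits(tail)); // whatever is left is costed naively
  });
  return best; // Infinity when no pattern matches
}

// Effective strength is the minimum over all estimates that apply.
function effectiveBits(pw) {
  return Math.min(naiveBits(pw), patternBits(pw));
}

// Seconds to exhaust a 2^bits guess space at a given offline guess rate.
function crackSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond;
}
```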

Examples

Password: password
Entropy:  ~4 bits
Verdict:  Trivially weak — top 10 most common passwords

Password: Summer2024!
Entropy:  ~22 bits
Verdict:  Weak — predictable pattern (season + year + symbol)

Password: tribe oasis voucher banjo perch sailor
Entropy:  ~77 bits
Verdict:  Strong — 6-word Diceware-style passphrase

Password: kP9#mZ2qL!8vR$5w
Entropy:  ~95 bits
Verdict:  Very strong — random 16-char with all classes

FAQ

Why doesn't length 12 always mean strong?

Because not all length-12 passwords are equally random. Password1234 has length 12 but maps to a couple of well-known patterns, so its effective entropy is closer to 15 bits than the 60+ you might guess from the character classes.

What entropy is "strong"?

40+ bits resists online attacks against a rate-limited login. 60+ bits resists offline attacks against fast hashes (SHA-256). 80+ bits is comfortable against offline attacks against slow hashes (Bcrypt, Argon2). Push higher for vault master passwords.

Does the tool send my password anywhere?

No. All analysis runs in your browser. Nothing is logged or transmitted.

Should I trust the "crack time" exactly?

Treat it as a rough order of magnitude. Real attacker hardware varies and the assumed hash speed is a guess; the entropy estimate is the more durable number.
