Password Strength Checker
See a live entropy estimate, the patterns that weaken a password, and how long it would take to crack.
Runs entirely in your browser — the password is never transmitted and never even written back into the page. Verify with DevTools: zero network requests as you type.
How it works
The checker measures three things locally. First, the character pool: lowercase adds
26 possibilities per position, uppercase another 26, digits 10, and symbols about 33. Second, a raw
entropy estimate — length multiplied by the base-2 log of that pool, which is the number
of bits of unpredictability if every character were chosen at random. Third, a set of
pattern penalties: we subtract bits when the password matches a common breached
password, is built on a common base word, contains a sequence (abc, 123), a
keyboard run (qwerty), three or more repeats, or a four-digit year. The adjusted bits map to
a strength band, and we translate the average guesses needed into time across three attacker models. It
is a fast heuristic — not the last word. Scoring detail lives on the
methodology page.
FAQ
Is it safe to type my real password here?
The check runs entirely in your browser — the password is never sent over the network and never leaves your device. You can confirm with your browser's network inspector: zero requests fire as you type. Even so, prefer a similar test password over a live one where you can.
What does the entropy number mean?
Entropy in bits estimates how unpredictable the password is — each extra bit doubles the guesses an attacker needs. It's a heuristic: we take length × log2 of the character pool, then subtract for common words, sequences, keyboard runs, repeats, and years. Real attackers use smarter models, so treat the figure as a guide, not a guarantee.
How many bits is strong enough?
For a password guarded by a fast hash, aim well past 60 bits; 70 or more is a comfortable floor, and a long passphrase easily clears it. Length matters far more than swapping letters for symbols — a longer passphrase beats a short complex string almost every time.
From the channel
This Mac Malware Waits for the Right Password
Watch on The Exploit HQ — cyber threat intel in 60 seconds ▸
weekly kev brief
Patch what's actually being exploited.
One email a week: the vulnerabilities under active attack, prioritized — no noise.
Free. No spam. Unsubscribe anytime. Delivered by Beehiiv.