Password Strength Checker

See a live entropy estimate, the patterns that weaken a password, and how long it would take to crack.

Runs entirely in your browser — the password is never transmitted and never even written back into the page. Verify with DevTools: zero network requests as you type.

How it works

The checker measures three things locally. First, the character pool: lowercase adds 26 possibilities per position, uppercase another 26, digits 10, and symbols about 33. Second, a raw entropy estimate — length multiplied by the base-2 log of that pool, which is the number of bits of unpredictability if every character were chosen at random. Third, a set of pattern penalties: we subtract bits when the password matches a common breached password, is built on a common base word, contains a sequence (abc, 123), a keyboard run (qwerty), three or more repeats, or a four-digit year. The adjusted bits map to a strength band, and we translate the average guesses needed into time across three attacker models. It is a fast heuristic — not the last word. Scoring detail lives on the methodology page.

FAQ

Is it safe to type my real password here?

The check runs entirely in your browser — the password is never sent over the network and never leaves your device. You can confirm with your browser's network inspector: zero requests fire as you type. Even so, prefer a similar test password over a live one where you can.

What does the entropy number mean?

Entropy in bits estimates how unpredictable the password is — each extra bit doubles the guesses an attacker needs. It's a heuristic: we take length × log2 of the character pool, then subtract for common words, sequences, keyboard runs, repeats, and years. Real attackers use smarter models, so treat the figure as a guide, not a guarantee.

How many bits is strong enough?

For a password guarded by a fast hash, aim well past 60 bits; 70 or more is a comfortable floor, and a long passphrase easily clears it. Length matters far more than swapping letters for symbols — a longer passphrase beats a short complex string almost every time.

From the channel

Video thumbnail: This Mac Malware Waits for the Right Password This Mac Malware Waits for the Right Password Watch on The Exploit HQ — cyber threat intel in 60 seconds ▸