Password Strength Calculator

Type or paste a candidate password, get a sober assessment of how long it would take to crack. Entropy in bits, breach-list check, three different attacker scenarios, and a list of specific weaknesses. Everything runs locally in your browser.

Explain like I'm 5 (what even is this calculator?)

A password is strong when it would take an attacker, with a fast computer and a stolen copy of the website's password file, longer than a human lifetime to guess it. This tool works out roughly how long that would take for a password you're thinking about, and points out anything that makes it easier to guess (a real word, a year, a keyboard pattern, or its presence on a list of leaked passwords).

Test a password

Nothing you type is sent anywhere. This page works fully offline once loaded. The check happens in your browser using JavaScript only.


Show the workings

Entropy is log2(charset size) × length, in bits. Charset size is 26 (lowercase) + 26 (uppercase) + 10 (digits) + 33 (common symbols), counted only for classes that actually appear in the password. Penalties for breach-list membership, keyboard runs, repeated characters, year-shaped numbers and dictionary stems are subtracted from raw entropy. Crack time uses the average case (half the search space), divided by the attacker's guesses-per-second rate. Three threat models are shown: throttled online (10/s), unthrottled online (10,000/s) and offline fast hash (10 billion/s). Common-password membership zeroes the score outright.
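The rules above, worked through as an added JavaScript example (not the page's own code). The per-penalty bit counts, the five-entry sample breach list and the 80-year "human lifetime" yardstick are assumptions chosen for illustration; the charset sizes, average-case division and the three guess rates are the ones stated above.

```javascript
// Added example: a minimal re-implementation of the scoring rules described
// above. Not the page's own code; the penalty sizes, the sample common-password
// list and the lifetime yardstick are illustrative assumptions.
const COMMON = new Set(["password", "123456", "qwerty", "p@ssw0rd!", "letmein"]); // constructed sample
const RATES = { throttledOnline: 10, unthrottledOnline: 1e4, offlineFastHash: 1e10 }; // guesses/s
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];

// Per-character alphabet, counted only for classes that actually appear (26+26+10+33).
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^A-Za-z0-9]/.test(pw)) size += 33;
  return size;
}

// Bits subtracted for predictable structure. The sizes (8, 6, 10) are assumptions.
function penaltyBits(pw) {
  const lower = pw.toLowerCase();
  let bits = 0;
  for (let i = 0; i + 4 <= lower.length; i++) {
    // any four consecutive characters that sit on one keyboard row
    if (KEYBOARD_ROWS.some(row => row.includes(lower.slice(i, i + 4)))) { bits += 8; break; }
  }
  if (/(.)\1\1/.test(pw)) bits += 6;        // same character three times in a row
  if (/(?:19|20)\d\d/.test(pw)) bits += 10; // year-shaped number
  return bits;
}

function assess(pw) {
  // Membership in the breached-password list zeroes the score outright.
  if (pw.length === 0 || COMMON.has(pw.toLowerCase())) {
    return { bits: 0, crackSeconds: Object.fromEntries(Object.keys(RATES).map(k => [k, 0])) };
  }
  const raw = Math.log2(charsetSize(pw)) * pw.length;
  const bits = Math.max(0, raw - penaltyBits(pw));
  const avgGuesses = 2 ** bits / 2; // average case: half the search space
  const crackSeconds = Object.fromEntries(
    Object.entries(RATES).map(([name, rate]) => [name, avgGuesses / rate]),
  );
  return { bits, crackSeconds };
}

// Does the offline fast-hash attacker need more than an (assumed) 80-year lifetime?
function outlivesAttacker(pw) {
  return assess(pw).crackSeconds.offlineFastHash / (365.25 * 86400) > 80;
}
```

Running `assess("qwerty1999")` shows the three penalties stacking (keyboard run, year, triple repeat) to pull a 51.7-bit raw figure down to about 27.7 bits, while the 25-character lowercase passphrase from the myths section lands above 117 bits with no penalties at all.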


Why length beats complexity, every time

The folklore says a strong password needs an uppercase letter, a number and a special character. The maths says length matters far more. Adding a symbol to an eight-character password buys you a small multiplier. Adding four more characters buys you a much larger one. A 16-character all-lowercase passphrase is genuinely harder to crack than a typical "Pa55word!" style attempt, even though one looks more "complex" than the other.

The reason is the way attackers actually work. They don't try every possible eight-character string in random order. They try the common passwords first, then dictionary words, then dictionary words with the obvious mangling rules (capitalise first letter, swap a for @, append a year, append an exclamation mark). A complicated-looking but predictable password gets caught early in that list. A long, properly random password does not, because there are simply too many of them.

What entropy in bits actually means

Entropy is a measure of how many guesses an attacker has to try before they hit your password, expressed in powers of two. 40 bits of entropy means roughly a trillion guesses. 60 bits is roughly a quintillion. Each extra bit doubles the work.

Modern guidance puts the bar at around 60 bits of entropy for a normal account, and 80 bits or more for a password manager master password, an email account, or anything protecting payment details. The figure on this page is the entropy after penalties for things like dictionary words and keyboard runs, because the raw figure is misleading for predictable passwords.

The myths this calculator is trying to kill

Myth: special characters make a password strong

They make it slightly stronger, by widening the per-character search space. They do not save a short or predictable password. "P@ssw0rd!" is still on every cracker's first-pass list.

Myth: changing your password every 90 days makes you safer

Forced rotation makes people pick weaker passwords with a predictable suffix, then write them down. NIST formally dropped that guidance in 2017. Pick a strong password, leave it alone, and only change it if you have reason to think it has been exposed.

Myth: random gibberish is the only safe option

A passphrase of four or five random unrelated words has plenty of entropy and is far easier to remember. The classic example: correct horse battery staple. Length wins.

Myth: hackers care about your specific password

Almost never. They steal a database of millions of password hashes and run them against the most common passwords first. If yours is on the list, you're done. If yours is unique and long, they move on.

What this tool does not check

This page checks whether your password is on a curated list of the most-used breached passwords. It does not query Have I Been Pwned or any external breach service, because doing so would require sending your password (or a hash prefix of it) over the internet, which would defeat the entire point of a browser-only tool. For a complete breach check, run the password through the Have I Been Pwned site directly.

It also cannot tell you whether you have used the same password somewhere else, whether it has been pasted into chat history, or whether your machine has malware reading your keystrokes. Those problems are real and sit outside what any web-based strength meter can solve. Use a password manager, turn on two-factor authentication, and stop reusing passwords across sites.

Practical advice in three lines

  • Use a password manager. Generate a long random password per site. You only ever need to remember the master password.
  • Make the master password a 5-word passphrase. Five random words give you well over 60 bits of entropy and are straightforward to type.
  • Turn on two-factor authentication everywhere it's offered. A leaked password without a second factor is a much smaller problem.


Frequently asked questions

Does this tool send my password anywhere?

No. The page does not perform any network requests once it has loaded. Everything happens in JavaScript on your device. Open the browser's network tab while typing to verify: there are no outbound requests. If you want to be extra cautious, disconnect from the internet before typing your real password.

Why does length matter more than special characters?

Each extra character roughly doubles the search space an attacker has to grind through. Adding one symbol to an eight-character password adds a small multiplier. Adding three more characters adds a much larger one. A 16-character all-lowercase password is harder to crack than a 10-character mix of upper, lower, digits and symbols.

What is entropy in bits?

Entropy in bits measures how many guesses an attacker has to try, on average, before they hit your password. Each bit doubles the work. 40 bits is roughly a trillion guesses; 60 bits is roughly a quintillion. The bar is 60 bits for a normal account and 80+ bits for a password manager master password.

What are the three threat models?

The slowest is an online attack against a service that throttles login attempts, capped at roughly 10 tries per second. The middle one is a poorly configured service that allows tens of thousands of guesses per second. The fastest assumes the attacker has stolen the password database and is running a fast hash on a graphics card, doing 10 billion guesses per second.

Is the breach-list check exhaustive?

No. The page ships with a list of the most-used breached passwords, which catches the obvious cases. It does not query Have I Been Pwned, because that would mean sending your password over the network. For a complete check, use Have I Been Pwned directly.

What's a sensible target for a real account?

60 bits of adjusted entropy and a Strong rating is the floor for a normal account behind two-factor authentication. 80+ bits for a password manager master password, an email account or anything storing payment details. Use a password manager and generate per-site random passwords.