Password Strength Meter
Estimate password strength using entropy and common-password heuristics. See an approximate crack time. All checks run in your browser.
How to use Password Strength
- Type or paste a password into the box. It is analyzed entirely in your browser — nothing is sent anywhere.
- Read the entropy estimate in bits — the single best measure of how hard the password is to guess.
- Check the crack-time estimate, which translates those bits into a real-world "how long would an attacker need".
- Review the weakness flags: dictionary words, common patterns, repeated characters, and keyboard runs.
- Adjust the password — usually by making it longer — and watch the strength climb in real time.
How password strength is actually measured
Most "strength meters" you see at signup are theatre — they reward you for adding a capital letter and a number, then turn green. Real strength is not about which character types you use; it is about how many guesses an attacker would have to make before stumbling onto your password. That number has a name: entropy.
Entropy in plain terms
Entropy is measured in bits. Each bit doubles the number of possibilities an attacker must try. The math is simple: if a password is drawn from an alphabet of N possible characters and is L characters long, the entropy is L × log2(N) bits — but only if every character is chosen randomly. Here is what that looks like in practice:
Lowercase only (26): log2(26) ≈ 4.7 bits per character
Lower + upper (52): log2(52) ≈ 5.7 bits per character
Letters + digits (62): log2(62) ≈ 5.95 bits per character
All printable (~95): log2(95) ≈ 6.6 bits per character
A random 12-char password from all printable characters:
12 × 6.6 ≈ 79 bits → ~10^23 possible passwords
The catch in that formula is the word random. If you chose the password yourself, it is almost never random — and the real entropy is far lower than the formula suggests, because attackers do not guess randomly either.
Why human-chosen passwords are weaker than they look
Password-cracking tools do not start with "aaaaaaaa" and count up. They start with what humans actually do: the most common passwords, leaked password lists, dictionary words, names, dates, sports teams, and predictable transformations (capitalize the first letter, add a year, swap o→0 and a→@). A password like P@ssw0rd2024! ticks every "rule" box and is still cracked in seconds, because every one of those substitutions is the first thing an attacker tries.
This is why our meter flags patterns, not just character classes. A 14-character password made of a dictionary word plus a date can be weaker than a 10-character truly random string.
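The two ideas above, the L × log2(N) upper bound and the pattern flags that override it, shown as an added JavaScript example. This is not the site's own meter code; the word list, substitution map and keyboard rows are small constructed samples, and the function names are hypothetical.

```javascript
// Added example, not the site's meter. COMMON, LEET and ROWS are
// small constructed samples; a real checker would use far larger lists.
const COMMON = ["password", "qwerty", "letmein", "dragon", "welcome", "monkey"];
const LEET = { "@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t" };
const ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];

// Upper bound from the page's formula L * log2(N). N is the sum of the
// character classes present; the result holds only for random characters.
function naiveEntropyBits(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII symbols incl. space
  return n === 0 ? 0 : pw.length * Math.log2(n);
}

// True if any minLen-character window lies on one keyboard row, in either direction.
function hasKeyboardRun(lower, minLen = 4) {
  for (const row of ROWS) {
    const rev = [...row].reverse().join("");
    for (let i = 0; i + minLen <= lower.length; i++) {
      const chunk = lower.slice(i, i + minLen);
      if (row.includes(chunk) || rev.includes(chunk)) return true;
    }
  }
  return false;
}

// Undo the common substitutions first, so "P@ssw0rd" is matched as "password".
function weaknessFlags(pw) {
  const lower = pw.toLowerCase();
  const deleet = [...lower].map(c => LEET[c] ?? c).join("");
  const flags = [];
  if (COMMON.some(w => lower.includes(w) || deleet.includes(w))) flags.push("dictionary-word");
  if (/(?:19|20)\d{2}/.test(pw)) flags.push("year");
  if (/(.)\1{2,}/.test(pw)) flags.push("repeated-chars");
  if (hasKeyboardRun(lower)) flags.push("keyboard-run");
  return flags;
}

// The bit count is only trustworthy when no human pattern was found.
function assess(pw) {
  const flags = weaknessFlags(pw);
  return { bits: Math.round(naiveEntropyBits(pw)), flags, trustBits: flags.length === 0 };
}

console.log(assess("P@ssw0rd2024!")); // constructed sample input
console.log(assess("vT9#qLz!m4Xe"));  // constructed sample input
```

The first sample gets the higher naive bit count of the two, yet it is the one flagged, which is why the formula alone is not a strength score.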
The two rules that beat everything else
- Make it longer before you make it weirder. The meter rewards extra characters far more than extra symbol types, because length grows the keyspace exponentially while a new character class grows it only once.
- Never reuse a winning password. A high score here means nothing if the same string guards five sites: one breach and credential-stuffing bots will try it against your email and bank within hours. A high score limits the damage only when the password is unique.
So what should you actually do?
Stop auditing passwords you invented and let a generator hand you ones a human could never produce. Most accounts deserve a fully random string; the two or three you log into by hand deserve a word-based phrase. Both belong in a manager, and the only secret left in your head is the phrase that unlocks the manager itself.
For real-world crack-time numbers — what 8, 12, and 16 characters actually buy you against a GPU rig, and why the hashing algorithm a breached site used matters as much as your password — see our guide: how long would it take to crack your password?
Related security tools
- Password Generator — once you see a weak score, replace it with a one-click random string.
- Passphrase Generator — earn a high score with words you can still remember.
- PIN Generator — the same entropy thinking applied to short numeric codes.
Frequently asked questions
Is this safe to use on a real password?
What is password entropy?
What "crack time" do you assume?
Why is a long sentence stronger than a short complex password?
Do special characters and numbers actually help?
My password scored high but I have used it on several sites. Is it safe?
What makes a password weak even if it is long?
Should I change my passwords regularly?
How many bits of entropy is "enough"?
Built by Muhammad Tahir · About