Password Tools

Password Strength Checker

See exactly how long your password would actually take to crack, whether it has already shown up in a real data breach, and which specific weaknesses are dragging your score down — all analyzed locally in your browser. Nothing you type here is ever sent to our servers.

The password field does not block paste, so password manager autofill works normally.

Scored using published entropy and crack-time models, not a black-box formula.

What this checker analyzes — 6 signals
Length
Length is the single biggest driver of crack time — every extra character multiplies the total keyspace an attacker has to search, far more than adding character-set complexity does. A 16-character lowercase-only password is harder to brute-force than an 8-character password mixing all four character classes.
Character variety
Checks whether your password draws from uppercase letters, lowercase letters, digits, and symbols. Variety expands the keyspace per character position, but only matters once length is already sufficient — four character classes in an 8-character password is still weak.
Entropy
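Entropy is measured in bits and describes the size of the space a brute-force attacker has to search: a password with n bits of entropy is one of 2^n equally likely candidates, and on average about half of them are tried before it is found. It is calculated as log2(keyspace^length), which equals length × log2(keyspace). It is the closest thing to an objective strength number, independent of any specific attacker's hardware.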
Breach database exposure
Checks your password against Have I Been Pwned's database of 800M+ passwords seen in real breaches, using the k-anonymity model: only the first 5 characters of the SHA-1 hash leave your browser, and HIBP returns a list of matching suffixes for local comparison — your actual password is never transmitted or logged anywhere.
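The k-anonymity lookup described above, as an added example rather than this site's own code. It uses Node's crypto module and a constructed response body so it runs offline; `splitHash`, `countInRange`, `pwnedCount` and `stubLookup` are illustrative names.

```javascript
// Added example; Node's crypto stands in for the browser's crypto.subtle.digest.
const { createHash } = require("node:crypto");

// SHA-1 the password, then split the hex digest: the 5-character prefix is the
// only part sent; the 35-character suffix stays on the client.
function splitHash(password) {
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// A range response is one "SUFFIX:COUNT" entry per line. Returns the count for
// our suffix, or 0 when it is absent.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      return Number.parseInt(count, 10) || 0; // padding entries carry count 0
    }
  }
  return 0;
}

// rangeLookup(prefix) returns the response body. In a browser it would wrap
// fetch(`https://api.pwnedpasswords.com/range/${prefix}`) and be awaited.
function pwnedCount(password, rangeLookup) {
  const { prefix, suffix } = splitHash(password);
  return countInRange(rangeLookup(prefix), suffix);
}

// CONSTRUCTED response: the counts and the first and last suffixes are made up.
const sent = []; // everything the stub "server" gets to see
function stubLookup(prefix) {
  sent.push(prefix);
  const hit = prefix === "5BAA6" ? `${splitHash("password").suffix}:1000` : "";
  return [
    "0".repeat(34) + "1:3",
    hit,
    "F".repeat(35) + ":0", // padding-style entry
  ].join("\r\n");
}

console.log(pwnedCount("password", stubLookup), sent); // only the prefix was sent
```

The comparison against the returned suffixes happens entirely in `countInRange`, so the stub only ever receives the five-character prefix.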
Predictable patterns
Detects the patterns that raw entropy math misses entirely: keyboard walks (qwerty, asdfgh), sequential runs (123456, abcdef), repeated characters (aaaa1111), and leetspeak substitutions of dictionary words (p4ssw0rd). Password crackers try these patterns before anything else — they cost almost nothing to check.
Estimated crack time
Translates entropy into a real-world number using published hardware benchmarks for both fast unsalted hashing (billions of guesses/sec on modern GPU rigs) and slow, properly-salted hashing algorithms like bcrypt or Argon2 (tens of thousands of guesses/sec) — because those two scenarios produce wildly different outcomes for the same password.
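The entropy formula and the four pattern checks described above, as an added example that is not this checker's own code. The wordlist, keyboard rows, leetspeak map, thresholds and function names are assumptions chosen for illustration.

```javascript
// Added example. WORDS and KEY_ROWS are small constructed samples, not a real wordlist.
const WORDS = ["password", "troubador", "dragon", "monkey"];
const KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"];
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

// log2(keyspace^length) = length * log2(keyspace); keyspace sums the classes in use.
function naiveEntropyBits(pw) {
  let keyspace = 0;
  if (/[a-z]/.test(pw)) keyspace += 26;
  if (/[A-Z]/.test(pw)) keyspace += 26;
  if (/[0-9]/.test(pw)) keyspace += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) keyspace += 32; // assumption: ASCII symbols only
  return keyspace ? pw.length * Math.log2(keyspace) : 0;
}

// Run of `min`+ characters whose code points step by +1 or -1 (123, cba).
function hasSequentialRun(pw, min = 3) {
  for (const step of [1, -1]) {
    let run = 1;
    for (let i = 1; i < pw.length; i++) {
      run = pw.charCodeAt(i) - pw.charCodeAt(i - 1) === step ? run + 1 : 1;
      if (run >= min) return true;
    }
  }
  return false;
}

// `min`+ adjacent keys from one keyboard row, in either direction.
function hasKeyboardWalk(pw, min = 4) {
  const s = pw.toLowerCase();
  for (let i = 0; i + min <= s.length; i++) {
    const chunk = s.slice(i, i + min);
    const rev = [...chunk].reverse().join("");
    if (KEY_ROWS.some((row) => row.includes(chunk) || row.includes(rev))) return true;
  }
  return false;
}

function findPatterns(pw) {
  const lower = pw.toLowerCase();
  const deleet = lower.replace(/[013457@$]/g, (c) => LEET[c]); // undo a->4, o->0, ...
  const found = [];
  if (hasKeyboardWalk(pw)) found.push("keyboard-walk");
  if (hasSequentialRun(lower)) found.push("sequence");
  if (/(.)\1{2,}/.test(pw)) found.push("repeat");
  if (WORDS.some((w) => lower.includes(w))) found.push("dictionary");
  else if (WORDS.some((w) => deleet.includes(w))) found.push("leetspeak");
  return found;
}
```

For `Tr0ub4dor&3` the formula alone returns about 72 bits while `findPatterns` reports `leetspeak`, which is the gap between raw entropy and pattern detection that the section describes.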
How passwords are actually cracked
Brute force
Every possible character combination is tried in order until one matches. Effective only against short passwords or weakly-salted hashes — an 8-character random password can fall in hours against an unsalted fast hash, while the same password against a properly salted bcrypt hash can take years.
Dictionary & wordlist attacks
Attackers try real words, names, and known-leaked passwords first — lists like RockYou (14M+ real passwords from a 2009 breach) — combined with common substitutions (a→4, e→3, o→0). This is why "Tr0ub4dor&3" is weaker than its entropy score alone suggests.
Credential stuffing
Attackers replay username/password pairs stolen from one breach against completely unrelated sites, betting on password reuse. This doesn't care how strong your password is — it only works if you've used the same password somewhere that was breached.
Rainbow table attacks
Precomputed tables map billions of hash outputs back to plaintext instantly. Modern systems defend against this with per-password salting, but any site still using unsalted MD5 or SHA-1 for password storage is fully exposed to this method regardless of password strength.
How detectable is each password style?
| Example | Entropy | Est. crack time | Verdict | Why |
| --- | --- | --- | --- | --- |
| 123456 | ~7 bits | instant | Critical | Top entry on every breach password list. Tried before any brute-force attempt even begins. |
| password123 | ~24 bits | instant | Critical | Dictionary word plus a predictable numeric suffix — one of the first patterns any wordlist attack tries. |
| Tr0ub4dor&3 | ~52 bits | ~8 hours (fast hash) | Weak | Reasonable entropy score, but it is a dictionary word with leetspeak substitution — a well-known targeted pattern. |
| random 16-char (a-z, A-Z, 0-9) | ~95 bits | ~34,000 years (fast hash) | Strong | No dictionary structure and no shortcuts available — an attacker is forced into pure brute force. |
| 6-word diceware passphrase | ~77 bits, unique wording | trillions of years | Excellent | Randomly generated from a fixed wordlist — high entropy and genuinely memorable, the combination most password advice fails to deliver. |
Stop remembering weak passwords — store strong ones instead

A password manager generates and autofills a unique, high-entropy password for every site, so length and randomness stop being something you have to remember. The three below are independently well-regarded — pick based on the workflow that fits you, not just the cheapest plan.

1Password

Travel Mode hides entire vaults when crossing borders, and family/business sharing is best-in-class.

  • Travel Mode vault hiding
  • Watchtower breach monitoring
  • Best-in-class team sharing
From $2.99/mo
Dashlane

Bundles a built-in VPN and dark web monitoring into the same subscription — fewer apps to manage.

  • Built-in VPN included
  • Dark web monitoring
  • One-click password changer
From $4.99/mo
Frequently asked questions