Skip to main content

Password Strength

Weak passwords are responsible for over 80% of hacking-related data breaches. Our password strength checker evaluates your password against NIST 2024 guidelines: entropy, character variety, common password databases, and keyboard pattern detection — giving you actionable feedback rather than just a color-coded bar.

Strength

At least 12 characters
Uppercase letter
Lowercase letter
Number
Special character
Share this tool
Security

About the Password Strength Checker

Weak passwords are responsible for over 80% of hacking-related data breaches. Our password strength checker evaluates your password against NIST 2024 guidelines: entropy, character variety, common password databases, and keyboard pattern detection — giving you actionable feedback rather than just a color-coded bar.

How to use it

  1. Type a password (never enter a real password on unfamiliar sites — ours runs entirely client-side).
  2. See entropy in bits, crack time estimates for different attack types, and specific weaknesses.
  3. View suggestions: which specific changes would most improve strength.
  4. Generate a strong random password or passphrase as an alternative.

Formula & methodology

Entropy = log₂(character_space^length). Character spaces: lowercase only = 26, + uppercase = 52, + digits = 62, + symbols = 94. Example: 8-char lowercase = 26^8 = 208 billion combinations = 37.6 bits. Each added character doubles entropy within the same character space.

Common use cases

  • Evaluating a new password before setting it on an account
  • Understanding why "P@ssw0rd" scores low despite seeming complex
  • Security training: demonstrating password concepts to employees
  • Building a password policy: setting minimum entropy requirements
  • Comparing passphrase vs random character password strategies

Frequently asked questions

Length increases entropy exponentially while complexity increases it linearly. "correct-horse-battery-staple" (4 random words, ~44 entropy bits) is significantly harder to crack than "P@ss1!" (6 chars with complexity, ~30 bits). A 16-character lowercase-only random password beats an 8-character "complex" one by billions of combinations.
Crack time estimates assume an offline attack using specialized GPU hardware capable of billions of guesses per second (bcrypt-hashed: ~20,000/s; MD5-hashed: ~10 billion/s). "100 years" means the password is strong against current attacks. But quantum computers may reduce these estimates for some algorithms — use a password manager and enable 2FA regardless.

Related tools

Related tools

All Tools →

Embed this tool on your site

Free for personal and commercial use. Just copy the snippet below.