Password Strength Checker
Check password strength with real-time score and crack time estimate.
Your password never leaves your browser — analysis runs locally.
Common password mistakes to avoid
- Using personal information — birthdays, names, phone numbers are guessable from social media and tried first in targeted attacks.
- Simple substitutions— “P@ssw0rd” is well-known to crackers. Dictionary attacks now include common substitutions (a→@, o→0, i→1).
- Reusing passwords — when one site is breached, attackers try the same password on other sites (credential stuffing).
- Short passwords — an 8-character password with only letters can be cracked in seconds with modern hardware.
The 2025 password guide
- Minimum 12 characters; 16+ for important accounts
- Use a password manager — never reuse passwords
- Enable two-factor authentication (2FA) wherever possible
- Use hardware security keys (YubiKey) for critical accounts
- Check if your email/password appeared in known breaches at Have I Been Pwned
Frequently asked questions
- Is my password sent to a server?
- No. This tool runs entirely in your browser using JavaScript. Your password is never transmitted over the network or stored anywhere. You can verify this by disconnecting from the internet and trying it — it will still work.
- What makes a password strong?
- A strong password has: (1) at least 12 characters (16+ is better), (2) a mix of uppercase and lowercase letters, (3) at least one number, (4) at least one special character (!@#$%^&*), and (5) no predictable patterns or dictionary words. The longer and more random, the better.
- How is crack time estimated?
- Crack time is estimated based on the size of the character pool used (lowercase = 26, uppercase = 26, digits = 10, symbols = 32) and the password length. The number of possible combinations is pool^length. Assuming a modern GPU can test 10 billion guesses per second, the time to exhaust all possibilities is calculated. This is a conservative offline brute-force estimate.
- What is a passphrase and is it better than a password?
- A passphrase is a sequence of 4–6 random words (e.g., 'correct horse battery staple'). It can be extremely secure (entropy from word combinations is high) and much easier to remember than a random character string. A 4-word passphrase from a 2,000-word dictionary has 2000^4 = 16 trillion combinations, which is stronger than most 10-character passwords.
- Should I use a password manager?
- Yes — password managers (Bitwarden, 1Password, KeePass) generate and store unique, highly random passwords for every site. You only need to remember one master password. This eliminates password reuse, which is the most common cause of account breaches.
Related tools
- JSON Formatter
Format, beautify, minify, and validate JSON in your browser
- QR Code Generator
Generate QR codes for URLs, text, Wi-Fi, and more. Download as PNG.
- Password Generator
Generate strong, random passwords with custom length and character sets.
- Base64 Encoder / Decoder
Encode text to Base64 or decode Base64 back to plain text.
- URL Encoder / Decoder
Encode or decode URLs and query strings with percent-encoding.