Password Strength Checker

Check password strength with real-time score and crack time estimate.

Your password never leaves your browser — analysis runs locally.

Common password mistakes to avoid

  • Using personal information — birthdays, names, phone numbers are guessable from social media and tried first in targeted attacks.
  • Simple substitutions — “P@ssw0rd” is well-known to crackers. Dictionary attacks now include common substitutions (a→@, o→0, i→1).
  • Reusing passwords — when one site is breached, attackers try the same password on other sites (credential stuffing).
  • Short passwords — an 8-character password with only letters can be cracked in seconds with modern hardware.

The 2025 password guide

  • Minimum 12 characters; 16+ for important accounts
  • Use a password manager — never reuse passwords
  • Enable two-factor authentication (2FA) wherever possible
  • Use hardware security keys (YubiKey) for critical accounts
  • Check if your email/password appeared in known breaches at Have I Been Pwned

How crack time is estimated

The estimated crack time shown is based on an offline brute-force attack using a modern GPU (approximately 10 billion guesses per second). The calculation considers the size of the character pool you use — lowercase only (26), mixed case (52), alphanumeric (62), or with symbols (94) — raised to the power of your password length. A 10-character password using all character types has 94^10 ≈ 53 quadrillion combinations. At 10 billion guesses per second, that takes about 61 days. A 16-character all-types password takes millions of years.

Why your password still matters even with 2FA

Two-factor authentication is a strong second layer, but it doesn't make your password irrelevant. A weak password is more likely to be included in credential stuffing lists from previous breaches — attackers try known password/email pairs before attempting brute force. SMS-based 2FA can also be bypassed via SIM swapping. A strong, unique password combined with app-based 2FA (Google Authenticator, Authy) or a hardware key gives the best protection for high-value accounts like banking, email, and investment platforms.

Passphrase vs random string — which is better?

A random 12-character string like k#9Lm$2pQx!v has very high entropy but is nearly impossible to memorise. A 5-word passphrase like correct-horse-battery-staple-rain is easier to remember and has comparable entropy (5 words from a 2,000-word list = 2000^5 combinations). For accounts where you must type the password manually (computer login), passphrases win. For everything else, use a password manager with auto-generated random strings.
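
The estimate described under "How crack time is estimated", applied to both character passwords and passphrases, as an added JavaScript example (not this tool's own code). The function names, the sample word list and the substitution check are assumptions made for illustration; the check shows why a password such as “P@ssw0rd” gets no credit for its 94-character pool.

```javascript
// Added example. Pool sizes and guess rate are the page's; everything else is assumed.
const GUESSES_PER_SECOND = 1e10; // offline attack on one modern GPU
const COMMON = new Set(["password", "letmein", "qwerty"]); // constructed sample list
const UNSUB = { "@": "a", "0": "o", "1": "i" }; // a→@, o→0, i→1 reversed

// Character pool: lowercase 26, uppercase 26, digits 10, symbols 32.
// Simplification: any other character (space, non-ASCII) counts as a symbol.
function poolSize(password) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 32;
  return pool;
}

// log2(pool^length); working in bits keeps long inputs from overflowing.
function charEntropyBits(password) {
  const pool = poolSize(password);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Same model for passphrases: the word list is the pool, word count the length.
function passphraseEntropyBits(wordCount, listSize) {
  return wordCount * Math.log2(listSize);
}

function secondsToExhaust(bits, rate = GUESSES_PER_SECOND) {
  return Math.pow(2, bits) / rate;
}

// True when undoing the common substitutions yields a listed password.
function isDictionaryDerived(password) {
  const normalized = password.toLowerCase().replace(/[@01]/g, (c) => UNSUB[c]);
  return COMMON.has(normalized);
}

// Brute-force time is an upper bound; a dictionary hit overrides it.
function estimate(password) {
  const bits = charEntropyBits(password);
  const dictionary = isDictionaryDerived(password);
  return { pool: poolSize(password), bits, dictionary,
           seconds: dictionary ? 0 : secondsToExhaust(bits) };
}

console.log(estimate("P@ssw0rd"), estimate("abcdefgh"));
```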

Frequently asked questions

Is my password sent to a server?
No. This tool runs entirely in your browser using JavaScript. Your password is never transmitted over the network or stored anywhere. You can verify this by disconnecting from the internet and trying it — it will still work.
What makes a password strong?
A strong password has: (1) at least 12 characters (16+ is better), (2) a mix of uppercase and lowercase letters, (3) at least one number, (4) at least one special character (!@#$%^&*), and (5) no predictable patterns or dictionary words. The longer and more random, the better.
How is crack time estimated?
Crack time is estimated based on the size of the character pool used (lowercase = 26, uppercase = 26, digits = 10, symbols = 32) and the password length. The number of possible combinations is pool^length. Assuming a modern GPU can test 10 billion guesses per second, the time to exhaust all possibilities is calculated. This is a conservative offline brute-force estimate.
What is a passphrase and is it better than a password?
A passphrase is a sequence of 4–6 random words (e.g., 'correct horse battery staple'). It can be extremely secure (entropy from word combinations is high) and much easier to remember than a random character string. A 4-word passphrase from a 2,000-word dictionary has 2000^4 = 16 trillion combinations, which is stronger than most 10-character passwords.
Should I use a password manager?
Yes — password managers (Bitwarden, 1Password, KeePass) generate and store unique, highly random passwords for every site. You only need to remember one master password. This eliminates password reuse, which is the most common cause of account breaches.
