Password Strength Checker
Check password strength locally. See entropy bits, estimated crack time, character class coverage, and concrete suggestions to make it stronger. Nothing is sent or stored.
Check password strength
Runs entirely in your browser. Nothing is sent, stored, or logged.
Start typing to see entropy, crack time, and a per-class breakdown.
Frequently Asked Questions about the Password Strength Checker
How is entropy calculated?
Entropy in bits equals log2(charsetSize) * length. Lowercase adds 26, uppercase 26, digits 10, symbols 32. A 12-character password using all four classes draws from 94 characters, giving about 78 bits.
What entropy is actually safe?
NIST SP 800-63B retired strict composition rules and now emphasizes length over character mix. Practical floor: 60 bits; 80+ is comfortable against offline attacks on modern hashes; 128+ is overkill for almost everything.
Should I use a password or a passphrase?
A passphrase of 4-6 random words from a large list (like EFF's 7,776-word list) usually beats a short random password on both entropy and memorability. Four random words is about 51 bits, six is about 77.
Does a strong password replace 2FA?
No. Even a very strong password can leak through phishing, malware, or a breach. Pair it with a second factor (hardware key, TOTP app, or passkey) on every important account.
Where does my password go when I check it?
Nowhere. Evaluation runs entirely in your browser via JavaScript. The password is never sent over the network, stored in localStorage, or logged. Close the tab and it is gone.