Password Strength Checker

Find out how strong your password really is. Get an estimated crack time, strength score and a checklist of what to improve. Your password never leaves the browser — nothing is sent to any server.

Frequently Asked Questions

How is password strength actually calculated — what do 'bits of entropy' mean?

Entropy is measured in bits and represents the size of the search space an attacker must exhaust. For a truly random password, entropy = length × log₂(charset size). A lowercase-only 8-character password has about 37.6 bits; adding uppercase, digits, and symbols (95-character ASCII) gives about 52.4 bits. Each additional bit doubles the number of guesses required. Modern cracking hardware can attempt roughly 1 trillion hashes per second against fast hashes like MD5, meaning that exhausting a 60-bit search space takes ~13 days and exhausting an 80-bit search space takes ~38,000 years.

Why does P@ssword1 score poorly despite having uppercase, lowercase, digits and a symbol?

Because modern strength estimators like zxcvbn (developed by Dropbox) evaluate passwords against real-world cracking strategies, not just character set composition. P@ssword1 is a known pattern: a dictionary word with predictable letter-to-symbol substitutions (a→@) and a trailing digit. Attackers use rule-based attacks in tools like Hashcat that specifically target these patterns. Entropy calculated from charset size only applies to truly random passwords — for human-chosen passwords, effective entropy is far lower because humans follow predictable patterns.
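The gap between the charset formula and a pattern-aware estimate can be shown with a short sketch. This is an added example, not zxcvbn and not this tool's code; the word list, substitution table, sample passwords and guess model are constructed assumptions.

```javascript
// Added example (not zxcvbn, not this tool's code). WORDS, LEET and the
// guess model below are constructed for illustration.
const WORDS = ["password", "welcome", "dragon", "monkey", "letmein"]; // ranked sample list
const LEET = { "@": "a", "4": "a", "0": "o", "3": "e", "1": "i", "!": "i", "$": "s", "5": "s", "7": "t" };
const GUESSES_PER_SECOND = 1e12; // fast-hash offline rate quoted in the FAQ

// entropy = length * log2(charset size); only valid for truly random passwords.
function naiveEntropyBits(pw) {
  let charset = 0;
  if (/[a-z]/.test(pw)) charset += 26;
  if (/[A-Z]/.test(pw)) charset += 26;
  if (/[0-9]/.test(pw)) charset += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) charset += 33; // printable ASCII symbols, space included
  return charset === 0 ? 0 : pw.length * Math.log2(charset);
}

// Pattern-aware estimate: dictionary word + leet substitutions + capitalization
// + up to four trailing digits. Returns log2 of the guesses such a rule needs.
function patternEntropyBits(pw) {
  let best = naiveEntropyBits(pw);
  const trailingDigits = /\d*$/.exec(pw)[0].length;
  for (let k = 0; k <= Math.min(trailingDigits, 4); k++) {
    const base = pw.slice(0, pw.length - k);
    const lower = base.toLowerCase();
    const rank = WORDS.indexOf([...lower].map(c => LEET[c] || c).join("")) + 1;
    if (rank === 0) continue; // not a dictionary word under this split
    const subs = [...lower].filter(c => c in LEET).length;
    // First-letter capital is one extra variant; anything else costs every case mask.
    const caps = base === lower ? 1 : /^[A-Z][^A-Z]*$/.test(base) ? 2 : 2 ** base.length;
    best = Math.min(best, Math.log2(rank * caps * 2 ** subs * 10 ** k));
  }
  return best;
}

// Time to exhaust the whole search space at the given guess rate.
function secondsToExhaust(bits, rate = GUESSES_PER_SECOND) {
  return 2 ** bits / rate;
}

// Constructed sample inputs: one patterned password, one random lowercase string.
for (const pw of ["P@ssword1", "qzvkxwpjmrtnhgbd"]) {
  console.log(pw, naiveEntropyBits(pw).toFixed(1), "bits naive,",
    patternEntropyBits(pw).toFixed(1), "bits against the pattern rule");
}
```

Under this model P@ssword1 falls from roughly 59 bits by charset to about 5 bits, while the random lowercase string keeps its full charset entropy because no rule matches it.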

What is the difference between an online attack and an offline attack?

An online attack requires guessing through a live login endpoint, which typically enforces rate limiting, lockouts, or CAPTCHAs — limiting an attacker to tens or hundreds of guesses per second. An offline attack occurs when an attacker has obtained a copy of the password hash database and can run cracking software locally at billions or trillions of hashes per second with no throttling. A password that is strong against online attacks may be weak against offline attacks. Strength meters calibrate crack time estimates assuming offline attacks against modern hardware.

Does password length matter more than complexity?

Length has a greater effect than complexity at most practical ranges. Adding one character to a lowercase-only password adds log₂(26) ≈ 4.7 bits of entropy; switching from lowercase-only to full printable ASCII only adds about 1.87 bits per character. A random 16-character lowercase password (75 bits) is stronger than a random 8-character full-symbol password (52 bits). NIST SP 800-63B (2017) explicitly moved away from complexity requirements toward encouraging longer passwords and passphrases, because complexity rules cause predictable substitution patterns while each added character multiplies the search space.

Is my password sent to a server when I use a strength checker?

With this tool, no. Everything runs in your browser using JavaScript — no network request is made with your password. You can verify this by opening DevTools → Network tab and confirming no requests fire when you type. If a tool does send the password to a server (detectable via the Network tab), treat that as a serious red flag. Your password should never leave your browser during a strength check.