Free Password Strength Checker & Secure Password Generator

Test how strong your password is with real crack-time estimates. Generate secure passwords with custom settings. 100% private — all analysis runs locally in your browser, never sent to any server.

Password Strength Checker

Words here are treated as known to attackers, reducing estimated strength.

Security Analysis

Enter a password to see detailed analysis

Crack time estimates, strength score, and security feedback will appear here.

100% Private

Never sent to any server

Crack Time Estimates

4 attack scenarios

Password Generator

Customizable & secure

zxcvbn Algorithm

Industry-standard analysis

What Is a Password Strength Checker?

A password strength checker is a security tool that evaluates how resistant a password is to various types of attacks — estimating how long it would take a hacker to crack it using common cracking techniques. Unlike simple checkers that just count characters or look for uppercase letters, our tool uses zxcvbn — a sophisticated password strength estimation library developed by Dropbox — to realistically model how attackers actually crack passwords in the real world.

zxcvbn analyzes patterns in your password that humans find memorable but machines can guess efficiently: dictionary words, names, dates, keyboard patterns (qwerty, asdfgh), sequential numbers (123456), repeated characters, common substitutions (@ for a, 3 for e), and character sequences. It combines this analysis with frequency data from millions of real-world passwords to produce accurate, realistic crack-time estimates across four different attack scenarios.

All analysis happens 100% locally in your browser. Your password is never sent to any server, never logged, and never transmitted over the internet. This is the most fundamental security property a password checker can have — because a checker that transmits your passwords would be worse than useless.

Score 0 — Very Weak

Common passwords, keyboard patterns, single words. Cracked instantly by any attack. Examples: 'password', '123456', 'qwerty', 'abc123'.

Score 1 — Weak

Simple words with common substitutions or added numbers. Cracked in seconds to hours by dictionary attacks. Examples: 'p@ssw0rd', 'admin123', 'letmein!'.

Score 2 — Fair

Moderate complexity with some random elements. Takes days to weeks with offline attacks. Better but still vulnerable to targeted attacks.

Score 3–4 — Strong

High entropy with random characters, long length, or unpredictable patterns. Takes years to centuries even with fast offline cracking hardware.

How to Create a Strong Password — Best Practices

What Makes a Strong Password

  • At least 12 characters — 16+ is strongly recommended
  • Mix of uppercase, lowercase, numbers, and symbols
  • Random characters — not words, names, or dates
  • Unique per account — never reuse passwords
  • No personal information (name, birthday, pet names)
  • No keyboard patterns (qwerty, asdfgh, 12345)
  • No common substitutions (@ for a, 3 for e, 0 for o)
  • Passphrases: 4+ random unrelated words work well

Common Password Mistakes to Avoid

  • Using 'password', '123456', or top-10000 common passwords
  • Adding '1' or '!' to the end of a simple word
  • Substituting letters with look-alikes (P@ssw0rd)
  • Using your name, username, or email in the password
  • Using birth dates, anniversaries, or phone numbers
  • Using the same password across multiple accounts
  • Passwords shorter than 8 characters
  • Using sequential or repeated characters (aaaa, 1234)

Understanding Password Crack Time Estimates

Our tool provides crack time estimates for four real-world attack scenarios. Understanding the difference between these scenarios helps you choose the right password strength for your use case:

Online (Throttled) — 100 guesses/hour

Most online login systems implement rate limiting — locking accounts or requiring CAPTCHAs after 5–10 failed attempts. At 100 guesses per hour, even a weak 6-character password takes days to crack via brute force. This is why common password reuse is dangerous — attackers with leaked password lists don't need to brute force.

Online (Unthrottled) — 10 guesses/second

Some poorly secured systems don't implement rate limiting. At 10 guesses per second, simple passwords fall within minutes to hours. This scenario models APIs, admin panels, or legacy systems that lack proper brute-force protection.

Offline Slow Hash — 10,000 guesses/second

When a database is breached and password hashes are stolen, attackers crack them offline without any rate limits. Slow hashing algorithms (bcrypt, scrypt, Argon2) intentionally slow down cracking to ~10,000 hashes/second. This is why websites should use bcrypt — it makes even moderately strong passwords take years to crack.

Offline Fast Hash — 10 Billion guesses/second

Poorly secured systems use fast hashes (MD5, SHA1, unsalted SHA256) that can be cracked at billions of attempts per second on consumer GPU hardware. At 10 billion/second, an 8-character password with full character set falls in under an hour. This is why MD5 password storage is catastrophically insecure.

How to Use the Password Generator

Our built-in password generator creates cryptographically strong random passwords based on your specifications. Here's how to use it effectively:

  1. 1

    1. Set Password Length

    Choose a length between 6 and 128 characters. For most accounts, 16 characters is a good minimum. For high-security accounts (banking, email, password managers), use 20+ characters.

  2. 2

    2. Select Character Types

    Check the character types you want included: Uppercase (A–Z), Lowercase (a–z), Numbers (0–9), Symbols (!@#$%^&*). Including all four character types maximizes entropy and strength. Only exclude types if a specific website's rules require it.

  3. 3

    3. Generate and Review

    Click 'Generate Password' to create a random password. The strength meter immediately analyzes the generated password. If the strength score is below 3 (Strong), increase the length or add more character types and regenerate.

  4. 4

    4. Copy to Your Password Manager

    Click 'Copy' to copy the generated password to your clipboard, then paste it immediately into your password manager (1Password, Bitwarden, Dashlane, LastPass, etc.). Never type generated passwords from memory — that defeats the purpose of random generation.

Frequently Asked Questions — Password Strength Checker

Is my password sent to a server when I test it?

No. All password analysis runs entirely in your browser using the zxcvbn JavaScript library. Your password is never transmitted over the internet, never logged, and never visible to anyone but you. The page processes your input locally — there are no API calls made when you type.

How is password strength calculated?

We use zxcvbn, developed by Dropbox security researchers and released as open source. It analyzes passwords by pattern matching against 30,000+ common passwords, 100,000+ common English words, common names, popular patterns (qwerty, keyboard walks), years, and date patterns. It also penalizes common character substitutions and repetition. The result is a score from 0–4 with realistic crack time estimates.

How long should my password be?

Security recommendations have evolved significantly. The NIST Special Publication 800-63B (2017) recommends passwords of at least 8 characters, but modern best practice suggests 12–16 characters minimum for typical accounts, and 20+ characters for critical accounts like email, banking, and password managers. Length is the single most impactful factor in password strength — every additional character exponentially increases cracking difficulty.

Is a 12-character password secure enough?

A truly random 12-character password using all character types has approximately 79 bits of entropy and would take trillions of years to crack with an offline fast-hash attack. However, 'random' is key — 'P@ssword12!' has only 12 characters but is trivially weak because it follows predictable patterns. Use our generator to create genuinely random passwords.

What is the custom dictionary field for?

You can add words that you don't want in your password — your name, company name, pet names, hometown, sports teams, etc. These words are passed to zxcvbn as additional known patterns, so the strength estimate correctly penalizes passwords containing them. This gives you a more accurate strength estimate tailored to your personal risk profile.

Should I use a password manager?

Yes — absolutely. Password managers (1Password, Bitwarden, Dashlane, KeePass, Apple Keychain, Google Password Manager) allow you to use a different, fully random password for every account without memorizing them. They also warn you about reused, weak, and compromised passwords. Using our generator to create passwords and storing them in a password manager is the gold standard for personal account security.

What is entropy in password strength?

Entropy (measured in bits) quantifies how unpredictable a password is. Each additional bit of entropy doubles the number of guesses required to crack the password. A password with 40 bits of entropy requires about 1 trillion guesses to crack. Our tool displays entropy as a log10 guesses estimate — a value of 10 means 10^10 (10 billion) guesses required.

Are passphrases more secure than complex passwords?

A passphrase of 4–5 random common words (e.g. 'correct-horse-battery-staple') has high entropy due to length while being more memorable than random character strings. At 20+ characters, a random passphrase can be stronger than a shorter complex password. The key word is 'random' — personally meaningful phrases ('ilovemydog2019') are much weaker than truly random word combinations.