Test how strong your password is with real crack-time estimates. Generate secure passwords with custom settings. 100% private — all analysis runs locally in your browser, never sent to any server.
Words here are treated as known to attackers, reducing estimated strength.
Enter a password to see detailed analysis
Crack time estimates, strength score, and security feedback will appear here.
100% Private
Never sent to any server
Crack Time Estimates
4 attack scenarios
Password Generator
Customizable & secure
zxcvbn Algorithm
Industry-standard analysis
A password strength checker is a security tool that evaluates how resistant a password is to various types of attacks — estimating how long it would take a hacker to crack it using common cracking techniques. Unlike simple checkers that just count characters or look for uppercase letters, our tool uses zxcvbn — a sophisticated password strength estimation library developed by Dropbox — to realistically model how attackers actually crack passwords in the real world.
zxcvbn analyzes patterns in your password that humans find memorable but machines can guess efficiently: dictionary words, names, dates, keyboard patterns (qwerty, asdfgh), sequential numbers (123456), repeated characters, common substitutions (@ for a, 3 for e), and character sequences. It combines this analysis with frequency data from millions of real-world passwords to produce accurate, realistic crack-time estimates across four different attack scenarios.
All analysis happens 100% locally in your browser. Your password is never sent to any server, never logged, and never transmitted over the internet. This is the most fundamental security property a password checker can have — because a checker that transmits your passwords would be worse than useless.
Common passwords, keyboard patterns, single words. Cracked instantly by any attack. Examples: 'password', '123456', 'qwerty', 'abc123'.
Simple words with common substitutions or added numbers. Cracked in seconds to hours by dictionary attacks. Examples: 'p@ssw0rd', 'admin123', 'letmein!'.
Moderate complexity with some random elements. Takes days to weeks with offline attacks. Better but still vulnerable to targeted attacks.
High entropy with random characters, long length, or unpredictable patterns. Takes years to centuries even with fast offline cracking hardware.
Our tool provides crack time estimates for four real-world attack scenarios. Understanding the difference between these scenarios helps you choose the right password strength for your use case:
Most online login systems implement rate limiting — locking accounts or requiring CAPTCHAs after 5–10 failed attempts. At 100 guesses per hour, even a weak 6-character password takes days to crack via brute force. This is why common password reuse is dangerous — attackers with leaked password lists don't need to brute force.
Some poorly secured systems don't implement rate limiting. At 10 guesses per second, simple passwords fall within minutes to hours. This scenario models APIs, admin panels, or legacy systems that lack proper brute-force protection.
When a database is breached and password hashes are stolen, attackers crack them offline without any rate limits. Slow hashing algorithms (bcrypt, scrypt, Argon2) intentionally slow down cracking to ~10,000 hashes/second. This is why websites should use bcrypt — it makes even moderately strong passwords take years to crack.
Poorly secured systems use fast hashes (MD5, SHA1, unsalted SHA256) that can be cracked at billions of attempts per second on consumer GPU hardware. At 10 billion/second, an 8-character password with full character set falls in under an hour. This is why MD5 password storage is catastrophically insecure.
Our built-in password generator creates cryptographically strong random passwords based on your specifications. Here's how to use it effectively:
1. Set Password Length
Choose a length between 6 and 128 characters. For most accounts, 16 characters is a good minimum. For high-security accounts (banking, email, password managers), use 20+ characters.
2. Select Character Types
Check the character types you want included: Uppercase (A–Z), Lowercase (a–z), Numbers (0–9), Symbols (!@#$%^&*). Including all four character types maximizes entropy and strength. Only exclude types if a specific website's rules require it.
3. Generate and Review
Click 'Generate Password' to create a random password. The strength meter immediately analyzes the generated password. If the strength score is below 3 (Strong), increase the length or add more character types and regenerate.
4. Copy to Your Password Manager
Click 'Copy' to copy the generated password to your clipboard, then paste it immediately into your password manager (1Password, Bitwarden, Dashlane, LastPass, etc.). Never type generated passwords from memory — that defeats the purpose of random generation.
No. All password analysis runs entirely in your browser using the zxcvbn JavaScript library. Your password is never transmitted over the internet, never logged, and never visible to anyone but you. The page processes your input locally — there are no API calls made when you type.
We use zxcvbn, developed by Dropbox security researchers and released as open source. It analyzes passwords by pattern matching against 30,000+ common passwords, 100,000+ common English words, common names, popular patterns (qwerty, keyboard walks), years, and date patterns. It also penalizes common character substitutions and repetition. The result is a score from 0–4 with realistic crack time estimates.
Security recommendations have evolved significantly. The NIST Special Publication 800-63B (2017) recommends passwords of at least 8 characters, but modern best practice suggests 12–16 characters minimum for typical accounts, and 20+ characters for critical accounts like email, banking, and password managers. Length is the single most impactful factor in password strength — every additional character exponentially increases cracking difficulty.
A truly random 12-character password using all character types has approximately 79 bits of entropy and would take trillions of years to crack with an offline fast-hash attack. However, 'random' is key — 'P@ssword12!' has only 12 characters but is trivially weak because it follows predictable patterns. Use our generator to create genuinely random passwords.
You can add words that you don't want in your password — your name, company name, pet names, hometown, sports teams, etc. These words are passed to zxcvbn as additional known patterns, so the strength estimate correctly penalizes passwords containing them. This gives you a more accurate strength estimate tailored to your personal risk profile.
Yes — absolutely. Password managers (1Password, Bitwarden, Dashlane, KeePass, Apple Keychain, Google Password Manager) allow you to use a different, fully random password for every account without memorizing them. They also warn you about reused, weak, and compromised passwords. Using our generator to create passwords and storing them in a password manager is the gold standard for personal account security.
Entropy (measured in bits) quantifies how unpredictable a password is. Each additional bit of entropy doubles the number of guesses required to crack the password. A password with 40 bits of entropy requires about 1 trillion guesses to crack. Our tool displays entropy as a log10 guesses estimate — a value of 10 means 10^10 (10 billion) guesses required.
A passphrase of 4–5 random common words (e.g. 'correct-horse-battery-staple') has high entropy due to length while being more memorable than random character strings. At 20+ characters, a random passphrase can be stronger than a shorter complex password. The key word is 'random' — personally meaningful phrases ('ilovemydog2019') are much weaker than truly random word combinations.