LIVE NEWSROOM · --:-- · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS


Password Strength Tester

Grade a password for entropy, character variety, dictionary words, and common patterns. Pure JavaScript — the password never leaves your browser.

Lives only in your browser tab. We never send the password anywhere.

    What it does

    Password strength has two components: entropy (the mathematical difficulty of a brute-force guess given charset and length) and predictability (whether common patterns make the password easier to find than its entropy alone suggests). Our tester computes both: entropy from charset size and length, and pattern detection (dictionary words, keyboard walks, sequential digits, year mentions, top-1000 leaked-password matches). It also estimates time-to-crack at three threat tiers — online (rate-limited 1k guesses/sec), offline-fast (10B/sec, a modest GPU), and offline-GPU-farm (1T/sec, a serious adversary like a state actor or top-tier ransomware crew).
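
The two components described above, as an added example; this is not the site's published reference algorithm. The word list, keyboard rows, four-character walk length, and the average-case (half the keyspace) crack-time convention are assumptions made for illustration.

```javascript
// Added illustration, not the site's reference algorithm. Rates are the page's three tiers.
const TIERS = { online: 1e3, offlineFast: 1e10, gpuFarm: 1e12 };
// Constructed stand-in for a dictionary / leaked-password list (assumption).
const COMMON = ["password", "qwerty", "letmein", "dragon", "admin"];
const ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const YEAR = 365 * 24 * 3600;

// Effective charset size: sum of the character classes actually present.
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII symbols incl. space
  return n;
}

// Raw brute-force entropy in bits: length * log2(charset size).
function entropyBits(pw) {
  const n = charsetSize(pw);
  return n ? pw.length * Math.log2(n) : 0;
}

// Undo common substitutions so "P@ssw0rd" still matches "password".
function deleet(pw) {
  const map = { "@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i" };
  return pw.toLowerCase().replace(/[@013$5!]/g, c => map[c]);
}

// True if any 4-character run of a keyboard row (or the digit row) appears.
function hasWalk(lower) {
  return ROWS.some(row => [...row].some((_, i) => i + 4 <= row.length && lower.includes(row.slice(i, i + 4))));
}

function findIssues(pw) {
  const issues = [];
  if (COMMON.some(w => deleet(pw).includes(w))) issues.push("dictionary word");
  if (hasWalk(pw.toLowerCase())) issues.push("keyboard walk or digit sequence");
  if (/(?:19|20)\d{2}/.test(pw)) issues.push("year");
  return issues;
}

// Combine both components; crack times are expected seconds (half the keyspace) per tier.
function assess(pw) {
  const bits = entropyBits(pw);
  const issues = findIssues(pw);
  const crack = Object.fromEntries(Object.entries(TIERS).map(([tier, rate]) => [tier, 2 ** (bits - 1) / rate]));
  // Any detected pattern means raw entropy overstates strength; under a year at GPU-farm rates also fails.
  return { bits, charset: charsetSize(pw), issues, crack, replace: issues.length > 0 || crack.gpuFarm < YEAR };
}
```

Calling `assess("qwerty2024")` reports about 52 bits of raw entropy together with three issues, which is why the issues list matters more than the entropy figure alone.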


    How to use it

    1. Type or paste the password. It’s graded as you type.
    2. Read the score (0–100), grade (Very Weak → Excellent), entropy in bits, and effective charset size.
    3. Review the "Issues" list — each issue lowers the effective strength below raw entropy.
    4. Check the three time-to-crack tiers: anything cracking in under a year at GPU-farm rates needs replacement.

    Common use cases

    Personal password audit: Test your current passwords. If any score below 75, change them and route through a password manager.
    Policy compliance check: NIST 800-63B specifies ≥ 8 chars if screened, ≥ 12 if not. Use our score + issues list as a "screen" before accepting a password.
    User-onboarding form: Embed the same scoring approach in your own signup forms (we publish the reference algorithm).
    Security awareness training: Show colleagues how their "clever" passwords actually compare to attacker capabilities.

    Frequently asked questions

    Is my password sent anywhere?
    No. All scoring runs in your browser tab. To verify, open the Network panel — there are no outbound requests from this page.
    What entropy do I need?
    For a screened password (no leaks, no common patterns), ≥ 50 bits resists 10-year offline cracking at 10B guesses/sec. For high-value accounts, target ≥ 80 bits or use a Diceware passphrase.
    Why doesn’t adding "!" make it strong?
    Substituting common patterns (P@ssw0rd!) doesn’t fool attackers — every cracker tries those rules first. Length + true randomness wins over symbol-substitution.
    Should I memorize a long password or use a manager?
    Use a manager. Memorize ONE strong passphrase (Diceware works well) for your manager’s vault; let the manager generate 30+ char random passwords for everything else.


    Free for everyone, no signup required. Tool runs at /tools/password-strength/ — bookmark or share.
