Password Strength Analyzer

Check password entropy and estimated crack time

How to use

Type or paste a password to instantly see its strength rating, entropy bits, estimated crack time, and character diversity breakdown. The analyzer checks for common patterns, dictionary words, and keyboard sequences. All analysis runs entirely in your browser. Your password is never sent to any server.

Formula

H=L×log2(R)where L=length,  R=charset sizeH = L \times \log_2(R) \quad \text{where } L = \text{length}, \; R = \text{charset size}

Examples

Weak password analysis

The password "password123" has 52.6 bits of entropy but is detected as a common pattern. Effective entropy drops to 26.3 bits, making it crackable in under a second by a modern GPU cluster.

Strong random password

A 16-character random password like "X#9kL$mN7pQ@rT2v" with mixed case, digits, and symbols has 105 bits of entropy. Estimated crack time: trillions of years at 10 billion guesses per second.

Passphrase approach

"correct-horse-battery-staple-2024!" is 35 characters with 198 bits of entropy. Passphrases are easy to remember and extremely hard to crack. Four or more random words with a separator and a number is an excellent strategy.

Frequently asked questions

How is password entropy calculated?

Entropy measures the randomness of a password in bits. It equals the password length multiplied by log base 2 of the character set size. A password using lowercase (26) + uppercase (26) + digits (10) + symbols (33) = 95 possible characters. Each character adds log2(95) = 6.57 bits of entropy. A 12-character password from this set has about 79 bits.

What does the crack time estimate mean?

The crack time assumes an attacker using a modern GPU cluster capable of 10 billion password guesses per second (achievable with 8 high-end GPUs running hashcat). On average, an attacker needs to try half the keyspace to find your password. Real-world crack times depend on the hashing algorithm: bcrypt is much slower to crack than MD5.

Is my password sent to a server?

No. This tool runs entirely in your browser using JavaScript. Your password never leaves your device. You can verify this by disconnecting from the internet and using the tool offline. We never collect, store, or transmit passwords.

What makes a password strong?

Length is the single most important factor, followed by character diversity and randomness. A 20-character lowercase passphrase (94 bits) is stronger than an 8-character password with all character types (52 bits). Avoid dictionary words, names, dates, keyboard patterns (qwerty), and repeated characters. Use a password manager to generate and store unique passwords.

Are passphrases better than random passwords?

Passphrases (4+ random words like "correct-horse-battery-staple") are excellent because they are both strong and memorable. A 4-word passphrase from a 7,776-word list has about 51 bits of entropy. Adding separators, numbers, or a fifth word pushes it much higher. The key is that the words must be truly random, not a meaningful phrase.

About this tool

Analyze your password strength with entropy calculation, estimated crack time, and character diversity scoring. Get suggestions to make your passwords stronger.

All calculations are performed locally in your browser. Your data never leaves your device.

Related tools

Password Generator

Generate strong random passwords instantly

Popular
All Everyday Life tools