Home Free Tools Security Tools Password Strength Checker
100% Free

Password Strength Checker

Check how strong your password is with entropy analysis, crack time estimates, and specific improvement suggestions. Analysis runs in your browser — nothing is stored or transmitted.

Enter a password to check its strength
⚠ This is a very commonly used password — it would be cracked almost instantly.
Length
Entropy (bits)
Est. Crack Time
Suggestions

    Frequently Asked Questions

    What does password entropy mean?

    Entropy measures how unpredictable a password is, expressed in bits. Each bit doubles the number of possible values an attacker must try. A password with 40 bits of entropy means roughly 1 trillion (2^40) possible combinations. Adding more character types expands the pool each character is drawn from — a password using only lowercase letters has 26 options per character (about 4.7 bits), while one using all four character types has 95 options per character (about 6.5 bits). Length and variety together determine entropy, but length has the larger impact.

    How does crack time estimation work?

    Crack time estimates assume an offline attack where an attacker has obtained a hashed password database and is testing guesses at maximum speed. Modern GPU rigs can test billions of simple hashes per second — 10 billion per second is a conservative baseline for MD5. The estimate divides the total number of possible passwords (2^entropy) by the attack speed to get seconds, then converts to a human-readable duration. Real-world crack times vary based on the hashing algorithm used — bcrypt or Argon2 slow attackers to thousands of guesses per second, making even moderate passwords very secure.

    Why is "password123" considered weak even though it has numbers?

    Password strength comes from unpredictability, not just the presence of character types. "password123" appears in virtually every password breach dictionary because millions of people use it. Automated cracking tools don't just try random combinations — they start with known compromised passwords, common words, and simple substitutions. A password like "password123" would be cracked in seconds not through brute force, but through a dictionary attack. True strength requires randomness, length, and no recognizable patterns — which is why randomly generated passwords of 16+ characters from all character types are so much more resistant.