Password Strength Checker

Check any password against 8 security criteria. See your score, crack time estimate, and entropy bits instantly -- all in your browser, nothing ever sent to a server.

Free Tool

Quick Answer

What makes a password strong?

A strong password has at least 12 characters and uses uppercase letters, lowercase letters, numbers, and special symbols. Avoid dictionary words and common patterns like 123 or qwerty. A 16-character random password scores Very Strong and would take centuries to crack with modern hardware.

Password Strength Checker

All analysis happens in your browser -- your password is never sent anywhere

Enter a password above

Criteria checklist

8+ characters
12+ characters
16+ characters
Uppercase letters (A-Z)
Lowercase letters (a-z)
Numbers (0-9)
Special characters (!@#...)
No common patterns

Your password is never stored or transmitted. All analysis runs locally in your browser.

About this tool

This tool analyzes any password against eight security criteria: three length thresholds, four character type checks (uppercase, lowercase, numbers, special characters), and a common pattern detector. Each criterion earns one point out of eight, and the score maps to a strength label from Very Weak to Very Strong. You also see an estimated crack time, an entropy score in bits, and an option to generate a cryptographically random 16-character password. Everything runs entirely in your browser -- your password never leaves your device.

The tool is useful for anyone creating a new account and wanting to verify their password meets modern security standards, developers testing password strength requirements in their applications, security teams auditing internal policies, and individuals checking whether existing passwords are strong enough to keep. The built-in generator uses the Web Crypto API to create genuinely random passwords that pass all eight criteria by default.

How it works

  1. 1

    Type or paste your password

    Enter any password into the input field. Use the eye icon to toggle visibility. Stats update in real time with every keystroke.

  2. 2

    Review your strength score

    Your score out of 8 and the color-coded bar update instantly. Red means Very Weak, orange is Weak, yellow-green is Strong, and emerald is Very Strong.

  3. 3

    Check the criteria list

    The checklist shows exactly which of the 8 criteria your password meets with green checks and which it fails with red Xs. Use this to target specific improvements.

  4. 4

    Generate a better password if needed

    Click Generate Strong Password to create a random 16-character password with all character types. It is automatically copied to your clipboard.

Password strength criteria

CriterionPointsWhy it matters
8+ characters+1Absolute minimum to avoid instant brute force attacks
12+ characters+1Recommended minimum for most accounts by security experts
16+ characters+1Ideal for high-value accounts like email and banking
Uppercase letters (A-Z)+1Expands the character set from 26 to 52 possible characters
Lowercase letters (a-z)+1Required for full coverage of the letter character set
Numbers (0-9)+1Expands the character set to 62 possible characters
Special characters (!@#...)+1Expands the character set to 95, the largest possible set
No common patterns+1Blocks dictionary and pattern-based attacks like 123 or qwerty

Common password mistakes

MistakeWhy it is weakBetter alternative
Dictionary words (password, welcome)In every cracking wordlist, cracked in millisecondsRandom unrelated character sequence
Letter substitutions (p@ssw0rd)Still in modern dictionaries, highly predictableTruly random mix of all character types
Personal information (name, birthday)Guessable from public profiles or social mediaRandom characters with no personal meaning
Short passwords (under 8 characters)Brute forced in under a second on modern hardwareMinimum 12 characters for any real security
Sequential patterns (123456, qwerty)First tested in any automated attackRandom sequence with no keyboard pattern
Reusing passwords across accountsOne data breach exposes all your other accountsUnique password for every account you own

Frequently asked questions

What makes a password strong?
A strong password has at least 12 characters and combines uppercase letters, lowercase letters, numbers, and special symbols. It avoids dictionary words, common patterns like 123 or qwerty, and personal information. A 16-character random password with all four character types is extremely difficult to crack.
How long does it take to crack a password?
A simple 8-character lowercase password can be cracked in under a second with modern hardware. A 12-character password with mixed characters takes months. A 16-character password using all character types would take centuries even with the most powerful computers available today.
What is password entropy?
Password entropy measures unpredictability in bits. It is calculated as log2 of the character set size raised to the power of password length. Higher entropy means more possible combinations. A password with 60+ bits of entropy is considered strong. 80+ bits is very strong and resistant to brute force attacks.
Is my password safe to enter here?
Yes. This tool runs entirely in your browser using JavaScript. Your password is never sent to any server, stored in any database, or transmitted over the internet. You can verify this by disconnecting from the internet and the tool will still work.
What are common password mistakes to avoid?
Common mistakes include using dictionary words, replacing letters with predictable numbers (a to 4, e to 3), using personal information like birthdays or names, reusing passwords across sites, and using patterns like 123456 or qwerty. All of these are tested by common password cracking tools.
How often should I change my password?
Current NIST guidelines (2024) recommend changing passwords only when there is evidence of compromise, not on a fixed schedule. Frequent mandatory changes often lead to weaker passwords. Instead, focus on using a unique strong password for every account and enabling two-factor authentication.
What is the difference between a password manager and this tool?
This tool checks the strength of a password you already have or are considering. A password manager stores and generates passwords for you, auto-fills login forms, and alerts you to reused or compromised passwords. Both serve different purposes and are complementary security tools.
How many characters should a password be?
NIST recommends a minimum of 8 characters but security experts recommend 12 to 16 characters for most accounts and 20 or more for high-value accounts like email, banking, and password managers. Length is the single most effective factor in password security.

Related guides

Related tools