Password Strength Checker

Instantly analyze password strength, security risks, crack time estimates, and safety recommendations using advanced password analysis.


Secure Password Generator

Runs locally in your browser and draws every character from the browser's CSPRNG (window.crypto.getRandomValues); nothing is sent to a server.

Character sets: uppercase A–Z, lowercase a–z, numbers 0–9, symbols !@#$%

Exclude ambiguous characters: skip 0/O, 1/l/I, |, quotes, and brackets that look alike.

Password Security, Explained

What makes a password strong?

Three properties: length, randomness, and uniqueness. A 16+ character string drawn uniformly from a wide alphabet has so many possible combinations that even an attacker making a billion guesses per second would need many millions of years. Predictable substitutions (P@ssw0rd) add almost no real entropy, because cracking tools apply exactly those substitution rules automatically.

How hackers crack passwords

Modern attacks rarely guess at the login page itself, where rate limits and lockouts apply. Instead, an attacker steals a database of hashed passwords, runs offline brute-force, dictionary, and rule-based attacks on GPUs, and tries the recovered passwords against hundreds of other sites in a process called credential stuffing. How fast the offline stage goes depends on the hash: a fast, unsalted hash like MD5 falls orders of magnitude quicker than a slow, salted one like bcrypt or Argon2.

What is password entropy?

Entropy is measured in bits and represents the unpredictability of a password: each additional bit doubles the work an attacker must do. As rough guides, 40 bits is breakable, 60 bits is solid, 80 bits is comfortable for most accounts, and 100+ bits is more than enough. Those thresholds assume the site stores a slow, salted hash; against a fast hash, a GPU farm at 100 billion guesses per second exhausts a 60-bit space in about four months. Entropy depends on how the password was generated, not on how it looks: a dictionary word is one choice from a list of perhaps 100,000 entries, about 17 bits, no matter how many letters it has.

Common password mistakes

Using personal information (names, birthdays, pet names), keyboard patterns (qwerty, 123456), single-word passwords, dictionary words with simple substitutions, or, most catastrophically, re-using the same password across multiple sites. Each of these cuts the real entropy by orders of magnitude, because cracking tools try exactly these patterns first.

Why password reuse is dangerous

When a single site is breached and your password is leaked, attackers automatically test that same email/password pair against hundreds of services in seconds. One leaked password on a niche forum can quietly unlock your email, bank, and cloud accounts within hours.

Best password practices

Use a password manager to generate and store a unique 20+ character password per account, turn on two-factor authentication everywhere, and adopt passkeys when offered. Memorize only two passwords: your password manager master and your device login.

How password managers help

Password managers generate, store, and autofill cryptographically strong passwords behind a single master password or biometric. They also alert you to weak, reused, or breached passwords across your vault, and let you sync securely across devices via end-to-end encryption.

What is MFA / 2FA?

Multi-factor authentication requires a second proof of identity beyond your password: a one-time code from an authenticator app, a hardware key such as a YubiKey or Titan key, or a passkey. A leaked password alone is then not enough to log in. Hardware keys and passkeys are the strongest options because they are phishing-resistant; app-based TOTP codes are a solid middle ground but can be relayed through a real-time phishing page; SMS codes are the weakest.

What are passkeys?

Passkeys replace the password with a public/private key pair. The private key stays in your device's credential manager and is never sent to the site, which stores only the public key. Because each login signature is bound to the site's origin, a look-alike phishing domain cannot obtain a valid signature, which is what makes passkeys phishing-resistant by design. They are supported by Apple, Google, Microsoft, and a growing list of services through the WebAuthn / FIDO2 standards.

How long should passwords be?

16+ characters for human-typed passwords; 20–32 for manager-generated ones. NIST SP 800-63B explicitly favours length over forced complexity rules and supports passphrases: random 4–6 word combinations can reach 70–90 bits of entropy while remaining typeable. The word list matters: each word drawn at random from the 7,776-word EFF long list contributes about 12.9 bits, so six such words give roughly 77 bits, whereas words you pick yourself contribute far less.

Strong vs weak passwords

A weak password (short, dictionary-based, reused) falls within seconds to minutes against a modern GPU. A strong password (16+ random characters from mixed classes, unique to that account) takes centuries. The gap is not linear: each extra random character multiplies the attacker's workload by the size of the alphabet.

How this checker protects privacy

Every analysis runs entirely in your browser using JavaScript. The password you type never leaves the page: there is no API call, no logging, and no analytics on the input. The password generator draws from the browser's built-in window.crypto, the same CSPRNG the browser uses for TLS keys.

How Entropy Is Calculated

Search Space

S = C^L

Where C is the alphabet size (e.g. 95 for printable ASCII) and L is the password length. Every extra character multiplies the search space by C.

Entropy (bits)

H = L × log₂(C)

Raw entropy of a uniformly random password. A 12-character password from 95 symbols ≈ 79 bits (12 × 6.57). Penalties apply for dictionary words, sequences, repeats, and known-leaked passwords.

Crack Time

T = 2^H ÷ rate

Where rate is guesses per second for the attacker model (CPU ~1M, GPU farm ~100B, AI-tuned ~1T). The result is the worst-case time to exhaust the whole search space; on average the attacker finds the password about halfway through, so the expected time is half of that. These rates assume a fast, unsalted hash; against bcrypt or Argon2 they drop to thousands of guesses per second.
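The three formulas above, worked through in JavaScript as an added example (this is not the checker's own source code). The attacker rates are the page's three models plus an assumed bcrypt figure of 10,000 guesses per second for a slow, salted hash; the passphrase figure uses the 7,776-word EFF long list; function names such as analyze and humanTime are this example's own:

```javascript
// Added example, not the checker's own source: the search-space, entropy and
// crack-time formulas from the methodology section, plus the passphrase figure
// from "How long should passwords be?". The first three attacker rates are the
// page's own models; the bcrypt rate is an assumed illustrative value.

// Character classes and their sizes; together they cover the 95 printable ASCII
// characters (space and the 32 punctuation marks form the "symbols" class).
const CLASSES = [
  [/[a-z]/, 26],
  [/[A-Z]/, 26],
  [/[0-9]/, 10],
  [/[^a-zA-Z0-9]/, 33],
];

// Alphabet size C: the sum of every class the password actually uses.
function charsetSize(password) {
  return CLASSES.reduce((c, [re, n]) => (re.test(password) ? c + n : c), 0);
}

// S = C^L. BigInt keeps 95^32 (about 2^210) exact instead of rounding in a double.
function searchSpace(C, L) {
  return BigInt(C) ** BigInt(L);
}

// H = L × log2(C): raw entropy of a uniformly random password.
function entropyBits(C, L) {
  return L * Math.log2(C);
}

// Passphrases: words × log2(list size), e.g. 7776 words in the EFF long list.
function passphraseBits(words, listSize) {
  return words * Math.log2(listSize);
}

// Guesses per second for each attacker model.
const ATTACKER_MODELS = {
  "CPU": 1e6,
  "GPU farm (fast hash)": 1e11,
  "AI-tuned (fast hash)": 1e12,
  "GPU farm vs bcrypt (assumed)": 1e4,
};

// T = 2^H ÷ rate: time to exhaust the whole space (worst case). On average the
// password is found about halfway through, so the expected time is half of that.
function crackTimeSeconds(H, rate, expected = false) {
  const total = 2 ** H / rate;
  return expected ? total / 2 : total;
}

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

function humanTime(seconds) {
  if (seconds < 1) return "instant";
  if (seconds < 60) return `${seconds.toFixed(0)} seconds`;
  if (seconds < 3600) return `${(seconds / 60).toFixed(0)} minutes`;
  if (seconds < 86400) return `${(seconds / 3600).toFixed(0)} hours`;
  if (seconds < SECONDS_PER_YEAR) return `${(seconds / 86400).toFixed(0)} days`;
  const years = seconds / SECONDS_PER_YEAR;
  return years > 1e9 ? "over a billion years" : `${years.toExponential(1)} years`;
}

// Raw analysis of one password across all attacker models.
function analyze(password) {
  const C = charsetSize(password);
  const H = entropyBits(C, password.length);
  const crackTime = {};
  for (const [model, rate] of Object.entries(ATTACKER_MODELS)) {
    crackTime[model] = humanTime(crackTimeSeconds(H, rate));
  }
  return { length: password.length, charset: C, bits: Number(H.toFixed(1)), crackTime };
}

// Constructed sample inputs.
console.log(analyze("Tr0ub4dor&3"));                              // 11 chars, 4 classes, 72.3 bits
console.log(`6 EFF words ≈ ${passphraseBits(6, 7776).toFixed(1)} bits`); // 77.5 bits
```

Running it shows why the hash matters as much as the password: a 60-bit password survives about 133 days against the fast-hash GPU farm but roughly 3,600 years against the assumed bcrypt rate, from the same 2^60 guesses.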

Built for everyone setting a new password — from individual users to security teams.

Methodology aligned with NIST SP 800-63B and OWASP password guidance — see our methodology and editorial policy. Educational only — pair with a password manager, MFA, and passkeys for production-grade security.

Frequently Asked Questions

What is a password strength checker?

A password strength checker is a tool that estimates how resistant a given password is to modern cracking attacks. It analyzes length, character variety, dictionary words, reused patterns, keyboard sequences, and known-leaked passwords to produce a strength rating, an entropy score, and an estimated crack time across several attacker models. This tool runs entirely client-side: the password you type never leaves your browser.

How is password strength calculated?

Strength is computed from the password's effective entropy, the base-2 logarithm of the number of guesses an attacker would have to make. Raw entropy equals length × log₂(charset). Penalties are then applied for dictionary words, repeated patterns, keyboard runs, common substitutions, dates, and inclusion in known breach lists, each of which lets an attacker cover that part of the password with far fewer guesses than its raw character count suggests. The final score combines raw entropy with these structural penalties.
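An added example, not the checker's scoring code, of how structural penalties turn raw entropy into effective entropy. The mini wordlist, leet table, keyboard rows and per-pattern bit charges are assumptions for illustration: a dictionary hit is charged log₂(100,000) bits, as if drawn from a real cracking list, plus one bit per leet substitution; a keyboard run is charged its starting key, direction and length; a repeated character is charged once plus its run length:

```javascript
// Added example, not the checker's own scoring code: an "effective entropy"
// estimator that charges a structural pattern for the guesses it really costs
// instead of its per-character raw entropy. The wordlist, leet table, keyboard
// rows and per-pattern bit charges below are assumed for illustration.

const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
// Constructed mini-dictionary; a real checker loads tens of thousands of words.
const WORDS = ["password", "welcome", "dragon", "monkey", "letmein", "qwerty", "summer"];
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
// A dictionary hit is charged as one pick from a ~100,000-word cracking list.
const DICT_BITS = Math.log2(100000);
// A keyboard run is charged for its starting key and direction (plus length below).
const ROW_BITS = Math.log2(KEYBOARD_ROWS.join("").length * 2);

const CLASSES = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 33]];
const charsetSize = p => CLASSES.reduce((c, [re, n]) => (re.test(p) ? c + n : c), 0);
const rawBits = p => p.length * Math.log2(charsetSize(p));

// Per-character leet reversal; length-preserving so positions line up.
const unleet = s => [...s].map(ch => LEET[ch] ?? ch).join("");

// Longest dictionary word starting at position i of the lowercased password,
// matched through leet substitutions; each substitution costs one extra bit.
function dictMatch(lower, i) {
  let best = null;
  for (const w of WORDS) {
    const slice = lower.slice(i, i + w.length);
    if (slice.length === w.length && unleet(slice) === w && (!best || w.length > best.length)) {
      const subs = [...slice].filter((ch, k) => ch !== w[k]).length;
      best = { length: w.length, bits: DICT_BITS + subs };
    }
  }
  return best;
}

// Longest run (3 keys or more) along a keyboard row in either direction.
function keyboardRun(lower, i) {
  let best = 0;
  for (const row of KEYBOARD_ROWS) {
    for (const r of [row, [...row].reverse().join("")]) {
      let n = 3;
      while (i + n <= lower.length && r.includes(lower.slice(i, i + n))) {
        best = Math.max(best, n);
        n++;
      }
    }
  }
  return best ? { length: best, bits: ROW_BITS + Math.log2(best) } : null;
}

// Three or more identical characters in a row: one character plus the run length.
function repeatRun(lower, i, perChar) {
  let n = 1;
  while (i + n < lower.length && lower[i + n] === lower[i]) n++;
  return n >= 3 ? { length: n, bits: perChar + Math.log2(n) } : null;
}

// Walk the password; a recognised pattern is charged its pattern cost, every
// other character its raw per-character cost. Never exceed the raw figure.
function effectiveBits(password) {
  const perChar = Math.log2(charsetSize(password));
  const lower = password.toLowerCase();
  let bits = 0;
  for (let i = 0; i < lower.length; ) {
    const m = dictMatch(lower, i) ?? keyboardRun(lower, i) ?? repeatRun(lower, i, perChar);
    bits += m ? m.bits : perChar;
    i += m ? m.length : 1;
  }
  return Math.min(rawBits(password), bits);
}

// Constructed samples: equal length, very different real strength.
for (const p of ["P@ssw0rd", "qwerty123", "k9#Vq2!mZp"]) {
  console.log(p, "raw", rawBits(p).toFixed(1), "effective", effectiveBits(p).toFixed(1));
}
```

P@ssw0rd scores about 52.6 raw bits but only 18.6 effective bits, because the whole string is one dictionary word with two substitutions; the random-looking k9#Vq2!mZp keeps its full raw entropy because no pattern matches. A production checker adds breach-list lookups and date detection on top of this, but the accounting is the same.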

What makes a password strong?

Three things, in order of importance: length, randomness, and uniqueness. Length defeats brute force; randomness defeats dictionary and pattern attacks (predictable substitutions like P@ssw0rd! add almost no real entropy); uniqueness defeats credential stuffing, since a strong password is worthless if reused on a site that gets breached. A password manager solves all three, and pairing the password with MFA or a passkey neutralises most of the remaining risk.

How long should a password be?

For human-memorised passwords, aim for 16+ characters with mixed case, numbers, and symbols. For machine-generated, manager-stored passwords, 20–32 characters is the modern default. NIST SP 800-63B explicitly favours length over forced complexity rules and supports passphrases of 4–6 random words, which can reach 70–90 bits of entropy while still being typeable.

What is password entropy?

Entropy is a measure of unpredictability, expressed in bits. Each extra bit doubles the work an attacker must do. 40 bits is breakable by a determined attacker; 60 bits is solid; 80+ bits is comfortable for high-value accounts; 100+ bits is overkill. The bit count assumes the attacker knows your generation method: building the password around a dictionary word collapses the effective entropy regardless of the headline length.

Can a strong password still be cracked?

Given enough time and resources, any password is theoretically crackable, but strong passwords push the timeline beyond any practical window. A truly random 16-character password with mixed character classes would take a high-end GPU cluster centuries to brute-force. The realistic threat to strong passwords is not brute force: it is credential reuse, phishing, malware-installed keyloggers, and server-side breaches where the password is stolen in cleartext or protected only by a weak hash.

Are password generators safe to use?

Yes, when they use a cryptographically secure random number generator (CSPRNG) and run locally. This tool uses the browser's built-in window.crypto.getRandomValues, the same generator browsers use for TLS keys. The generated password never touches the network. Avoid generators that send your password to a server or that use Math.random, which is not cryptographically secure.

What is a brute force attack?

A brute force attack tries every possible combination of characters until it finds the password. Modern attackers use GPUs that can guess 10–100 billion passwords per second against fast hashes like MD5 or SHA-1, dropping to thousands per second against slow, salted hashes like bcrypt or Argon2. Brute force is the dominant threat for short passwords; for longer passwords, attackers switch to dictionary attacks, hybrid attacks, and credential stuffing using leaked password lists.

Is it safe to reuse a password?

No. Password reuse is the single most exploited weakness on the internet. When one site is breached, attackers automatically try the same email and password on hundreds of other services in a process called credential stuffing. A password manager lets you have a unique, random password per site with one master password or biometric to unlock the vault. Reusing even one password across high-value accounts (email, bank, cloud) creates a single point of catastrophic failure.

What is two-factor authentication (2FA)?

Two-factor authentication (2FA, also called multi-factor authentication or MFA) adds a second proof of identity beyond your password: typically a one-time code from an authenticator app, a hardware security key (YubiKey, Titan), a passkey, or, in its weakest form, an SMS code. Even if an attacker steals your password through a breach or phishing, they cannot log in without that second factor. Passkeys are emerging as a phishing-resistant replacement for passwords entirely.