Password Strength Checker
Test how strong your password is. See estimated crack time, entropy, and get actionable suggestions. Nothing leaves your browser.
Password strength is primarily measured in bits of entropy — a mathematical measure of randomness. Higher entropy means more possible combinations an attacker must try. A truly random password's entropy is calculated as: entropy = length × log₂(pool_size)
However, real-world password strength depends on more than just character count. Our checker also analyzes patterns (keyboard walks, repeated characters), common substitutions (@ for a, 3 for e), dictionary words, and known breached passwords to give a more realistic strength estimate.
| Entropy | Combinations | GPU Crack Time | Rating | Example |
|---|---|---|---|---|
| 20 bits | 1 million | < 1 second | Instant | 4-digit PIN |
| 35 bits | 34 billion | 3.4 seconds | Weak | 6-char lowercase |
| 50 bits | 1.1 quadrillion | 1.3 days | Fair | 8-char mixed case |
| 65 bits | 3.7 × 10¹⁹ | 117 years | Strong | 10-char alphanumeric |
| 80 bits | 1.2 × 10²⁴ | 3.8M years | Excellent | 14-char all types |
| 128 bits | 3.4 × 10³⁸ | 10²⁰ years | Overkill | 20-char random |
GPU crack times assume 10 billion guesses/sec (hashcat with MD5/SHA-1). Bcrypt/Argon2 hashing makes these 10,000x–100,000x slower.
Using real words — even obscure ones — drastically reduces entropy. Attackers use dictionaries with millions of words, names, and phrases. "sunshine", "monkey", and "shadow" are in every cracking wordlist.
Replacing 'a' with '@', 'e' with '3', 'o' with '0' feels clever but adds almost zero security. Cracking tools apply these substitution rules automatically. "P@ssw0rd" is no stronger than "Password".
"qwerty", "asdfgh", "zxcvbn", "1qaz2wsx" — these patterns are in every attacker's ruleset. Even diagonal patterns like "qazwsx" are well-known and tested early in any attack.
Names, birthdays, pet names, sports teams, and cities are the first things targeted attackers try. Social media makes this information trivially available. Never use anything personally identifiable.
| Character Set | Pool Size | Bits/Char | 8-Char Entropy | 12-Char Entropy |
|---|---|---|---|---|
| Digits only | 10 | 3.3 | 26.6 bits | 39.9 bits |
| Lowercase | 26 | 4.7 | 37.6 bits | 56.4 bits |
| Mixed case | 52 | 5.7 | 45.6 bits | 68.4 bits |
| Alphanumeric | 62 | 5.95 | 47.6 bits | 71.5 bits |
| All printable ASCII | 95 | 6.57 | 52.6 bits | 78.8 bits |
These are theoretical maximums for truly random passwords. Real passwords with patterns, words, or repetition have significantly less effective entropy.
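The formula and the pattern checks described above, as an added JavaScript example (not this tool's own code): it computes the theoretical entropy and the exhaustive crack time at the page's 10 billion guesses/sec, then flags the patterns that make that figure an overestimate. The function names and the short word and keyboard-walk lists are assumptions, built from the examples quoted on this page.

```javascript
// Added example: the rate and substitutions come from the page; the word and
// walk lists are tiny constructed samples, not a real cracking dictionary.
const GUESSES_PER_SEC = 1e10; // page's GPU assumption (MD5/SHA-1)
const WORDS = ["password", "sunshine", "monkey", "shadow"];
const WALKS = ["qwerty", "asdfgh", "zxcvbn", "1qaz2wsx", "qazwsx"];
const LEET = { "@": "a", "3": "e", "0": "o" };

// Pool size = sum of the character classes actually present (95 at most).
function poolSize(pw) {
  let pool = 0;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  // Anything else is counted as the 33 printable ASCII symbols (incl. space).
  if (/[^0-9a-zA-Z]/.test(pw)) pool += 33;
  return pool;
}

// entropy = length × log2(pool_size): an upper bound, valid only if random.
function theoreticalBits(pw) {
  const pool = poolSize(pw);
  return pool ? pw.length * Math.log2(pool) : 0;
}

// Seconds to exhaust the keyspace; slowdown models bcrypt/Argon2 (e.g. 1e4).
function crackSeconds(bits, slowdown = 1) {
  return (2 ** bits / GUESSES_PER_SEC) * slowdown;
}

// Undo the substitutions the page lists, the way cracking rules do.
function deLeet(pw) {
  return pw.toLowerCase().replace(/[@30]/g, (c) => LEET[c]);
}

// Reasons the theoretical figure overstates the real strength.
function findWeaknesses(pw) {
  const lower = pw.toLowerCase();
  const found = [];
  if (WORDS.some((w) => lower.includes(w))) found.push("dictionary word");
  else if (WORDS.some((w) => deLeet(pw).includes(w))) found.push("leet substitution of a dictionary word");
  if (WALKS.some((k) => lower.includes(k))) found.push("keyboard walk");
  if (/(.)\1{2,}/.test(pw)) found.push("repeated characters");
  return found;
}

function assess(pw) {
  const bits = theoreticalBits(pw);
  return { bits, seconds: crackSeconds(bits), weaknesses: findWeaknesses(pw) };
}
```

`assess("P@ssw0rd")` reports about 52.6 theoretical bits (8 characters from the 95-character pool) and still flags a leet substitution of a dictionary word, which is why the theoretical number cannot be trusted on its own.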
Rate-limited web login attempts. Most sites lock accounts after a few failures. Even a weak password might survive, but you shouldn't rely on this.
Attacker has stolen hashed passwords and is cracking them on a standard computer. Bcrypt and Argon2 hashing slows this dramatically.
Modern GPUs can compute billions of hashes per second for weak algorithms like MD5 or SHA-1. This is the standard we test against.
Nation-state level resources. Even at this speed, a 20-character random password from the full ASCII set would take billions of years.
No. All analysis happens in your browser using JavaScript. Nothing is transmitted over the network. You can verify by checking your browser's developer tools network tab while using this tool.
80+ is excellent for most purposes. For critical accounts (banking, email, password manager master password), aim for 90+. Below 40 means your password is vulnerable.
Common patterns like "P@ssw0rd!" use predictable substitutions that attackers check first. Real strength comes from randomness and length, not clever tricks.
Length alone isn't enough. "aaaaaaaaaaaaaaaa" is 16 characters but trivially crackable. Repeated characters, dictionary words, and common phrases reduce effective entropy significantly.
We estimate time based on 10 billion guesses per second (modern GPU cluster with MD5/SHA-1). Real crack times depend on the hashing algorithm used — bcrypt and Argon2 are 10,000x slower to crack.
Only if they run entirely in your browser. Our tool never transmits your password — all analysis is client-side JavaScript. Avoid any checker that requires you to submit your password to a server.