Password Strength Analyzer
Estimate how long it would take an attacker to crack your password.
Type a password and get a realistic strength estimate based on what real cracking software does — dictionary lookups, common substitutions, popular passwords, keyboard patterns. Not the naive "has letters and a number" check that gives terrible passwords a green tick.
Common use cases: testing a candidate password before saving it, building intuition for what actually makes a password strong, evaluating organisational password policies, and double-checking that a memorable phrase is also safe.
Frequently asked questions
How is strength actually measured?
By entropy — the number of guesses an attacker would need on average. A truly random 8-character ASCII password has about 52 bits of entropy; a 16-character one has 105 bits. Real human-chosen passwords land much lower because of common patterns (capital first letter, digit at end, "1234").
Why does "P@ssw0rd!" get rated weak despite having all character classes?
Because attackers know that pattern. Decades of leaked password databases let modern crackers prioritise common substitutions (
a→@, o→0, s→$) and common base words. Throwing those characters at a dictionary word adds maybe one bit of practical entropy, not 24.Is a long passphrase really stronger than a random short password?
Yes — four random words from a 7000-word list has about 51 bits of entropy, comparable to an 8-character random ASCII password but much easier to type. The catch is that the words must be truly random (a dice roll, not "the first four words I thought of").
Is the password sent anywhere?
No. All analysis runs in your browser. Nothing is transmitted, logged or stored — close the tab and it's gone.