What is a Password Strength Checker?
A password strength checker analyzes your password in real time to evaluate its resistance to cracking attempts. It checks for common patterns, dictionary words, and entropy to give you an accurate strength score. Use it to ensure your passwords meet modern security standards.
The analyzer uses zxcvbn, the same library Dropbox open-sourced, which knows 30,000 common passwords, leaked-password databases, English and surname dictionaries, and predictable patterns like dates, keyboard walks, and l33t substitutions. The score is 0-4, with crack-time estimates across four attacker scenarios from online throttled to offline GPU farms.
How to use
- Type or paste your password into the input field to begin the analysis
- Review the strength score, estimated crack time, and specific feedback about weaknesses
- Improve your password based on the suggestions until you reach a strong or very strong rating
When to use
- Sanity-checking a memorable password before committing to it as your password-manager master password.
- Stress-testing the password policy at work: does 'CompanyName2024!' really pass your bar?
- Showing a less-technical family member why their pet-name password is weak.
Result
Enter 'Tr0ub4dor&3' to see it scores as moderate — while it uses mixed characters, it follows a predictable substitution pattern. Compare with a random passphrase like 'correct-horse-battery-staple' which scores higher despite using only lowercase letters and hyphens.
FAQ
- What does each strength score 0 through 4 actually mean?
- 0 is too guessable, cracked in under a second by any online attack. 1 takes hours online or seconds offline. 2 holds against online but falls offline. 3 is reasonable. 4 takes a century even against a GPU farm trying 10 billion guesses per second.
- Why does 'Tr0ub4dor&3' score worse than 'correct horse battery staple'?
- The first password follows a known pattern: dictionary word + predictable substitutions (0 for o, 4 for a) + special character + digit. Attackers' rule lists test these combinations early. Four random common words give more entropy because there are far more 4-word combinations than substitution variants.
- Is my password sent anywhere when I type it here?
- The strength scoring runs entirely on your device, in this page's JavaScript, and fires no network request while you type. The one optional exception is the breach check: if you press it, only the first 5 characters of your password's SHA-1 hash are sent (k-anonymity), so the password itself never leaves the input field. Nothing is logged when you close the tab.
- The warning says my password is in a data breach. Is that accurate?
- Two layers answer that. The instant warning comes from zxcvbn's built-in list of the 30,000 most-used passwords from leaks like RockYou, matched offline. For a live answer, press Check for breaches — it queries the HaveIBeenPwned database using k-anonymity (only the first 5 hash characters are sent) and tells you exactly how many times the password has appeared in real breaches.
- Which crack-time scenario should I optimize for?
- For most accounts the 'offline slow hashing' figure is the relevant one because that's what happens when a database leaks and attackers run hashcat. Aim for at least 'centuries' there, which usually means score 3-4 with 12+ characters.
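
The k-anonymity breach check described in the FAQ answers above can be sketched as follows. This is an added example, not this page's own code: it hashes with Node's built-in `crypto` module so it runs offline, the response text is a constructed sample with made-up counts, and `fetchRange` is a hypothetical injected function that would return the range response for a prefix.

```javascript
const { createHash } = require('node:crypto');

// Split the SHA-1 of the password into the 5-character prefix that is sent
// and the 35-character suffix that never leaves the device.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response ("SUFFIX:COUNT" per line) and return the breach
// count for our suffix, or 0 if it is absent. Malformed lines are skipped,
// and a zero-count line is treated as "not found in a breach".
function countInRange(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m && m[1].toUpperCase() === suffix) return Number(m[2]);
  }
  return 0;
}

// Full lookup: only `prefix` is handed to the network layer.
// fetchRange is hypothetical (prefix -> Promise of response text).
async function breachCount(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return countInRange(await fetchRange(prefix), suffix);
}

// Constructed sample response for prefix 5BAA6 (counts are made up).
const SAMPLE_RANGE = [
  '0'.repeat(34) + 'A:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42', // suffix of SHA-1("password")
  'F'.repeat(35) + ':0',
  'not a valid line',
].join('\r\n');

const demo = splitHash('password');
console.log(demo.prefix, countInRange(SAMPLE_RANGE, demo.suffix)); // 5BAA6 42
```

The comparison against the suffix happens locally, so the service only learns that some password whose hash starts with those five characters was checked.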