Password Strength Checker
Analyze password strength in real-time. Shows estimated crack time and improvement suggestions.
Last updated:
How to Use
Expand how to useCollapse how to use
- 1
Enter your password
Type the password you want to check in the input field.
- 2
Check the strength
The score, estimated crack time, and character breakdown are displayed in real-time.
- 3
Review suggestions
Use the warnings and suggestions to create a stronger password.
All processing happens in your browser. Passwords are never sent to a server.
Password Input
Analysis Result
Enter a password to analyze its strength
About Password Strength Checker
Password Strength Checker evaluates how secure your password is using the zxcvbn algorithm developed by Dropbox, which goes beyond simple rule checks to analyze real-world attack patterns. It detects common passwords, dictionary words, keyboard patterns (qwerty, 123456), l33t speak substitutions, and repeated characters. Results include estimated crack times for four realistic attack scenarios: online throttled (rate-limited login), online unthrottled, offline with a fast hash (MD5/SHA-1), and offline with a slow hash (bcrypt/scrypt). Specific improvement suggestions tell you exactly how to make your password stronger.
Key Features
- Intuitive 5-level strength score (0-4)
- Estimated crack time for 4 attack scenarios
- Specific warnings and improvement suggestions
- Character breakdown (uppercase, lowercase, numbers, symbols)
- Complete privacy protection with browser-only processing
Use Cases
- Test whether your current passwords are strong enough
- Check passwords before saving them to a password manager
- Educate users about password security best practices
- Evaluate password policies for your organization
- Verify that generated passwords meet strength requirements
FAQ
Is my password stored anywhere?
No. The zxcvbn library runs entirely as JavaScript in your browser. Passwords are never sent to any server, and are cleared from memory when you leave the page.
How is the 0-4 score determined?
The zxcvbn algorithm evaluates passwords from multiple perspectives including dictionary attacks, keyboard patterns, repetitions, and date patterns. It provides more accurate assessment than simple character type checks.
How is the estimated crack time calculated?
It divides the number of guesses by the attempt speed of 4 attack scenarios (2 online attacks, 2 offline attacks). Actual crack time varies depending on the attacker's environment.
Is a score of 4 absolutely safe?
A score of 4 indicates a very strong password, but does not guarantee absolute safety. We recommend avoiding password reuse and enabling two-factor authentication (2FA) on all accounts that support it.
Why does my complex password score low?
The zxcvbn algorithm detects common substitution patterns (like @ for a, or 3 for e) and keyboard walks (like qwerty). A password may look complex visually but still be predictable to an attacker. Try using a longer random passphrase or a password generated by a password manager instead.
Editorial Review & References
- Reviewed by
- Toolsbase Editorial Team
- Last reviewed
References
- NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle ManagementOpens in a new tab
- OWASP Authentication Cheat SheetOpens in a new tab
- OWASP Password Storage Cheat SheetOpens in a new tab
- zxcvbn: Low-Budget Password Strength Estimation (Dropbox Engineering)Opens in a new tab
- CISA — Password Security Best PracticesOpens in a new tab
Disclaimer
Strength evaluation in this tool is based on the zxcvbn library, which uses pattern and dictionary analysis. The predicted crack time varies significantly with attack method, hardware, and parallelism. For important accounts (financial, medical, government services), we strongly recommend combining this tool with a password manager, multi-factor authentication (MFA), and passphrase-style credentials. To check whether a password has been exposed in a known breach, use services such as Have I Been Pwned.