Skip to main content

Password Strength Checker

Analyze password entropy, estimated crack time, and vulnerability patterns.

How Password Strength Is Measured

Traditional password meters check for uppercase, lowercase, digits, and symbols. This approach is fundamentally flawed because 'P@ssw0rd!' passes every rule yet appears in most breached-password lists. Real attackers use dictionaries, pattern databases, and l33t substitution tables, not character-class rules.

zxcvbn, the library powering this tool, was developed by Dropbox's security team and takes a different approach. It decomposes a password into the patterns an attacker would actually exploit: dictionary words, keyboard walks (like 'qwerty'), dates, repeated sequences, and common substitutions. It then estimates the number of guesses required and translates that into a crack time based on realistic attack speeds.

Entropy, displayed in bits, represents the theoretical randomness of your password. Higher entropy means more possible combinations an attacker must try. A truly random 20-character password from a password manager typically has 120+ bits of entropy, while the average user-chosen password has 20-40 bits. The gap between those two numbers explains why password managers are consistently recommended by security professionals.

Frequently Asked Questions

How does this password checker work?

This tool uses zxcvbn, an open-source password strength estimator developed by Dropbox. Instead of relying on simplistic rules like minimum length or requiring special characters, zxcvbn analyzes your password against common patterns including dictionary words, keyboard sequences, repeated characters, l33t substitutions, and known breached passwords. It estimates how long a real-world attacker would need to crack it.

Is my password sent to a server?

No. All analysis runs entirely in your browser using JavaScript. Your password never leaves your device, is never transmitted over the network, and is never stored in cookies, local storage, or URL parameters. You can verify this by disconnecting from the internet and using the tool offline.

What is a good password strength score?

Score 4 (very strong) means an estimated 10+ years to crack even with dedicated hardware. Score 3 (strong) means months to years. Anything below score 3 should be improved. Keep in mind that zxcvbn evaluates real-world attack patterns, so a score of 4 from zxcvbn is a much more reliable indicator than passing arbitrary complexity rules.

Why is 'Tr0ub4dor&3' not a strong password?

Common letter-to-number substitutions (a to @, o to 0, e to 3) are well-known to password crackers and are among the first patterns they try. The xkcd comic #936 illustrated this perfectly: despite looking complex, 'Tr0ub4dor&3' has roughly 28 bits of entropy, while a passphrase like 'correct horse battery staple' has about 44 bits and is easier to remember.

What makes a password strong?

Length matters most. A 16+ character password using random words (a passphrase) is both strong and memorable. Avoid dictionary words on their own, personal information (names, birthdays, pet names), keyboard patterns (qwerty, 12345), and common substitutions. A truly random password from a password manager is the gold standard, but a 4-5 word passphrase is a practical alternative.