Password Strength Checker
See how strong your password really is. Entropy, character composition, common-password penalties, breach-database lookup (anonymized), and an estimated time-to-crack — all computed inside your browser.
How the Score Works
This tool computes a composite score from four signals: character pool size, length, common-password penalty, and pattern detection (sequential, repeated, keyboard walks). Together they produce an entropy estimate in bits.
Scoring bands (bits of entropy):
< 28 bits → very weak (cracked in minutes)
28–35 → weak (cracked in hours)
36–59 → moderate (days–months)
60–127 → strong (years–centuries)
≥ 128 → excellent (effectively uncrackable)
Why a "complex" password can still be weak
This checker scores entropy — how unpredictable a password is — not whether it ticks the familiar "one capital, one number, one symbol" boxes. That gap matters, because those rules reward passwords that look complex to a person but are easy for software. P@ssw0rd1 passes every complexity rule and is one of the first guesses any cracking tool makes. Length and unpredictability beat decoration: a longer, more random password scores far higher than a short one dressed up with symbols.
Why the breach result matters even more
A password can look long and unique and still be a poor choice — because if it has already appeared in a data breach, it's effectively public, and attackers try leaked passwords first. So this tool checks two different things: how strong the password is in theory, and whether it has already been exposed in practice. If a strong-looking password shows up in breaches, replace it anyway.
I watched a lot of people, across my years in IT support, defend a password they were quietly proud of. It was always some variation of a word with a capital, a symbol and a number on the end, and they were sure it was strong. The strength bar rarely changed their mind on its own. What ended the discussion every time was the breach count: paste it in, and up comes "seen 47,000 times in breaches." There's no arguing with that number. It taught me that "complex" and "strong" are not the same word — and that the most useful thing a checker can show isn't the score, it's whether the password is already out there.
— Hill, 20 years in IT support
Both checks run privately: the strength score is computed in your browser, and the breach lookup uses k-anonymity, so your password itself is never sent anywhere.
Frequently Asked Questions
Does this tool send my password anywhere?
No. Entropy scoring and crack-time estimation run entirely in your browser. The breach check uses k-anonymity — only the first 5 characters of the SHA-1 hash leave your device, never the password itself.
What is k-anonymity?
We hash your password locally with SHA-1, then send only the first 5 hex characters to the Have I Been Pwned public API. The API returns hundreds of partial matches; we filter them in your browser. Your actual password never leaves your device.
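The lookup described above, as an added JavaScript example (not this tool's own code). It assumes the Pwned Passwords range endpoint at api.pwnedpasswords.com and its `SUFFIX:COUNT` response lines; the function names and the sample response are constructed for illustration.

```javascript
// Added example: k-anonymity range lookup, done entirely on the client.
const RANGE_URL = 'https://api.pwnedpasswords.com/range/'; // HIBP range endpoint

// SHA-1 of the password as 40 uppercase hex characters (Web Crypto, in-browser).
async function sha1Hex(password) {
  const digest = await crypto.subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Split the hash: the 5-character prefix is sent, the 35-character suffix stays local.
function splitHash(hashHex) {
  if (!/^[0-9A-F]{40}$/i.test(hashHex)) {
    throw new Error('expected a 40-character SHA-1 hex digest');
  }
  const h = hashHex.toUpperCase();
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// Look for our suffix among the "SUFFIX:COUNT" lines returned for the prefix.
// Returns the breach count, or 0 when absent (padding entries also carry count 0).
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) return parseInt(count, 10) || 0;
  }
  return 0;
}

// Full lookup: only `prefix` ever appears in the request.
async function breachCount(password) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  const res = await fetch(RANGE_URL + prefix);
  if (!res.ok) throw new Error(`range lookup failed: HTTP ${res.status}`);
  return countInRange(await res.text(), suffix);
}

// Constructed sample (not real API output): the SHA-1 of the string "password"
// and a made-up range response with invented suffixes and counts.
const SAMPLE_HASH = '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8';
const SAMPLE_BODY = [
  '0123456789ABCDEF0123456789ABCDEF012:3',
  SAMPLE_HASH.slice(5) + ':1234',
  'F'.repeat(35) + ':0', // padding-style entry: present but count 0
].join('\r\n');
```

The server only learns which 5-character bucket the hash falls in; the match against the suffix happens in `countInRange`, on the client.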
What makes a strong password?
Length matters more than complexity. A 16-character random passphrase beats an 8-character symbol soup. Aim for 60+ bits of entropy — roughly 12+ random characters or 4+ random words.
Why does my "complex" password score as weak?
Because the score measures unpredictability (entropy), not whether it follows complexity rules. Patterns like a word plus "1!" are predictable and tried early by cracking tools. A longer, more random password — even without symbols — scores much higher.