Password Strength Analyzer
Analyze how strong your password is in real time. Checks length, character variety, common patterns, and estimates time to crack.
About Password Strength Analyzer
A password's strength depends on its length, character variety, and unpredictability. This analyzer evaluates all three in real time, showing a strength rating, entropy in bits, estimated crack time, and a detailed checklist of what to improve. Your password never leaves your browser - all analysis runs locally in JavaScript.
What Gets Checked
The analyzer evaluates eight criteria and shows a pass/fail indicator for each one.
| Check | Requirement | Why It Matters |
|---|---|---|
| Minimum length | 8+ characters | Short passwords are trivially brute-forced |
| Recommended length | 12+ characters | Each extra character multiplies the search space exponentially |
| Uppercase letters | At least 1 | Expands the character pool from 26 to 52 |
| Lowercase letters | At least 1 | Required for mixed-case strength |
| Numbers | At least 1 | Adds 10 characters to the pool |
| Special characters | At least 1 | Adds 30+ characters to the pool |
| Common password check | Not in known breach lists | Attackers try known passwords first |
| Pattern detection | No keyboard walks or sequences | "qwerty123" and "abcdef" are among the first things attackers test |
How Entropy Is Calculated
Entropy measures the theoretical unpredictability of a password in bits. The formula is: entropy = length × log2(pool size). The pool size depends on which character types are used.
| Character Types Used | Pool Size | 8-char Entropy | 12-char Entropy | 16-char Entropy |
|---|---|---|---|---|
| Lowercase only (a-z) | 26 | 37.6 bits | 56.4 bits | 75.2 bits |
| Lower + upper (a-z, A-Z) | 52 | 45.6 bits | 68.4 bits | 91.2 bits |
| Lower + upper + digits | 62 | 47.6 bits | 71.5 bits | 95.3 bits |
| All printable ASCII | 95 | 52.6 bits | 78.8 bits | 105.1 bits |
This calculation assumes each character is chosen randomly. If the password contains dictionary words or patterns, the effective entropy is lower because attackers use smarter strategies than pure brute force.
Estimated Crack Time
The crack time estimate assumes an offline attack at 10 billion guesses per second, which represents a well-equipped attacker using multiple GPUs against an unsalted fast hash like MD5 or SHA-1. Against properly hashed passwords (bcrypt with cost 10), the effective rate drops to roughly 10,000 guesses per second.
| Attack Scenario | Guesses per Second | Typical Context |
|---|---|---|
| Online attack (rate-limited) | 10-1,000 | Login form with lockout after failed attempts |
| Offline, fast hash (MD5) | 10 billion+ | Leaked database with weak hashing |
| Offline, bcrypt (cost 10) | ~10,000 | Properly hashed password database |
| Offline, Argon2id | ~1,000 | Modern best-practice password storage |
This is why password hashing matters as much as password strength. A 12-character password that would fall in hours against MD5 could last centuries against bcrypt. For hashing passwords, see the Bcrypt Hash Generator.
Strength Rating Scale
| Rating | Entropy Range | Typical Password | Assessment |
|---|---|---|---|
| Very Weak | 0-25 bits | "password" or "123456" | Cracked instantly by any attacker |
| Weak | 25-40 bits | "Summer2024" | Falls to dictionary attacks within minutes |
| Fair | 40-60 bits | "Tr0pic@l99" | Resists casual attacks but vulnerable to dedicated effort |
| Strong | 60-80 bits | "kX9!mPq2vL#n" | Good for most accounts with proper hashing |
| Very Strong | 80+ bits | "correct-horse-battery-staple" or 16+ random chars | Effectively uncrackable through brute force |
Passwords found in known breach databases are always rated Very Weak regardless of their apparent complexity. "P@ssw0rd!" looks complex but appears in virtually every breach list.
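The entropy formula, the guess rates from the attack-scenario table, and the rating bands can be combined as follows. This is an added example, not the analyzer's own code: the function names, the 33-symbol count (95 printable ASCII minus 62 alphanumerics), the upper online rate of 1,000, and the handling of band edges are assumptions.

```javascript
// Added example: pool sizes follow the entropy table on this page.
function poolSize(password) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 33; // assumed: 95 printable minus 62
  return pool;
}

// entropy = length x log2(pool size); assumes every character is chosen at random.
function entropyBits(password) {
  const pool = poolSize(password);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Guesses per second, taken from the attack-scenario table.
const RATES = { online: 1e3, fastHash: 1e10, bcrypt10: 1e4, argon2id: 1e3 };

// Time to try every combination: total combinations divided by the guess rate.
function crackSeconds(bits, rate) {
  return Math.pow(2, bits) / rate;
}

function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return seconds < 1 ? "under a second" : `${seconds.toPrecision(3)} seconds`;
}

// Bands from the rating table; a breach-list hit overrides the entropy score.
function rating(bits, knownBreached = false) {
  if (knownBreached || bits < 25) return "Very Weak";
  if (bits < 40) return "Weak";
  if (bits < 60) return "Fair";
  return bits < 80 ? "Strong" : "Very Strong";
}

function analyze(password, knownBreached = false) {
  const bits = entropyBits(password);
  const times = {};
  for (const [name, rate] of Object.entries(RATES)) {
    times[name] = humanize(crackSeconds(bits, rate));
  }
  return { pool: poolSize(password), bits, rating: rating(bits, knownBreached), times };
}
```

This models only length and pool size, so a password built from words or patterns scores higher here than its real resistance to guessing.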
Common Password Mistakes
| Mistake | Example | Why It Fails |
|---|---|---|
| Dictionary word with simple substitution | p@$$w0rd | Attackers run "leet speak" variations automatically |
| Keyboard walk | qwerty, zxcvbn | Listed in every cracking dictionary |
| Name + year | Michael1990 | Attackers combine name lists with date ranges |
| Short with all character types | Ab1! | Only 4 characters - brute-forced in seconds |
| Reusing across sites | Same password everywhere | One breach compromises all your accounts |
| Sequential patterns | abcd1234 | Among the first patterns attackers try |
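The common-password and pattern checks can be sketched like this, covering the leet-substitution, keyboard-walk and sequential-pattern rows of the table above. It is an added example, not the analyzer's own code: the function names, the run length of 4, the substitution map and the four-entry word list are assumptions, and the list is a constructed sample rather than a real breach list.

```javascript
// Added example. COMMON is a tiny constructed sample, not a real breach list.
const COMMON = new Set(["password", "qwerty", "letmein", "123456"]);
const KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const LEET = { "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "l", "3": "e", "!": "i" };

// Undo simple substitutions so "p@$$w0rd" compares equal to "password".
function deLeet(s) {
  return s.toLowerCase().replace(/[@4$50!13]/g, (c) => LEET[c]);
}

// Match the raw string, its de-leeted form, or its stem without trailing digits/symbols.
function isCommonBase(password) {
  const lower = password.toLowerCase();
  const stem = lower.replace(/[^a-z]+$/, "");
  return COMMON.has(lower) || COMMON.has(deLeet(lower)) || COMMON.has(deLeet(stem));
}

// n or more neighbouring keys from one keyboard row, in either direction.
function hasKeyboardWalk(s, n = 4) {
  const t = s.toLowerCase();
  for (const row of KEY_ROWS) {
    const rev = [...row].reverse().join("");
    for (let i = 0; i + n <= t.length; i++) {
      const chunk = t.slice(i, i + n);
      if (row.includes(chunk) || rev.includes(chunk)) return true;
    }
  }
  return false;
}

// n or more characters whose codes step by +1 or -1 ("abcd", "4321").
function hasSequence(s, n = 4) {
  const t = s.toLowerCase();
  let run = 1, dir = 0;
  for (let i = 1; i < t.length; i++) {
    const d = t.charCodeAt(i) - t.charCodeAt(i - 1);
    const step = Math.abs(d) === 1;
    run = step ? (d === dir ? run + 1 : 2) : 1;
    dir = step ? d : 0;
    if (run >= n) return true;
  }
  return false;
}

function findPatterns(password) {
  const checks = { "common-password": isCommonBase, "keyboard-walk": hasKeyboardWalk, "sequence": hasSequence };
  return Object.keys(checks).filter((name) => checks[name](password));
}
```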
What Makes a Good Password
The most effective passwords are long and random. A 4-word passphrase like "correct-horse-battery-staple" (inspired by the well-known XKCD comic) has about 44 bits of entropy from a standard dictionary, but using a larger word list or adding random characters pushes it much higher. A 16-character random string from a password generator typically exceeds 100 bits of entropy.
| Strategy | Example | Approximate Entropy | Ease of Recall |
|---|---|---|---|
| Random characters (16) | kX9!mPq2vL#nR8&w | 105 bits | Very hard - use a password manager |
| Passphrase (4 words, large list) | marble-vortex-plume-dusk | ~77 bits | Moderate - memorable with practice |
| Passphrase + random modifier | marble-vortex-plume-dusk-42! | ~90 bits | Moderate |
| Sentence-based mnemonic | IbmFc@2:30pM! | ~85 bits | Good if you remember the sentence |
The best approach for most people is to use a password manager that generates and stores random passwords. You only need to remember one strong master password.
Password Requirements by Service
| Service Type | Typical Minimum | Recommended |
|---|---|---|
| Banking / Financial | 8-12 characters | 16+ characters, enable 2FA |
| Email (primary) | 8 characters | 16+ characters, unique, enable 2FA |
| Social media | 6-8 characters | 12+ characters, enable 2FA |
| WiFi (WPA2/WPA3) | 8 characters | 20+ characters (offline attacks are fast) |
| Password manager master | 12 characters | 20+ characters or strong passphrase |
Need to generate a strong password from scratch? The Password Generator creates random passwords with configurable length and character types. For encrypting sensitive text with a password, the Encryption Tool uses AES-256-GCM. All analysis runs entirely in your browser - your password is never transmitted or stored.
Frequently Asked Questions
How is the crack time calculated?
The tool estimates how long a brute-force attack would take assuming 10 billion password guesses per second, which represents a powerful offline attack using GPUs. It calculates the total possible combinations based on the character pool size and password length, then divides by the guess rate.
Is this different from the Password Generator?
Yes. The Password Generator creates new random passwords for you. The Password Strength Analyzer checks existing passwords you already have or are considering using, and tells you how strong they are with specific improvement suggestions.
What makes a password "Very Strong"?
A Very Strong password typically has 16 or more characters, uses uppercase and lowercase letters plus numbers and special characters, avoids common words and keyboard patterns, and has high entropy (80+ bits). The longer and more random, the better.
Is my password sent anywhere during analysis?
No. All analysis runs entirely in your browser using JavaScript. Your password never leaves your device and is not stored or transmitted.
Why does my 12-character password score lower than expected?
Length alone is not enough. If your password uses only lowercase letters or follows a common pattern like "password1234", it will score lower. The analyzer checks for character variety, common passwords, keyboard patterns, and sequential characters alongside length.