Password Strength Analyzer

Analyze how strong your password is in real time. Checks length, character variety, common patterns, and estimates time to crack.

A password's strength depends on its length, character variety, and unpredictability. This analyzer evaluates all three in real time, showing a strength rating, entropy in bits, estimated crack time, and a detailed checklist of what to improve. Your password never leaves your browser - all analysis runs locally in JavaScript.

Ad
Ad

About Password Strength Analyzer

What Gets Checked

The analyzer evaluates eight criteria and shows a pass/fail indicator for each one.

CheckRequirementWhy It Matters
Minimum length8+ charactersShort passwords are trivially brute-forced
Recommended length12+ charactersEach extra character multiplies the search space exponentially
Uppercase lettersAt least 1Expands the character pool from 26 to 52
Lowercase lettersAt least 1Required for mixed-case strength
NumbersAt least 1Adds 10 characters to the pool
Special charactersAt least 1Adds 30+ characters to the pool
Common password checkNot in known breach listsAttackers try known passwords first
Pattern detectionNo keyboard walks or sequences"qwerty123" and "abcdef" are among the first things attackers test

How Entropy Is Calculated

Entropy measures the theoretical unpredictability of a password in bits. The formula is: entropy = length x log2(pool size). The pool size depends on which character types are used.

Character Types UsedPool Size8-char Entropy12-char Entropy16-char Entropy
Lowercase only (a-z)2637.6 bits56.4 bits75.2 bits
Lower + upper (a-z, A-Z)5245.6 bits68.4 bits91.2 bits
Lower + upper + digits6247.6 bits71.5 bits95.3 bits
All printable ASCII9552.6 bits78.8 bits105.1 bits

This calculation assumes each character is chosen randomly. If the password contains dictionary words or patterns, the effective entropy is lower because attackers use smarter strategies than pure brute force.

Estimated Crack Time

The crack time estimate assumes an offline attack at 10 billion guesses per second, which represents a well-equipped attacker using multiple GPUs against an unsalted fast hash like MD5 or SHA-1. Against properly hashed passwords (bcrypt with cost 10), the effective rate drops to roughly 10,000 guesses per second.

Attack ScenarioGuesses per SecondTypical Context
Online attack (rate-limited)10-1,000Login form with lockout after failed attempts
Offline, fast hash (MD5)10 billion+Leaked database with weak hashing
Offline, bcrypt (cost 10)~10,000Properly hashed password database
Offline, Argon2id~1,000Modern best-practice password storage

This is why password hashing matters as much as password strength. A 12-character password that would fall in hours against MD5 could last centuries against bcrypt. For hashing passwords, see the Bcrypt Hash Generator.

Strength Rating Scale

RatingEntropy RangeTypical PasswordAssessment
Very Weak0-25 bits"password" or "123456"Cracked instantly by any attacker
Weak25-40 bits"Summer2024"Falls to dictionary attacks within minutes
Fair40-60 bits"Tr0pic@l99"Resists casual attacks but vulnerable to dedicated effort
Strong60-80 bits"kX9!mPq2vL#n"Good for most accounts with proper hashing
Very Strong80+ bits"correct-horse-battery-staple" or 16+ random charsEffectively uncrackable through brute force

Passwords found in known breach databases are always rated Very Weak regardless of their apparent complexity. "P@ssw0rd!" looks complex but appears in virtually every breach list.

Common Password Mistakes

MistakeExampleWhy It Fails
Dictionary word with simple substitutionp@$$w0rdAttackers run "leet speak" variations automatically
Keyboard walkqwerty, zxcvbnListed in every cracking dictionary
Name + yearMichael1990Attackers combine name lists with date ranges
Short with all character typesAb1!Only 4 characters - brute-forced in seconds
Reusing across sitesSame password everywhereOne breach compromises all your accounts
Sequential patternsabcd1234Among the first patterns attackers try

What Makes a Good Password

The most effective passwords are long and random. A 4-word passphrase like "correct-horse-battery-staple" (inspired by the well-known XKCD comic) has about 44 bits of entropy from a standard dictionary, but using a larger word list or adding random characters pushes it much higher. A 16-character random string from a password generator typically exceeds 100 bits of entropy.

StrategyExampleApproximate EntropyEase of Recall
Random characters (16)kX9!mPq2vL#nR8&w105 bitsVery hard - use a password manager
Passphrase (4 words, large list)marble-vortex-plume-dusk~77 bitsModerate - memorable with practice
Passphrase + random modifiermarble-vortex-plume-dusk-42!~90 bitsModerate
Sentence-based mnemonicIbmFc@2:30pM!~85 bitsGood if you remember the sentence

The best approach for most people is to use a password manager that generates and stores random passwords. You only need to remember one strong master password.

Password Requirements by Service

Service TypeTypical MinimumRecommended
Banking / Financial8-12 characters16+ characters, enable 2FA
Email (primary)8 characters16+ characters, unique, enable 2FA
Social media6-8 characters12+ characters, enable 2FA
WiFi (WPA2/WPA3)8 characters20+ characters (offline attacks are fast)
Password manager master12 characters20+ characters or strong passphrase

Need to generate a strong password from scratch? The Password Generator creates random passwords with configurable length and character types. For encrypting sensitive text with a password, the Encryption Tool uses AES-256-GCM. All analysis runs entirely in your browser - your password is never transmitted or stored.

What Do the Latest NIST Guidelines Say?

NIST Special Publication 800-63B Revision 4 (finalised August 2025) recommends a minimum of 15 characters for single-factor accounts and 8 characters where multi-factor authentication is enforced, with systems required to support passwords up to at least 64 characters. The guidance is a clear break from the older "must contain a capital, a number, and a symbol" rules - NIST now tells verifiers NOT to impose composition requirements and NOT to require periodic password rotation unless there is evidence of compromise. The priority is length, uniqueness, and screening against known-breached passwords.

Key changes in SP 800-63B Rev. 4:

  • No mandatory character composition rules (no forced mixed case, digits, or symbols)
  • No scheduled password expiration - change only on suspected compromise
  • No knowledge-based security questions ("first pet's name") as a recovery factor
  • Password hints and security questions are explicitly deprecated
  • All passwords must be screened against a list of compromised passwords before acceptance
  • All printable ASCII, Unicode, and spaces must be allowed

This analyzer flags character variety as a plus because it still expands brute-force search space, but in line with NIST, length and breach-screening carry the most weight.

What Did the 2025 Breach Data Reveal?

NordPass's seventh annual most-common-passwords report, covering breach repositories between September 2024 and September 2025, found that "123456" was again the world's most used password - its sixth year in the top spot out of the last seven. "admin" topped the list in both the UK and the US. Roughly 25 percent of the 1,000 most-used passwords are made up entirely of digits, and the same simple numeric sequences appeared as the top choice in every age group, from Gen Z to boomers.

Verizon's 2025 Data Breach Investigations Report (DBIR) continues to cite stolen or weak credentials as a factor in roughly 22 percent of all breaches, with credential stuffing (attackers replaying usernames and passwords leaked from one site against many others) as one of the top three attack vectors against web applications. This is why password reuse matters more than complexity: a 20-character password used on every site only protects you until the first of those sites is breached.

RankGlobal 2025UK 2025US 2025
1123456adminadmin
2admin123456password
312345678password123456
41234567891234512345
512345qwertypassword1

The analyzer checks against a built-in list of the top entries and flags any match as Very Weak, regardless of apparent complexity. For a live-maintained check against hundreds of millions of breached credentials, services like Have I Been Pwned's Pwned Passwords API use k-anonymity to look up a password without ever revealing it.

How Does a Worked Entropy Example Look?

Take the password Tr0pic@l99. It has 10 characters and uses all four character classes (lower, upper, digit, special), so the pool size is 26 + 26 + 10 + 33 = 95. The raw entropy is 10 x log2(95) = 10 x 6.57 = 65.7 bits. At 10 billion guesses per second against an unsalted MD5 hash, the average time to crack is roughly 95^10 / 2 / 10^10 seconds = about 3.2 years.

That sounds strong, but dictionary-aware cracking tools like hashcat and John the Ripper recognise "Tropical" as a base word with standard leet-speak substitutions, drop the "99" as a two-digit year, and knock the effective entropy down to roughly 25-30 bits. The real-world crack time collapses from years to minutes. This is why the analyzer docks points when a recognisable pattern is detected even if the raw entropy looks high.

Contrast with marble-vortex-plume-dusk: 23 characters, 4 words from a list of about 7,776 common words (EFF's large wordlist), so entropy is 4 x log2(7,776) = 4 x 12.92 = 51.7 bits. At the same MD5 attack rate, that is roughly 113 years to crack on average. Longer passphrases of 5-6 words push well past 80 bits, into territory where brute force stops being the realistic threat model.

Why Does Two-Factor Authentication Still Matter?

Even a very strong password is only one half of the defence. Phishing, malware, and database breaches can expose the password regardless of its entropy. Two-factor authentication (2FA) adds a second independent factor - usually a time-based code from an authenticator app, a hardware security key (FIDO2/WebAuthn), or a push notification. Google reported in a 2019 study that adding an on-device prompt blocked 100 percent of automated bot attacks, 99 percent of bulk phishing attacks, and 90 percent of targeted attacks. Hardware security keys pushed those figures to 100 percent across the board.

Priority order for enabling 2FA: primary email (it is the recovery route for every other account), banking and finance, password manager master account, cloud storage, social media. Prefer TOTP apps or hardware keys over SMS - SMS 2FA can be bypassed by SIM-swap attacks, which the FBI's IC3 has flagged as a growing threat since 2022.

Common Questions About Password Strength

Does changing my password every 90 days make me safer? No. NIST SP 800-63B Rev. 4 explicitly removed scheduled expiration because forced rotation leads to predictable patterns (Summer2024 becomes Summer2025). Only change a password on suspected compromise.

Is a passphrase really as strong as a random string? It depends on the word list size and length. A 4-word passphrase from a 7,776-word list (52 bits) is weaker than a 12-character random string (78+ bits), but a 6-word passphrase (78 bits) matches or beats most typed passwords and is far easier to remember.

Are password managers safe? The consensus from the UK NCSC, US CISA, and NIST is yes - the risk of a password manager being breached is substantially lower than the risk of reusing the same password across dozens of services. Use a reputable manager with a strong unique master password and 2FA on the manager itself.

Should I change my password after a website breach? Yes, immediately, and anywhere you reused that password. Check Have I Been Pwned to see which breaches include your email.

Sources

Frequently Asked Questions

How is the crack time calculated?

The tool estimates how long a brute-force attack would take assuming 10 billion password guesses per second, which represents a powerful offline attack using GPUs. It calculates the total possible combinations based on the character pool size and password length, then divides by the guess rate.

Is this different from the Password Generator?

Yes. The Password Generator creates new random passwords for you. The Password Strength Analyzer checks existing passwords you already have or are considering using, and tells you how strong they are with specific improvement suggestions.

What makes a password "Very Strong"?

A Very Strong password typically has 16 or more characters, uses uppercase and lowercase letters plus numbers and special characters, avoids common words and keyboard patterns, and has high entropy (80+ bits). The longer and more random, the better.

Is my password sent anywhere during analysis?

No. All analysis runs entirely in your browser using JavaScript. Your password never leaves your device and is not stored or transmitted.

Why does my 12-character password score lower than expected?

Length alone is not enough. If your password uses only lowercase letters or follows a common pattern like "password1234", it will score lower. The analyzer checks for character variety, common passwords, keyboard patterns, and sequential characters alongside length.

Link to this tool

Copy this HTML to link to this tool from your website or blog.

<a href="https://toolboxkit.io/tools/password-strength-analyzer/" title="Password Strength Analyzer - Free Online Tool">Try Password Strength Analyzer on ToolboxKit.io</a>