Password Strength Analyzer
Analyze how strong your password is in real time. Checks length, character variety, common patterns, and estimates time to crack.
A password's strength depends on its length, character variety, and unpredictability. This analyzer evaluates all three in real time, showing a strength rating, entropy in bits, estimated crack time, and a detailed checklist of what to improve. Your password never leaves your browser - all analysis runs locally in JavaScript.
About Password Strength Analyzer
What Gets Checked
The analyzer evaluates eight criteria and shows a pass/fail indicator for each one.
| Check | Requirement | Why It Matters |
|---|---|---|
| Minimum length | 8+ characters | Short passwords are trivially brute-forced |
| Recommended length | 12+ characters | Each extra character multiplies the search space exponentially |
| Uppercase letters | At least 1 | Expands the character pool from 26 to 52 |
| Lowercase letters | At least 1 | Required for mixed-case strength |
| Numbers | At least 1 | Adds 10 characters to the pool |
| Special characters | At least 1 | Adds 30+ characters to the pool |
| Common password check | Not in known breach lists | Attackers try known passwords first |
| Pattern detection | No keyboard walks or sequences | "qwerty123" and "abcdef" are among the first things attackers test |
How Entropy Is Calculated
Entropy measures the theoretical unpredictability of a password in bits. The formula is: entropy = length x log2(pool size). The pool size depends on which character types are used.
| Character Types Used | Pool Size | 8-char Entropy | 12-char Entropy | 16-char Entropy |
|---|---|---|---|---|
| Lowercase only (a-z) | 26 | 37.6 bits | 56.4 bits | 75.2 bits |
| Lower + upper (a-z, A-Z) | 52 | 45.6 bits | 68.4 bits | 91.2 bits |
| Lower + upper + digits | 62 | 47.6 bits | 71.5 bits | 95.3 bits |
| All printable ASCII | 95 | 52.6 bits | 78.8 bits | 105.1 bits |
This calculation assumes each character is chosen randomly. If the password contains dictionary words or patterns, the effective entropy is lower because attackers use smarter strategies than pure brute force.
Estimated Crack Time
The crack time estimate assumes an offline attack at 10 billion guesses per second, which represents a well-equipped attacker using multiple GPUs against an unsalted fast hash like MD5 or SHA-1. Against properly hashed passwords (bcrypt with cost 10), the effective rate drops to roughly 10,000 guesses per second.
| Attack Scenario | Guesses per Second | Typical Context |
|---|---|---|
| Online attack (rate-limited) | 10-1,000 | Login form with lockout after failed attempts |
| Offline, fast hash (MD5) | 10 billion+ | Leaked database with weak hashing |
| Offline, bcrypt (cost 10) | ~10,000 | Properly hashed password database |
| Offline, Argon2id | ~1,000 | Modern best-practice password storage |
This is why password hashing matters as much as password strength. A 12-character password that would fall in hours against MD5 could last centuries against bcrypt. For hashing passwords, see the Bcrypt Hash Generator.
Strength Rating Scale
| Rating | Entropy Range | Typical Password | Assessment |
|---|---|---|---|
| Very Weak | 0-25 bits | "password" or "123456" | Cracked instantly by any attacker |
| Weak | 25-40 bits | "Summer2024" | Falls to dictionary attacks within minutes |
| Fair | 40-60 bits | "Tr0pic@l99" | Resists casual attacks but vulnerable to dedicated effort |
| Strong | 60-80 bits | "kX9!mPq2vL#n" | Good for most accounts with proper hashing |
| Very Strong | 80+ bits | "correct-horse-battery-staple" or 16+ random chars | Effectively uncrackable through brute force |
Passwords found in known breach databases are always rated Very Weak regardless of their apparent complexity. "P@ssw0rd!" looks complex but appears in virtually every breach list.
Common Password Mistakes
| Mistake | Example | Why It Fails |
|---|---|---|
| Dictionary word with simple substitution | p@$$w0rd | Attackers run "leet speak" variations automatically |
| Keyboard walk | qwerty, zxcvbn | Listed in every cracking dictionary |
| Name + year | Michael1990 | Attackers combine name lists with date ranges |
| Short with all character types | Ab1! | Only 4 characters - brute-forced in seconds |
| Reusing across sites | Same password everywhere | One breach compromises all your accounts |
| Sequential patterns | abcd1234 | Among the first patterns attackers try |
What Makes a Good Password
The most effective passwords are long and random. A 4-word passphrase like "correct-horse-battery-staple" (inspired by the well-known XKCD comic) has about 44 bits of entropy from a standard dictionary, but using a larger word list or adding random characters pushes it much higher. A 16-character random string from a password generator typically exceeds 100 bits of entropy.
| Strategy | Example | Approximate Entropy | Ease of Recall |
|---|---|---|---|
| Random characters (16) | kX9!mPq2vL#nR8&w | 105 bits | Very hard - use a password manager |
| Passphrase (4 words, large list) | marble-vortex-plume-dusk | ~77 bits | Moderate - memorable with practice |
| Passphrase + random modifier | marble-vortex-plume-dusk-42! | ~90 bits | Moderate |
| Sentence-based mnemonic | IbmFc@2:30pM! | ~85 bits | Good if you remember the sentence |
The best approach for most people is to use a password manager that generates and stores random passwords. You only need to remember one strong master password.
Password Requirements by Service
| Service Type | Typical Minimum | Recommended |
|---|---|---|
| Banking / Financial | 8-12 characters | 16+ characters, enable 2FA |
| Email (primary) | 8 characters | 16+ characters, unique, enable 2FA |
| Social media | 6-8 characters | 12+ characters, enable 2FA |
| WiFi (WPA2/WPA3) | 8 characters | 20+ characters (offline attacks are fast) |
| Password manager master | 12 characters | 20+ characters or strong passphrase |
Need to generate a strong password from scratch? The Password Generator creates random passwords with configurable length and character types. For encrypting sensitive text with a password, the Encryption Tool uses AES-256-GCM. All analysis runs entirely in your browser - your password is never transmitted or stored.
What Do the Latest NIST Guidelines Say?
NIST Special Publication 800-63B Revision 4 (finalised August 2025) recommends a minimum of 15 characters for single-factor accounts and 8 characters where multi-factor authentication is enforced, with systems required to support passwords up to at least 64 characters. The guidance is a clear break from the older "must contain a capital, a number, and a symbol" rules - NIST now tells verifiers NOT to impose composition requirements and NOT to require periodic password rotation unless there is evidence of compromise. The priority is length, uniqueness, and screening against known-breached passwords.
Key changes in SP 800-63B Rev. 4:
- No mandatory character composition rules (no forced mixed case, digits, or symbols)
- No scheduled password expiration - change only on suspected compromise
- No knowledge-based security questions ("first pet's name") as a recovery factor
- Password hints and security questions are explicitly deprecated
- All passwords must be screened against a list of compromised passwords before acceptance
- All printable ASCII, Unicode, and spaces must be allowed
This analyzer flags character variety as a plus because it still expands brute-force search space, but in line with NIST, length and breach-screening carry the most weight.
What Did the 2025 Breach Data Reveal?
NordPass's seventh annual most-common-passwords report, covering breach repositories between September 2024 and September 2025, found that "123456" was again the world's most used password - its sixth year in the top spot out of the last seven. "admin" topped the list in both the UK and the US. Roughly 25 percent of the 1,000 most-used passwords are made up entirely of digits, and the same simple numeric sequences appeared as the top choice in every age group, from Gen Z to boomers.
Verizon's 2025 Data Breach Investigations Report (DBIR) continues to cite stolen or weak credentials as a factor in roughly 22 percent of all breaches, with credential stuffing (attackers replaying usernames and passwords leaked from one site against many others) as one of the top three attack vectors against web applications. This is why password reuse matters more than complexity: a 20-character password used on every site only protects you until the first of those sites is breached.
| Rank | Global 2025 | UK 2025 | US 2025 |
|---|---|---|---|
| 1 | 123456 | admin | admin |
| 2 | admin | 123456 | password |
| 3 | 12345678 | password | 123456 |
| 4 | 123456789 | 12345 | 12345 |
| 5 | 12345 | qwerty | password1 |
The analyzer checks against a built-in list of the top entries and flags any match as Very Weak, regardless of apparent complexity. For a live-maintained check against hundreds of millions of breached credentials, services like Have I Been Pwned's Pwned Passwords API use k-anonymity to look up a password without ever revealing it.
How Does a Worked Entropy Example Look?
Take the password Tr0pic@l99. It has 10 characters and uses all four character classes (lower, upper, digit, special), so the pool size is 26 + 26 + 10 + 33 = 95. The raw entropy is 10 x log2(95) = 10 x 6.57 = 65.7 bits. At 10 billion guesses per second against an unsalted MD5 hash, the average time to crack is roughly 95^10 / 2 / 10^10 seconds = about 3.2 years.
That sounds strong, but dictionary-aware cracking tools like hashcat and John the Ripper recognise "Tropical" as a base word with standard leet-speak substitutions, drop the "99" as a two-digit year, and knock the effective entropy down to roughly 25-30 bits. The real-world crack time collapses from years to minutes. This is why the analyzer docks points when a recognisable pattern is detected even if the raw entropy looks high.
Contrast with marble-vortex-plume-dusk: 23 characters, 4 words from a list of about 7,776 common words (EFF's large wordlist), so entropy is 4 x log2(7,776) = 4 x 12.92 = 51.7 bits. At the same MD5 attack rate, that is roughly 113 years to crack on average. Longer passphrases of 5-6 words push well past 80 bits, into territory where brute force stops being the realistic threat model.
Why Does Two-Factor Authentication Still Matter?
Even a very strong password is only one half of the defence. Phishing, malware, and database breaches can expose the password regardless of its entropy. Two-factor authentication (2FA) adds a second independent factor - usually a time-based code from an authenticator app, a hardware security key (FIDO2/WebAuthn), or a push notification. Google reported in a 2019 study that adding an on-device prompt blocked 100 percent of automated bot attacks, 99 percent of bulk phishing attacks, and 90 percent of targeted attacks. Hardware security keys pushed those figures to 100 percent across the board.
Priority order for enabling 2FA: primary email (it is the recovery route for every other account), banking and finance, password manager master account, cloud storage, social media. Prefer TOTP apps or hardware keys over SMS - SMS 2FA can be bypassed by SIM-swap attacks, which the FBI's IC3 has flagged as a growing threat since 2022.
Common Questions About Password Strength
Does changing my password every 90 days make me safer? No. NIST SP 800-63B Rev. 4 explicitly removed scheduled expiration because forced rotation leads to predictable patterns (Summer2024 becomes Summer2025). Only change a password on suspected compromise.
Is a passphrase really as strong as a random string? It depends on the word list size and length. A 4-word passphrase from a 7,776-word list (52 bits) is weaker than a 12-character random string (78+ bits), but a 6-word passphrase (78 bits) matches or beats most typed passwords and is far easier to remember.
Are password managers safe? The consensus from the UK NCSC, US CISA, and NIST is yes - the risk of a password manager being breached is substantially lower than the risk of reusing the same password across dozens of services. Use a reputable manager with a strong unique master password and 2FA on the manager itself.
Should I change my password after a website breach? Yes, immediately, and anywhere you reused that password. Check Have I Been Pwned to see which breaches include your email.
Sources
- NIST SP 800-63B Rev. 4 - Digital Identity Guidelines, Authentication
- NordPass - Top 200 Most Common Passwords 2025
- Have I Been Pwned - Pwned Passwords API
- Verizon Data Breach Investigations Report 2025
- UK NCSC - Password Policy Guidance
- EFF - Dice-Generated Passphrases Word List
- CISA - Use Strong Passwords
Frequently Asked Questions
How is the crack time calculated?
The tool estimates how long a brute-force attack would take assuming 10 billion password guesses per second, which represents a powerful offline attack using GPUs. It calculates the total possible combinations based on the character pool size and password length, then divides by the guess rate.
Is this different from the Password Generator?
Yes. The Password Generator creates new random passwords for you. The Password Strength Analyzer checks existing passwords you already have or are considering using, and tells you how strong they are with specific improvement suggestions.
What makes a password "Very Strong"?
A Very Strong password typically has 16 or more characters, uses uppercase and lowercase letters plus numbers and special characters, avoids common words and keyboard patterns, and has high entropy (80+ bits). The longer and more random, the better.
Is my password sent anywhere during analysis?
No. All analysis runs entirely in your browser using JavaScript. Your password never leaves your device and is not stored or transmitted.
Why does my 12-character password score lower than expected?
Length alone is not enough. If your password uses only lowercase letters or follows a common pattern like "password1234", it will score lower. The analyzer checks for character variety, common passwords, keyboard patterns, and sequential characters alongside length.
Related Tools
Link to this tool
Copy this HTML to link to this tool from your website or blog.
<a href="https://toolboxkit.io/tools/password-strength-analyzer/" title="Password Strength Analyzer - Free Online Tool">Try Password Strength Analyzer on ToolboxKit.io</a>