Password strength checker
Evaluate password entropy, detect common patterns, and get actionable advice — all locally in your browser.
100% in your browser. Your password never leaves your device.
How to use
- Type or paste a password into the field above.
- The strength meter and entropy calculation update in real time.
- Review the analysis panel for specific weaknesses.
- Use the suggestions to improve your password, or switch to the Password Generator to create a strong one automatically.
Common use cases
- Password audit — check existing passwords before a security review.
- Password policy — verify a candidate password meets entropy requirements.
- Security training — demonstrate why substitutions like p@ssw0rd are not strong.
- Passphrase evaluation — compare the entropy of a Diceware phrase against a random string.
Also see: Password Breach Check to verify against known breaches, and Passphrase Generator for memorable high-entropy alternatives.
Frequently asked questions
- How is password strength measured?
- This tool calculates Shannon entropy (log₂(charset_size ^ length)) and penalises predictable patterns such as repeated characters, common words, keyboard walks (qwerty, 123456), and sequences. The result is a composite score from Weak to Very Strong.
- Is my password sent to any server?
- No. All analysis happens in your browser in JavaScript. Nothing is transmitted anywhere.
- What is entropy?
- Entropy measures unpredictability in bits. A password with 60 bits of entropy would take 2⁶⁰ guesses to exhaust in a brute-force attack. Modern GPU-based crackers can test billions of hashes per second, so 60+ bits is a reasonable minimum for sensitive accounts.
- How many bits of entropy do I need?
- For most accounts: 60+ bits. For high-value accounts (email, banking): 80+ bits. For encryption keys protecting sensitive data: 128 bits minimum. A 20-character random password using uppercase, lowercase, and digits provides about 119 bits.
- What makes a password weak?
- Short length, limited character variety, common words, keyboard patterns (qwerty, 123456), repeated characters (aaaa), and predictable substitutions (p@ssw0rd) all reduce effective entropy and make passwords vulnerable to dictionary attacks.
- Should I use a passphrase instead?
- Passphrases of 4–6 random words (Diceware) can provide 50–75 bits of entropy and are easier to memorise. Use the Passphrase Generator to create one. For stored passwords managed by a password manager, a random 20-character string is stronger.
- Does this replace checking against breach databases?
- No. A password can be strong by entropy metrics but still appear in breach databases if it was used before. Use the Password Breach Check tool to verify a password has not been exposed.
- What character set should I use?
- Using all four types — uppercase (26), lowercase (26), digits (10), and symbols (~32) — gives a charset of about 94 characters. A 16-character password from this set has roughly 105 bits of entropy.
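
The answer to "How is password strength measured?" describes a charset-and-length estimate that is reduced when predictable patterns are found. The JavaScript below is an added example of that approach, not this tool's own code; the word list, the halving penalty, the 4-character window and the "Fair"/"Strong" labels are assumptions.

```javascript
// Added example. Word list, penalty factor and the middle labels are assumptions,
// not the tool's real values.
const COMMON = ["password", "letmein", "welcome", "admin", "dragon"]; // constructed sample
const WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];   // keyboard rows
const LEET = { "@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t" };

// Size of the smallest standard character pool that covers the password.
function charsetSize(pw) {
  return (/[a-z]/.test(pw) ? 26 : 0) + (/[A-Z]/.test(pw) ? 26 : 0) +
         (/[0-9]/.test(pw) ? 10 : 0) + (/[^a-zA-Z0-9]/.test(pw) ? 32 : 0);
}

// Upper bound from the page: log2(charset_size ^ length) = length * log2(charset_size).
function rawBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(charsetSize(pw));
}

// Undo common substitutions so "p@ssw0rd" is compared as "password".
function deLeet(pw) {
  return [...pw.toLowerCase()].map(c => LEET[c] || c).join("");
}

function findPatterns(pw) {
  const lower = pw.toLowerCase(), plain = deLeet(pw), found = [];
  if (/(.)\1{2,}/.test(pw)) found.push("repeat");               // aaa, 1111
  if (COMMON.some(w => lower.includes(w) || plain.includes(w))) found.push("common-word");
  let walk = false, seq = false;
  for (let i = 0; i + 4 <= lower.length; i++) {
    const s = lower.slice(i, i + 4);
    if (WALKS.some(row => row.includes(s))) walk = true;        // 4 adjacent keys
    if ([1, 2, 3].every(k => s.charCodeAt(k) - s.charCodeAt(k - 1) === 1)) seq = true; // abcd, 1234
  }
  if (walk) found.push("keyboard-walk");
  if (seq) found.push("sequence");
  return found;
}

// Assumed scoring: each finding halves the raw estimate.
function analyse(pw) {
  const patterns = findPatterns(pw);
  const bits = rawBits(pw) * Math.pow(0.5, patterns.length);
  const label = bits < 40 ? "Weak" : bits < 60 ? "Fair" : bits < 80 ? "Strong" : "Very Strong";
  return { rawBits: rawBits(pw), bits, patterns, label };
}

for (const pw of ["p@ssw0rd", "qwerty123456", "kT7mQ2xVb9RwL4zNc8Hd"]) {
  console.log(pw, analyse(pw));
}
```

Note that `qwerty123456` has a raw estimate above 60 bits, yet drops to "Weak" once the keyboard walk and the sequence are counted, which is why the raw formula alone is not a usable score.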