Password Strength Meter
This tool analyzes the strength of any password in your browser and tells you how long it would take an attacker to crack it. It calculates entropy, identifies character set size, detects common patterns and dictionary words, and shows an estimated crack time at different attack speeds. Your password never leaves your device. The tool is free, requires no login, and works offline once the page loads.
Evaluated locally. Never sent to any server.
Enter a password
Password checks run in your browser. Your password is never sent to a server or stored on this device.
How this tool works
The password strength meter evaluates a password you type locally -- nothing is sent to any server -- using the zxcvbn algorithm, a research-backed estimator that goes beyond character-class rules. zxcvbn matches the password against a dictionary of 30,000+ common passwords, English words, names, keyboard walk patterns (qwerty, 12345), date formats, and repeated character sequences. It estimates the number of guesses required to crack the password and converts this to a crack time estimate at 10^10 guesses/second (a GPU-accelerated offline attack). The score (0-4) maps to: 0 = too guessable (under 10^3 guesses), 1 = very guessable (10^3-10^6), 2 = somewhat guessable (10^6-10^8), 3 = safely unguessable (10^8-10^10), 4 = very unguessable (above 10^10). Actionable feedback explains which pattern made the password weak (common word, keyboard pattern, predictable substitution). Key assumption: the strength estimate is calibrated to an offline brute-force attack. For online attacks, where the server throttles guesses, even a score-2 password is effectively uncrackable in practice within a normal account lifetime. Edge case: visually complex passwords that follow known substitution patterns score poorly because attackers use those same substitution rules. 'P@ssw0rd!' scores 0-1 on zxcvbn because it matches well-known substitution patterns in every modern wordlist, while a longer phrase with uncommon words scores 3-4 despite containing no symbols.
Worked example
You want to know if a site password is good enough. Paste it here, read the issues list, and follow the suggestions before you save it in your password manager.
Frequently asked questions
Why does a long password with only lowercase letters sometimes score weak?
If the password contains dictionary words, keyboard patterns, or predictable sequences, the effective entropy is much lower than the raw calculation suggests. For example, correct horse battery staple has 4 common words from a 2,000-word everyday vocabulary, giving an effective entropy of roughly 4 * log2(2000) = 44 bits, not the 182 bits its 28-character length would suggest with random characters. The pattern detector catches this.
Is my password sent anywhere?
No. The entire analysis runs in your browser's JavaScript engine. Your password does not leave your device at any point. You can verify this by opening your browser's DevTools Network tab while typing: you will see no outbound requests containing your password. This is critical because sending a password to an external \\\"strength checker\\\" defeats the purpose entirely.
What crack time scenarios does the tool use?
Three scenarios: online attack at 100 guesses per second (represents a login form with rate limiting), offline attack against a slow hash like bcrypt at 10,000 guesses per second, and offline attack against a fast hash like unsalted MD5 at 10 billion guesses per second. The last scenario applies when an attacker has stolen a database of hashed passwords and is cracking them locally with a GPU cluster.
Does NIST still recommend complex character requirements?
No. NIST SP 800-63B (2020) updated its guidance: length is more important than complexity. NIST now recommends focusing on minimum 8-character minimums (with 15 or more encouraged), checking against known breached password lists, and not requiring periodic password changes unless there is evidence of compromise. Mandatory symbols and mixed case requirements produce predictable substitutions that do not meaningfully increase security.
What is a \"keyboard walk\" and why does it matter?
A keyboard walk is a sequence of characters adjacent on a keyboard, like qwerty, asdf, zxcv, or 12345. These sequences are extremely common in user-chosen passwords and appear high in every cracking dictionary. Even though qwerty123 has 8 characters, it is one of the first sequences any attacker tries. The tool detects horizontal, vertical, and diagonal keyboard walks and applies entropy penalties accordingly.
How accurate is the crack time estimate?
The crack time estimates are based on known attack speeds for specific hash algorithms. They represent current GPU cluster capabilities as of 2026 for consumer-grade hardware. Nation-state attackers with dedicated hardware may crack hashes 10-100x faster. The estimates should be read as approximate orders of magnitude: seconds vs. hours vs. years. A password showing \\\"3 minutes to crack\\\" is effectively insecure. One showing \\\"10,000 years\\\" is safe for all practical purposes.