
Password Strength Analyzer

The Password Strength Checker analyzes a password and reports its entropy in bits, character set composition, detected patterns (keyboard walks, repeated sequences, common substitutions), and an overall strength rating. It uses the zxcvbn algorithm for realistic strength estimation that accounts for dictionary words, common passwords, and predictable patterns – not just character counts. All analysis runs locally in the browser.

How is password strength measured?

Password strength is commonly measured in bits of entropy, that is, log2 of the number of possible passwords. A naive calculation based only on character set size and length overestimates strength for human-chosen passwords. The industry-standard zxcvbn library (developed by Dropbox) estimates strength by modeling how an attacker would actually attack a password: checking against a dictionary of 30,000+ common passwords and names, detecting l33tspeak substitutions (@ for a, 3 for e), keyboard walk patterns (qwerty, asdfgh), date patterns (19901010), and repeated characters. This gives a realistic crack-time estimate rather than a theoretical entropy value.
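
The gap between the naive calculation and a pattern-aware estimate, as an added example (not the tool's code and not zxcvbn's matcher). The word list, substitution table and multipliers are assumptions made for illustration, so the bit counts will not match the tool's output.

```javascript
// Added example: a simplified model, not zxcvbn's matcher, word lists or scoring.
// Constructed sample list, ordered by assumed popularity (index 0 = most common).
const COMMON = ["123456", "password", "qwerty", "letmein", "dragon"];
// Substitutions named in the text (@ for a, 3 for e) plus a few similar ones.
const LEET = { "@": "a", "4": "a", "3": "e", "0": "o", "1": "l", "$": "s", "5": "s" };
const PRINTABLE = 95; // printable ASCII, used for characters no pattern explains

// Naive entropy: length * log2(sum of the character classes present).
function naiveBits(pw) {
  if (pw.length === 0) return 0;
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  return pw.length * Math.log2(pool);
}

// Pattern-aware estimate: cheapest way an attacker reaches pw starting from
// a common word, paying x2 for capitalisation, x2 per l33t substitution and
// a brute-force factor for each leftover character (assumed multipliers).
function patternBits(pw) {
  const lower = pw.toLowerCase();
  const deleet = [...lower].map((c) => LEET[c] ?? c).join("");
  let best = naiveBits(pw); // fall back to the naive figure if nothing matches
  COMMON.forEach((word, rank) => {
    for (const candidate of [lower, deleet]) {
      const at = candidate.indexOf(word);
      if (at === -1) continue;
      const end = at + word.length;
      let subs = 0; // characters that only match after undoing l33t
      for (let k = at; k < end; k++) if (candidate[k] !== lower[k]) subs++;
      const caseFactor = pw.slice(at, end) !== lower.slice(at, end) ? 2 : 1;
      const guesses = (rank + 1) * caseFactor * 2 ** subs
        * PRINTABLE ** (pw.length - word.length);
      best = Math.min(best, Math.log2(guesses));
    }
  });
  return best;
}

for (const pw of ["P@ssw0rd!", "password", "xK9#mQ2$vL7!pR4&"]) {
  console.log(pw, naiveBits(pw).toFixed(1), patternBits(pw).toFixed(1));
}
```

The naive figure for P@ssw0rd! is about 59 bits, while the pattern-aware figure collapses to about 11 bits because the password is one dictionary word plus three cheap transformations and one appended character.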

How does the tool work?

The tool runs zxcvbn on the input password in the browser. The library tokenizes the password into the sequence of patterns that would be most efficient for an attacker to guess and sums their individual entropies. The result is a score from 0 (very weak) to 4 (very strong), an estimated crack time under three attack scenarios (online throttled, online unthrottled, offline fast hash), a list of matched patterns and warnings, and specific suggestions for improving the password. The strength meter and crack time update as you type.

Typical Use Cases

  • Evaluating whether a password you intend to use meets your security requirements
  • Understanding why a seemingly complex password (P@ssw0rd!) is actually weak
  • Comparing the strength of several candidate passwords before choosing one
  • Integrating the strength checker into a sign-up form to guide users (using the zxcvbn library)

Step-by-step Guide

  1. Type or paste the password you want to analyze into the input field.
  2. The strength meter, entropy, score, and crack time estimate update in real time.
  3. Read the pattern warnings and improvement suggestions.
  4. Adjust the password and observe how changes affect the strength score.

Example

Input
P@ssw0rd!
Output
Score: 1/4 (Weak) | Entropy: ~20 bits | Crack time: seconds (common substitution pattern detected)

Tips & Notes

  • Common substitutions like @ for 'a' and 0 for 'o' are well known to attackers and provide minimal security benefit.
  • Adding random words or characters at the end of a dictionary word is much more effective than substituting characters within it.
  • A randomly generated 16-character password scores 4/4 and has a crack time measured in centuries even with fast offline attacks.

Frequently Asked Questions

Why does 'P@ssw0rd!' score low despite using uppercase, digits, and symbols?
Because it is a very well-known pattern. Attackers use dictionaries that include common passwords and their leet-speak variants. The combination of 'password' with standard substitutions is one of the first patterns tried in any dictionary attack.

Does the tool send my password to a server?
No. The entire analysis runs in your browser using the zxcvbn JavaScript library. Your password never leaves your device.

What crack time scenario should I target?
Design your passwords to withstand offline fast hash attacks (e.g. a leaked bcrypt database being cracked on GPUs). Target crack times of centuries for this scenario, which requires a password scoring 4/4 in zxcvbn.