Password strength checker
Assess your password’s entropy and crack time.
- Instant
- Free
- Private (processed locally)
- No sign-up
Measure your password’s real strength
A “complicated” password is not necessarily strong. What matters is the number of combinations an attacker would have to test. This tool computes the entropy and an estimated crack time, and checks the right criteria.
How to use it
-
Type a password
Enter the one to assess (you can reveal it).
-
Read the score
Strength level, entropy in bits and estimated crack time.
-
Improve it
Follow the criteria to strengthen it (length, variety).
Length and crack time
Estimate for a password mixing letters and numbers, against 10 billion guesses per second:
| Length | Estimated crack time |
|---|---|
| 6 characters | A few seconds |
| 8 characters | A few hours |
| 10 characters | About a year |
| 12 characters | Thousands of years |
| 16 characters | Billions of years |
Adding symbols increases these times even further.
Tips
- Aim for 16 characters or more for important accounts.
- A unique password per service, kept in a password manager.
- Enable two-factor authentication (2FA) whenever possible.
The analysis runs locally. No password is sent or stored.
Frequently asked questions
What makes a password strong?
Above all its length, then the variety of characters (lowercase, uppercase, numbers, symbols) and its unpredictability. A long random password is far safer than a short but “complicated” one.
What is entropy?
Entropy measures a password’s “disorder” in bits: the higher it is, the more possible combinations there are. It is estimated as length × log₂(alphabet size). Above 70 bits, a password is considered strong.
How is crack time estimated?
We assume a brute-force attack able to test about 10 billion combinations per second, and take half of the total space as the average time. It is an indicative estimate, not a guarantee.
Is it safe to type my password here?
Yes: the analysis runs entirely in your browser. Nothing is sent or stored. As a precaution, still avoid testing on a shared or compromised device.
Can this tell me if my password was leaked?
No. It measures theoretical strength, not exposure in data breaches. For that, use a dedicated breach-check service and change any compromised password.