Password Audit & Policy Generator

Strength checker, entropy, NIST 2024 compliance, character composition · 100% in browser

Runs in your browser — nothing is sent to any server. NIST SP 800-63B aligned.

What Is a Password Strength Checker?

A password strength checker analyses a password's randomness and resistance to attack without ever sending it to a server. It calculates entropy — a measure of unpredictability in bits — by looking at the size of the character pool (lowercase, uppercase, digits, symbols) and the password's length. More bits means an attacker must try exponentially more combinations.

Beyond raw entropy, a good checker detects structural weaknesses: keyboard walks like qwerty or 12345, leet speak substitutions like p@ssw0rd, and year patterns like 2024 — all of which dramatically reduce effective entropy even when character diversity looks adequate. The tool also estimates crack time at 1 billion guesses per second (a realistic offline attack rate) so you can see exactly how much time your password buys.

How it works

Audit Your Password in Seconds

1. Type your password. Paste or type a password into the checker. All processing is local; nothing leaves your device.
2. See entropy & score. Instantly view entropy in bits, strength label (Very Weak to Extreme), and crack time at 1B guesses/second.
3. Review pattern warnings. The tool flags keyboard walks, leet speak, and year patterns that reduce real-world security.
4. Follow improvement suggestions. Get specific, actionable tips to increase entropy and remove detectable patterns.

Password Entropy & Crack Time Reference

The table below shows how entropy bits translate to real-world crack times at 1 billion guesses per second — a conservative estimate for a modern GPU-based offline attack. Character set size has a major impact: adding symbols or uppercase letters increases the pool and therefore the entropy per character.

| Entropy | Rating | Crack time (1B/s) | Example |
|---|---|---|---|
| ~40 bits | Weak | Seconds to minutes | 6-char lowercase + digits |
| ~56 bits | Fair | Hours to days | 8-char mixed case + digits |
| ~72 bits | Good | Centuries | 12-char full set (upper+lower+digit+symbol) |
| ~128 bits | Excellent | Heat death of the universe | 20-char full set or 6-word passphrase |

Character set impacts: digits only (10 chars) gives 3.32 bits per character; lowercase only (26) gives 4.7 bits; full printable ASCII (~95) gives 6.57 bits. Adding just one character type can add 1–2 bits per character — significant at scale.
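The calculation described above (pool size from the character classes present, length × log₂(pool), a deduction for detected patterns, crack time at 1 billion guesses per second), as an added example that is not this tool's own code. The word and keyboard-walk lists, the leet map and the flat 10-bit penalty are assumptions; the page does not state how large its penalty is.

```javascript
// Pool sizes per character class, as given on the page (26 + 26 + 10 + ~33 = ~95).
const CLASSES = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^A-Za-z0-9]/, 33]];

// Assumptions (not from the page): short constructed lists and a flat penalty.
const WALKS = ["qwerty", "asdfgh", "zxcvbn", "qazwsx", "12345"];
const WORDS = ["password", "admin", "welcome", "letmein"];
const LEET = { "@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t" };
const PENALTY_BITS = 10; // deducted once per detected pattern type

// entropy = length x log2(character set size), the formula quoted in the FAQ.
function rawEntropyBits(pw) {
  const pool = CLASSES.reduce((n, [re, size]) => n + (re.test(pw) ? size : 0), 0);
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Structural weaknesses the page names: keyboard walks, leet speak, years.
function findPatterns(pw) {
  const lower = pw.toLowerCase();
  const deleet = lower.replace(/./g, (c) => LEET[c] ?? c);
  const found = [];
  if (WALKS.some((w) => lower.includes(w))) found.push("keyboard-walk");
  // Leet only counts when undoing the substitutions reveals a listed word.
  if (WORDS.some((w) => deleet.includes(w) && !lower.includes(w))) found.push("leet-speak");
  if (/(19|20)\d{2}/.test(pw)) found.push("year");
  return found;
}

// Crack time = 2^bits / guesses per second (1e9 is the page's offline rate).
function audit(pw, guessesPerSecond = 1e9) {
  const raw = rawEntropyBits(pw);
  const patterns = findPatterns(pw);
  const effective = Math.max(0, raw - PENALTY_BITS * patterns.length);
  return { raw, effective, patterns, crackSeconds: 2 ** effective / guessesPerSecond };
}

// Constructed sample inputs.
for (const pw of ["p@ssw0rd", "qwerty2024", "Tr4&vK9!mQz#Lp2x"]) {
  const r = audit(pw);
  console.log(pw, r.effective.toFixed(1), "bits", r.patterns, r.crackSeconds.toExponential(2), "s");
}
```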

Use cases

When Developers Audit Passwords

  • Validate Password Policy: Check whether a proposed password policy actually produces strong passwords by testing representative examples.
  • Audit Existing Passwords: Review legacy passwords in migration projects to identify weak ones that should be reset before go-live.
  • User Onboarding Flows: Validate minimum entropy requirements during account creation to enforce better hygiene from the start.
  • Compliance Checks: Verify password policy meets NIST SP 800-63B requirements for length, complexity, and banned patterns.
  • API Key Strength: Check that generated API keys or secrets have sufficient entropy before deploying to production.
  • Passphrase Evaluation: Compare entropy of passphrases vs. random passwords to choose the right strategy for different use cases.

FAQ

Frequently Asked Questions

1. Is it safe to type my real password here?
Yes. All calculations happen entirely in your browser using JavaScript. No password, hash, or any data is sent to a server. You can disconnect from the internet before using the tool to confirm this.
2. How is entropy calculated?
The tool uses the Shannon entropy formula: entropy = length × log₂(character set size). The character set size depends on which categories are present — lowercase (26), uppercase (26), digits (10), and symbols (~33). It also applies a penalty for detected patterns like keyboard walks and leet substitutions.
3. What is the difference between zxcvbn and raw entropy?
Raw entropy measures the theoretical search space based on character set and length. zxcvbn (a common password strength estimator by Dropbox) also checks against dictionary lists, common patterns, and known password structures. This tool uses raw entropy plus custom pattern detection, giving you precise bit counts alongside structural weakness warnings.
4. What qualifies as a strong password?
A password with 72+ bits of entropy, no detectable keyboard patterns, no dictionary words, and no predictable sequences like years or names. For sensitive accounts (email, banking, admin) aim for 80+ bits. A 16-character password using the full character set achieves around 105 bits.
5. Is it safe to type a password into a website to check it?
Only when the tool is fully client-side, as this one is. You can verify by opening browser DevTools > Network tab and confirming zero outbound requests while typing. Never enter passwords into tools that make server requests.
6. What is a password security audit?
A password security audit analyzes strength, entropy, detectable patterns, and breach status. It provides specific feedback: crack time estimate, pattern warnings (keyboard walks, leet speak, years), and improvement recommendations.
7. How do I check if my password has been leaked?
Use the HIBP check. This tool sends only the first 5 characters of your password's SHA-1 hash to the HIBP API. The API returns matching hashes; your browser checks whether your full hash is in the list. Your actual password is never transmitted.
8. What is Have I Been Pwned?
HIBP is a free service by Troy Hunt that lets you check if a password or email appeared in known data breaches. The password database contains billions of passwords from real breaches, checked via k-anonymity.
9. How is password crack time calculated?
Crack time = 2^(entropy bits) / 1,000,000,000 seconds at 1 billion guesses per second (a realistic GPU offline attack rate). A 72-bit password has ~4.7 quintillion combinations — trillions of years to crack.
10. What is a dictionary attack?
A dictionary attack uses a list of common words and known passwords (like the 14-million-entry rockyou.txt wordlist) to guess a password. If your password or a variation appears in such lists, it can be cracked in seconds.
11. What is credential stuffing?
Credential stuffing is an attack where stolen username/password pairs from one breach are tried against other sites. Using unique passwords for every account (stored in a password manager) prevents credential stuffing.
12. What makes a password weak?
Weak passwords include common words, short length (under 10 characters), keyboard walks like "qwerty", leet substitutions like "p@ssw0rd", year patterns, and passwords that appear in data breaches.
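The k-anonymity range check described in the HIBP answers above, as an added example that is not this tool's own code: the password is hashed locally, only the 5-character prefix goes into the request, and the suffix comparison happens in the browser. `fetchRange` is a hypothetical injected function and the sample range body is constructed.

```javascript
// Hash in the browser with Web Crypto; returns uppercase hex.
async function sha1Hex(password) {
  const digest = await crypto.subtle.digest("SHA-1", new TextEncoder().encode(password));
  return [...new Uint8Array(digest)]
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("")
    .toUpperCase();
}

// Only `prefix` (5 hex characters) is ever placed in the request.
function splitHash(hashHex) {
  if (!/^[0-9a-f]{40}$/i.test(hashHex)) throw new Error("expected a 40-character SHA-1 hex digest");
  const upper = hashHex.toUpperCase();
  return { prefix: upper.slice(0, 5), suffix: upper.slice(5) };
}

// The range response is one "SUFFIX:COUNT" line per hash sharing the prefix.
// The comparison is local; with response padding enabled, count 0 marks a padding entry.
function breachCount(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate.toUpperCase() === suffix.toUpperCase()) return Number(count) || 0;
  }
  return 0;
}

// fetchRange is a hypothetical injected function: prefix -> response body text.
// In a browser it would wrap fetch("https://api.pwnedpasswords.com/range/" + prefix).
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return breachCount(await fetchRange(prefix), suffix);
}

// Constructed sample: the SHA-1 of "password" and a made-up range body for its prefix.
const SAMPLE_HASH = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8";
const SAMPLE_RANGE = [
  "0018A45C4D1DEF81644B54AB7F969B88D65:3",
  splitHash(SAMPLE_HASH).suffix + ":1000",
  "FFB3A0E6C1D2945870A1B2C3D4E5F60718A:0", // padding-style entry
].join("\r\n");
```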