Home
/
Apps
/
Password Strength Checker

Password Strength Checker

Estimate your password's entropy, see which security criteria it meets, and find out how long it would take to crack under different attack scenarios.

Estimate your password's entropy, see which security criteria it meets, and find out how long it would take to crack under different attack scenarios.

Don't use a password you currently use elsewhere - try a similar pattern instead.

Share this app

Password Strength Checker

What this calculator does

Estimates how hard a password is to guess by brute force, using the same entropy math security tools use internally. It checks which character classes your password uses, scores it against common security criteria (length, character variety, absence from common-password lists, no obvious repeated/sequential patterns), and estimates how long it would take to crack under three different attacker scenarios - from a rate-limited login form to an offline GPU cracking rig.

Formula used

Step 1 - Character pool size. The calculator detects which classes of characters appear in your password and sums their pool sizes:

  • Lowercase letters (a-z): 26
  • Uppercase letters (A-Z): 26
  • Digits (0-9): 10
  • Symbols (!@#$... etc.): 32
  • Any other character (e.g. non-Latin script): adds 100 to the pool

Step 2 - Entropy, in bits, assuming each character was chosen independently at random from that pool:

Entropy=Length×log2(PoolSize)Entropy = Length \times \log_2(PoolSize)

Step 3 - Expected crack time. For a brute-force attacker guessing at a given rate, the average case (not worst case) is half the full keyspace:

CrackTimeseconds=2Entropy2×GuessesPerSecondCrackTime_{seconds} = \frac{2^{Entropy}}{2 \times GuessesPerSecond}

This is calculated for three scenarios:

Scenario Guesses/second Represents
Online, rate-limited 10 A login form with lockouts/throttling
Offline, slow hash 10,000 A leaked database hashed with bcrypt/Argon2/scrypt
Offline, fast hash / GPU 10,000,000,000 A leaked database hashed with fast, unsalted hashes (e.g. MD5) cracked on GPU hardware

If your password (or a close variant of it) appears on well-known common-password lists, the calculator overrides the entropy-based score and reports it as very weak regardless of length - real attackers try these lists first, before brute force.

How to use it

  1. Enter the password you want to test. Don't type a password you currently use - use a similar-pattern stand-in instead, since the value is sent to the calculator to be scored.
  2. Select the attack scenario you're most concerned about (this only affects the highlighted summary line - the table below always shows all three).
  3. Submit to see your entropy in bits, an overall strength score, which security criteria you meet, and estimated crack times.

Example

A password like Tr0ub4dor&3 (11 characters, mixing all four classes) has a pool size of 26 + 26 + 10 + 32 = 94:

Entropy=11×log2(94)11×6.5572 bitsEntropy = 11 \times \log_2(94) \approx 11 \times 6.55 \approx 72 \text{ bits}

Against an offline slow-hash attacker (10,000 guesses/second):

CrackTime=2722×10,0008.0×109 yearsCrackTime = \frac{2^{72}}{2 \times 10{,}000} \approx 8.0 \times 10^{9} \text{ years}

That looks reassuring on paper, but it assumes the password is genuinely random. In practice, real passwords built from words and substitutions (like this one) are far more guessable than raw entropy suggests, because attackers use dictionaries and pattern rules, not pure brute force - which is exactly why length and true randomness (e.g. a password manager's generator) beat clever-looking substitutions.

Notes

  • This is a brute-force entropy estimate, not a guarantee - it does not detect every possible pattern (keyboard walks, leetspeak dictionary words, personal information) that real cracking tools exploit.
  • Nothing you enter is stored - it's used only to compute the result shown on this page.
  • Longer passwords beat complex-looking short ones: 20 random lowercase letters (94 bits) are far stronger than an 8-character password using all four character classes (~52 bits).