🦁 IP Animals
🔐 Generators & Security

Password Strength Checker

Estimate how strong a password really is — its entropy in bits, its character variety, and a rough time-to-crack — as you type. Everything runs locally in your browser and your password is never transmitted, logged or stored.

Nothing is sent anywhere — this runs entirely in your browser.

About the password strength checker

Password strength is really a question of guessability: how many attempts would an attacker need before they stumble onto yours? This tool answers that with a simple, transparent model. It looks at which character classes you have used — lowercase, uppercase, digits and symbols — to estimate the size of the pool an attacker must search, then multiplies by your length to produce an entropy figure in bits.

The pool sizes are the conventional ones: 26 for lowercase, 26 for uppercase, 10 for digits and roughly 33 for common symbols. Entropy is length × log2(pool size). Each extra bit doubles the search space, so small gains in length or variety pay off exponentially. From the entropy we derive a rough offline crack time, assuming a well-resourced attacker who has stolen a password database and can make about 10 billion guesses per second (1×1010/s) against a fast hash.

🔒 Your password never leaves this page

This is critical: the password you type is analysed entirely in your browser with JavaScript. It is never uploaded, transmitted, logged, stored or checked against any online list. Turn off your internet connection and the tool still works. Even so, avoid pasting a password you actively use on a shared or untrusted computer.

Reading the result

  • Entropy bits — higher is better. Under ~40 bits is weak; 60–80 is strong; 100+ is excellent.
  • Crack time — a comparison aid, not a promise. Real attackers may be faster or slower, and a password found in a breach list can fall instantly regardless of entropy.
  • Pattern flags — very common passwords and simple sequences are called out, because attackers try those first no matter how the maths looks.

This checker measures a password you already have; to make new ones, use our Secure Password Generator. If you are interested in how sites track you beyond passwords, our browser fingerprinting guide and the piece on whether an IP address is personal data are good next reads.

Frequently asked questions

Is my password sent anywhere when I check it?

No — never. The password you type is evaluated entirely in JavaScript inside your own browser. It is not uploaded, not logged, not stored, and not compared against any online list. You can disconnect from the internet and the checker still works. Nothing you type ever leaves this page.

What is password entropy?

Entropy measures unpredictability in bits. It is estimated as length multiplied by the base-2 logarithm of the character-set size. Each extra bit doubles the number of guesses an attacker needs, so an 80-bit password is astronomically harder to crack than a 40-bit one.

How is the crack time calculated?

We assume a fast offline attacker making 10 billion guesses per second (1×1010/s) — a reasonable figure for cracking a leaked password hash on modern hardware. Time-to-crack is roughly half the total number of possible combinations divided by that rate. It is an estimate for comparison, not a guarantee.

Does a longer password beat a complex one?

Usually, yes. Because entropy grows with length, a long passphrase of ordinary words can outperform a short string of mixed symbols. Adding character variety helps, but length is the most reliable way to push entropy up. A unique 16+ character password per site is a strong baseline.

Want the theory? Read the guides → · Visit the zoo →