Password Strength Checker & Entropy Analyzer

• Rates password strength from very weak to very strong
• Calculates entropy (bits) — 80+ bits is considered strong
• Estimates time to crack using brute force at various speeds
• Detects common patterns: keyboard walks, repeated characters, dictionary words
• All analysis runs locally — your password is never sent to any server

Use Cases

Frequently Asked Questions

How many bits of entropy is considered a strong password?

60+ bits is good for most online accounts. 80+ bits is strong for sensitive accounts. 100+ bits is very strong. For reference, a random 12-character alphanumeric password has ~71 bits of entropy.

Is a complex short password better than a long simple one?

No. Length is more important than complexity. 'correct-horse-battery-staple' (28 chars, lowercase only) is far stronger than 'P@ss1!' (6 chars, all character types) because it has exponentially more combinations.

Why is 'P@ssw0rd1!' rated as weak?

It follows the most common password pattern: capitalize first letter, substitute @ for a, 0 for o, add a number and symbol at the end. Attackers check these l33t speak substitutions first in dictionary attacks.

Is my password sent to a server for checking?

No. All password analysis runs entirely in your browser using JavaScript. Your password never leaves your device and is not stored anywhere.

Should I use a password manager instead of memorizing passwords?

Yes. Use a password manager (1Password, Bitwarden, KeePass) to generate and store unique random passwords for every account. Memorize only your master password — make it a strong passphrase.

How often should I change my passwords?

NIST 2024 guidelines recommend against forced periodic password changes. Change passwords only when you suspect compromise, a service reports a breach, or you find password reuse across accounts.