Password Strength Meter
Analyze password strength with entropy calculation, crack time, and visual feedback.
About Password Strength Meter
This tool analyzes your password strength in real-time using multiple criteria including length, character diversity, repeated characters, and sequential patterns. It calculates Shannon entropy (in bits) which measures the randomness of your password, and estimates crack time assuming 10 billion guesses per second (modern GPU attack speed). The checklist shows exactly which criteria your password meets and which need improvement. All analysis happens locally in your browser — your password is never transmitted anywhere.
How Password Strength Is Measured
Password strength is calculated using entropy — a measure of how unpredictable the password is. Entropy is calculated from the password's length and the size of the character set used. A password using only lowercase letters draws from a pool of 26 characters. Adding uppercase adds 26 more, numbers add 10, and symbols add around 32 — giving a pool of up to 94 characters. Every character you add multiplies the total combinations by the pool size.
Entropy is measured in bits. Each bit doubles the number of possible values. A password with 40 bits of entropy has about 1 trillion possible combinations. Modern GPUs can test billions of passwords per second, so 40 bits is no longer strong. Aim for at least 60–80 bits of entropy for important accounts.
Why Pattern-Based Passwords Are Weak
Common substitutions like replacing 'a' with '@', 'o' with '0', or 'e' with '3' are well known to password cracking tools. Dictionary-based attacks include these substitutions automatically. A password like P@ssw0rd! is not strong despite containing uppercase, lowercase, numbers, and symbols — it matches a pattern that is tested early in every modern attack.
True strength comes from randomness, not complexity rules. A randomly generated 16-character password is exponentially stronger than a memorable word with substitutions, even if the memorable password technically meets complexity requirements.
Estimated Crack Times Explained
The crack time estimates shown are based on an offline attack using modern GPU hardware capable of testing approximately 10 billion passwords per second — a realistic assumption for a motivated attacker with access to leaked password hashes. Online attacks against live login forms are much slower due to rate limiting, so even weaker passwords are relatively safe against online brute force, but not against database breaches.
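The calculation described in the sections above, as an added JavaScript example that is not the tool's own code: pool-size entropy, crack time at the page's 10 billion guesses per second, and a substitution check showing why P@ssw0rd! is weak despite its score. The function names, the three-word sample list, and the `$` and `1` substitutions are assumptions made for illustration.

```javascript
const GUESSES_PER_SECOND = 1e10; // the page's offline GPU assumption

// Character classes and pool sizes taken from the page (26 + 26 + 10 + ~32 = 94).
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 32 },
];

// Constructed sample wordlist (assumption); a real meter would use a far larger one.
const SAMPLE_WORDS = ["password", "welcome", "dragon"];
// '@', '0', '3' are the substitutions named on the page; '$' and '1' are assumptions.
const LEET = { "@": "a", "0": "o", "3": "e", "$": "s", "1": "l" };

function poolSize(pw) {
  return CLASSES.reduce((n, c) => (c.re.test(pw) ? n + c.size : n), 0);
}

// bits = length * log2(pool); only valid if every character was chosen at random.
function entropyBits(pw) {
  const pool = poolSize(pw);
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Worst-case seconds to exhaust the whole keyspace at the assumed guess rate.
function crackSeconds(bits) {
  return Math.pow(2, bits) / GUESSES_PER_SECOND;
}

// Undo the substitutions, strip trailing digits/symbols, then look the word up.
function matchesKnownPattern(pw) {
  const plain = pw.toLowerCase().replace(/[@03$1]/g, (ch) => LEET[ch]);
  const core = plain.replace(/[^a-z]+$/, "");
  return SAMPLE_WORDS.includes(core);
}

function analyze(pw) {
  const bits = entropyBits(pw);
  return {
    pool: poolSize(pw),
    bits: Math.round(bits * 10) / 10,
    seconds: crackSeconds(bits),
    patternBased: matchesKnownPattern(pw),
  };
}
```

`analyze("P@ssw0rd!")` reports a pool of 94 and about 59 bits, yet `patternBased` is true, so the entropy figure should be trusted only for randomly generated passwords. `crackSeconds(40)` comes to roughly 110 seconds, which is why 40 bits no longer counts as strong.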
Knowledge Base
The Password Strength Meter analyzes password strength with entropy calculation, estimated crack time, and visual feedback. It helps you create passwords that are truly resistant to brute-force and dictionary attacks.
1. Type or paste a password to analyze.
2. View the strength rating, entropy, and estimated crack time.
3. Follow the suggestions to improve your password strength.
Password analysis happens entirely in your browser — your password is never transmitted to any server or stored anywhere. The assessment is instant and completely private, making it safe to test even your most sensitive passwords.
How is password strength calculated?
The tool calculates entropy based on the character pool size and password length, then estimates crack time assuming a sophisticated attacker making billions of guesses per second. It also checks for common patterns.
Is my password sent to any server?
Absolutely not. All password analysis happens locally in your browser. Your password is never transmitted, stored, or logged anywhere. It's safe to test even your actual passwords.