SECURITY TOOL

Password Strength Checker

Analyze password strength with detailed entropy calculations, crack time estimates, and actionable improvement suggestions. Everything runs locally in your browser.

Your password is never sent to any server. All analysis happens locally in your browser.


How Attackers Actually Crack Passwords

Online vs. Offline Attacks

Online attacks target login forms directly and are limited by rate limiting, CAPTCHAs, and account lockouts, typically 10–1,000 guesses per second. Offline attacks occur when an attacker obtains a leaked password hash database and can guess without the server being involved at all. With modern GPUs, an attacker can test hundreds of billions of hashes per second against fast algorithms like MD5, but only thousands per second per GPU against a deliberately slow algorithm like bcrypt at a typical cost factor. This is why the same password can be "safe for centuries" online but crackable in hours offline.

How We Calculate Entropy

H = L × log2(N)

Our checker computes the theoretical charset size N from the character types present: lowercase (+26), uppercase (+26), digits (+10), symbols (+32). Each character then contributes log2(N) bits, and multiplying by the length L gives the raw entropy. We then apply penalties for detectable patterns: repeating characters (e.g., "aaa") reduce effective entropy, sequential runs ("abc", "123") indicate predictability, and common password prefixes ("password", "admin") dramatically lower the score because attackers try these first.

The Attack Hierarchy

Attackers don't brute-force randomly. They follow a hierarchy: 1) Common passwords (top 10,000 list, under 1 second). 2) Dictionary words with common substitutions ("p@ssw0rd", under 1 minute). 3) Hybrid attacks combining words and numbers ("monkey2024", under 1 hour). 4) Full brute-force (last resort, time depends entirely on entropy). Our checker flags passwords vulnerable to steps 1–3 with specific suggestions, not just a generic "weak" label.
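As an added example (not the checker's own source code), the following JavaScript implements the entropy formula and pattern penalties from the two sections above and labels each finding by the step of the attack hierarchy it corresponds to. The COMMON_BASES list is a constructed stand-in for a real breach-derived top-10,000 list, and the penalty weights are assumptions chosen for illustration: a matched common base is credited log2(10,000) bits in total rather than per-character entropy, and characters inside a repeat or sequential run beyond the first are credited 1 bit each.

```javascript
// Added example: entropy with pattern penalties, modelled on the description
// above. Not the page's own checker code; weights are illustrative assumptions.
const CHARSETS = [
  [/[a-z]/, 26],
  [/[A-Z]/, 26],
  [/[0-9]/, 10],
  [/[^a-zA-Z0-9]/, 32], // assumed: roughly 32 printable ASCII symbols
];

// Constructed stand-in for a breach-derived "top 10,000" list.
const COMMON_BASES = ["password", "admin", "qwerty", "letmein", "monkey", "iloveyou", "123456"];
const COMMON_LIST_SIZE = 10000; // one guess among 10,000 is worth log2(10000) ≈ 13.3 bits

// Reverse common leetspeak substitutions so "p@ssw0rd" is recognised as "password".
const UNLEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };

function charsetSize(pw) {
  return CHARSETS.reduce((n, [re, size]) => (re.test(pw) ? n + size : n), 0);
}

// H = L × log2(N): raw entropy before any pattern penalties.
function rawEntropy(pw) {
  const n = charsetSize(pw);
  return n === 0 ? 0 : pw.length * Math.log2(n);
}

// Length of the run starting at index i in which each code point differs from
// the previous one by `delta` (0 = repeat, +1/-1 = ascending/descending sequence).
function runLength(s, i, delta) {
  let len = 1;
  while (i + len < s.length && s.charCodeAt(i + len) - s.charCodeAt(i + len - 1) === delta) len++;
  return len;
}

function analyze(pw) {
  const bitsPerChar = pw.length ? Math.log2(charsetSize(pw)) : 0;
  const lower = pw.toLowerCase();
  const unleet = [...lower].map((c) => UNLEET[c] ?? c).join("");
  const findings = [];
  // Every character starts at full credit; penalties only ever lower it.
  const credit = new Array(pw.length).fill(bitsPerChar);

  // Hierarchy steps 1–3: a common base, possibly leet-substituted, possibly with a numeric suffix.
  const base = COMMON_BASES.find((b) => lower.startsWith(b) || unleet.startsWith(b));
  if (base) {
    for (let i = 0; i < base.length; i++) credit[i] = Math.log2(COMMON_LIST_SIZE) / base.length;
    const rest = pw.slice(base.length);
    if (rest.length === 0) findings.push("common password");
    else if (/^\d+$/.test(rest)) findings.push("common word + digits (hybrid)");
    else findings.push("common base with suffix");
  }

  // Repeats ("aaa") and sequential runs ("abc", "321"): after the first
  // character of a run, each further character is credited only 1 bit.
  for (let i = 0; i < pw.length; ) {
    let len = 1;
    for (const [delta, label] of [[0, "repeat"], [1, "sequence"], [-1, "sequence"]]) {
      len = runLength(lower, i, delta);
      if (len >= 3) {
        findings.push(`${label}: ${pw.slice(i, i + len)}`);
        for (let j = i + 1; j < i + len; j++) credit[j] = Math.min(credit[j], 1);
        break;
      }
      len = 1;
    }
    i += len;
  }

  const effective = credit.reduce((sum, b) => sum + b, 0);
  return { raw: rawEntropy(pw), effective, findings };
}
```

Running analyze("p@ssw0rd") reports a raw entropy near 49 bits (eight characters drawn from a 68-symbol alphabet) but an effective entropy of about 13 bits, because after reversing the substitutions it is one entry in a 10,000-word list; that gap between raw and effective entropy is exactly what the hierarchy is about.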

Beyond Entropy: Defense in Depth

A strong password is necessary but not sufficient. Enable two-factor authentication (2FA), so that a compromised password alone is not enough to log in. Use a password manager so every account gets a unique, maximum-entropy password. Monitor for breaches via services like Have I Been Pwned. The goal is not just a strong password but a security posture where no single failure is catastrophic.

Frequently Asked Questions

Why do online and offline crack times differ so dramatically?

Online attacks are throttled by the server (account lockouts, rate limits, CAPTCHAs), typically allowing 10–1,000 attempts per second. Offline attacks run against stolen hash files with no server involvement — a single RTX 4090 GPU can compute 164 billion MD5 hashes per second. The difference between these scenarios can be 8+ orders of magnitude, which is why the same password shows wildly different crack times.

Does the hashing algorithm used by the service matter?

Enormously. Fast algorithms like MD5 or SHA-1 can be cracked at billions of hashes per second. Modern password-specific algorithms like bcrypt, scrypt, or Argon2 are deliberately slow; bcrypt at cost factor 12 limits attacks to roughly 3,000 hashes per second per GPU, and every increment of the cost factor halves that again. Our estimates use a general-purpose fast-hash rate. If a service uses bcrypt/Argon2 with a sensible cost, your actual offline protection is orders of magnitude better than shown, but since you usually cannot know which algorithm a service uses, treat the fast-hash estimate as the worst case.
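To make the two FAQ answers above concrete, here is an added example (not the page's own code) that turns an entropy figure into expected crack times at the guess rates the text quotes: a throttled online endpoint, MD5 on a single RTX 4090, and bcrypt at cost 12. The 100 guesses/s online rate is an assumed mid-point of the 10–1,000 range, and bcryptRate() extrapolates from the quoted 3,000/s by assuming the rate halves with every +1 to the cost factor.

```javascript
// Added example: crack-time estimates from entropy bits at the guess rates the
// text quotes. Not the page's own code; the rates are taken from the text and
// bcrypt is assumed to scale ideally with its cost factor.
const GUESS_RATES = {
  "online, throttled": 100,               // page quotes 10–1,000/s; 100/s assumed
  "offline MD5, one RTX 4090": 164e9,     // figure quoted in the FAQ
  "offline bcrypt cost 12, one GPU": 3e3, // figure quoted in the FAQ
};

// Each +1 to the bcrypt cost factor doubles the work per hash, so the guess
// rate halves. Extrapolated from ~3,000/s at cost 12 (an assumption).
function bcryptRate(cost, rateAtCost12 = 3e3) {
  return rateAtCost12 * 2 ** (12 - cost);
}

// Expected time to find a uniformly random secret of `bits` entropy:
// on average half the keyspace (2^(bits-1) guesses) has to be tried.
function expectedSeconds(bits, guessesPerSecond) {
  return 2 ** (bits - 1) / guessesPerSecond;
}

const UNITS = [
  ["century", "centuries", 100 * 365.25 * 86400],
  ["year", "years", 365.25 * 86400],
  ["day", "days", 86400],
  ["hour", "hours", 3600],
  ["minute", "minutes", 60],
  ["second", "seconds", 1],
];

// Coarse human-readable duration, rounded to the largest unit that fits.
function humanize(seconds) {
  if (seconds < 1) return "under a second";
  for (const [one, many, size] of UNITS) {
    if (seconds >= size) {
      const n = Math.round(seconds / size);
      return `${n} ${n === 1 ? one : many}`;
    }
  }
}

// The same entropy under every scenario: this is the table behind the
// "safe for centuries online, hours offline" point.
function crackTimes(bits, rates = GUESS_RATES) {
  return Object.fromEntries(
    Object.entries(rates).map(([name, rate]) => [name, humanize(expectedSeconds(bits, rate))])
  );
}
```

For a 40-bit password, crackTimes(40) gives about two centuries online, six years against bcrypt at cost 12 on one GPU, and three seconds against MD5 on one GPU; the spread between the first and last figure is the eight-plus orders of magnitude described above.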

My password scored “Weak” but it's 12 characters. Why?

Length alone doesn't guarantee strength. Our checker detects patterns that dramatically reduce effective entropy: common password bases (“password123!”), keyboard walks (“qwertyuiop”), repeated characters (“aaabbbccc”), and sequential runs (“abcdef123456”). These patterns appear in attacker wordlists and are tried within the first minutes of any attack, regardless of length.