Password Strength Checker
See how strong your password really is. Entropy, character composition, common-password penalties, breach-database lookup (anonymized), and an estimated time-to-crack — all computed inside your browser.
How the Score Works
This tool computes a composite score from four signals: character pool size, length, common-password penalty, and pattern detection (sequential, repeated, keyboard walks). Together they produce an entropy estimate in bits.
scoring bands:
< 28 bits → very weak (cracked in minutes)
28–35 → weak (cracked in hours)
36–59 → moderate (days–months)
60–127 → strong (years–centuries)
≥ 128 → excellent (effectively uncrackable)
Frequently Asked Questions
Does this tool send my password anywhere?
No. Entropy scoring and crack-time estimation run entirely in your browser. The breach check uses k-anonymity — only the first 5 characters of the SHA-1 hash leave your device, never the password itself.
What is k-anonymity?
We hash your password locally with SHA-1, then send only the first 5 hex characters to the Have I Been Pwned public API. The API returns hundreds of partial matches; we filter them in your browser. Your actual password never leaves your device.
What makes a strong password?
Length matters more than complexity. A 16-character random passphrase beats an 8-character symbol soup. Aim for 60+ bits of entropy — roughly 12+ random characters or 4+ random words.