ToolSec

Password Strength & Entropy Checker

Measure a password's entropy in bits and estimate how long it would take to crack.

Updated: June 26, 2026

Nothing is sent anywhere — analysis happens entirely in your browser.

How strong is your password, really?

This checker estimates the strength of a password by computing its entropy: a measure, in bits, of how unpredictable it is. It detects which character classes you used (lowercase, uppercase, digits, symbols), derives the size of the resulting character pool, and multiplies the base-2 logarithm of that pool size by the password's length to estimate the bits of entropy. From there it projects roughly how long an offline attacker would need to crack it. Everything runs locally; your password is never sent anywhere.

Reading the results

  • Entropy (bits) — higher is better. Under ~36 bits is weak; 60–80 is reasonable; 100+ is strong; 128+ is effectively uncrackable by brute force.
  • Charset size — the number of distinct characters available based on what you used. More classes means a bigger pool per character.
  • Crack time — an estimate assuming a fast offline attacker making about 10 billion guesses per second against a stolen hash database.

Why entropy, not "rules"?

Old-school password rules ("must contain a number and a symbol") are a weak proxy for security. P@ssw0rd1 satisfies most rules yet is trivially guessed, while correct horse battery staple breaks the symbol rule but is far stronger. Entropy captures what actually matters: how large the space of possibilities is. That said, raw entropy assumes a random password — a dictionary word with predictable substitutions has far less effective entropy than its character count suggests, because attackers try those patterns first.

A note on the limits of this estimate

This tool uses the standard length × log₂(pool) model, which is a good indicator for random passwords like those from a generator. It does not detect dictionary words, keyboard walks ("qwerty"), repeats, or personal information — real attackers exploit all of these. So treat a high score as necessary but not sufficient: a 20-character string of random output is strong; a 20-character sentence you'd find online is not, even if the bit count looks similar.
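
The length × log₂(pool) model and its blind spot, as an added example (this is not ToolSec's own code). The per-class pool sizes (26, 26, 10, 33) and the choice to report the time to exhaust the full search space are assumptions; the 10 billion guesses per second rate is the figure given above.

```javascript
// Added example, not ToolSec's code. Pool sizes per class are assumptions
// (printable ASCII); the page does not list the values its checker uses.
const CLASSES = [
  { name: "lowercase", re: /[a-z]/, size: 26 },
  { name: "uppercase", re: /[A-Z]/, size: 26 },
  { name: "digits", re: /[0-9]/, size: 10 },
  // 32 ASCII punctuation marks + space; non-ASCII input also lands here,
  // so its pool is underestimated.
  { name: "symbols", re: /[^a-zA-Z0-9]/, size: 33 },
];
const GUESSES_PER_SECOND = 1e10; // the page's offline-attacker rate

function estimate(password) {
  const length = Array.from(password).length; // code points, not UTF-16 units
  if (length === 0) return { classes: [], pool: 0, bits: 0, seconds: 0 };
  const used = CLASSES.filter((c) => c.re.test(password));
  const pool = used.reduce((sum, c) => sum + c.size, 0);
  const bits = length * Math.log2(pool); // length × log2(pool)
  // Assumption: time to exhaust the whole search space (worst case).
  const seconds = Math.pow(2, bits) / GUESSES_PER_SECOND;
  return { classes: used.map((c) => c.name), pool, bits, seconds };
}

function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [label, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${label}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// The passwords the page itself mentions. The model sees only classes and
// length, so the dictionary-based ones are rated far above their real strength.
for (const pw of ["qwerty", "P@ssw0rd1", "correct horse battery staple"]) {
  const r = estimate(pw);
  console.log(`${pw.padEnd(30)} pool=${String(r.pool).padEnd(3)} ` +
    `bits=${r.bits.toFixed(1).padStart(6)}  crack=${humanize(r.seconds)}`);
}
```

Under these assumptions the model rates P@ssw0rd1 at about 59 bits and the four-word passphrase at about 165 bits, and neither figure accounts for the dictionary and pattern guessing described above.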

Make a strong one

If your password scores poorly, generate a fresh one with our password generator, which produces genuinely random output that this checker will rate highly. For storing passwords on a server, hash them with bcrypt rather than keeping them readable.

Frequently asked questions

Is it safe to type my real password here?

Yes. The analysis runs entirely in your browser with JavaScript. Your password is never transmitted, logged or stored. You can confirm this in your browser's Network tab.

What is a good entropy in bits?

Aim for at least 60–80 bits for everyday accounts and 100+ bits for important ones. Above 128 bits, brute-forcing is computationally infeasible.

Why does my passphrase score lower than I expected?

The estimate is based on character classes and length. A passphrase of real words has high length but lower effective randomness, because attackers guess common words first. Random output of the same length scores and resists attacks better.

Does a longer password always beat a complex short one?

Usually yes. Each extra character multiplies the search space, so length adds entropy faster than adding a single symbol to a short password.

Tools that improve password hygiene

Once you know a password is weak, these help you fix the root cause:

  • Password manager: Audit weak and reused passwords across all your accounts and replace them with strong unique ones.
  • Breach monitoring service: Get alerted when your credentials appear in a known data breach so you can rotate them quickly.
