Skip to content
TextArray
100% local

Password strength checker

Estimate password entropy, crack time and concrete weaknesses — locally, in your browser.

Input
Output

Password strength checker

Type or paste a password — or several at once, one per line — and get an instant strength report. For each password you see a verdict from very weak to very strong, the estimated entropy in bits, the size of the character set it actually draws from, its length, and how long an offline attacker guessing ten billion passwords per second would need to search the whole keyspace.

Instead of a bare score, the checker names concrete weaknesses. It flags passwords built only from lowercase letters, missing digits or symbols, common passwords and keyboard walks such as qwerty or asdf, repeated characters like aaa, sequences such as abc or 123, and the classic year tacked onto the end. Every detected pattern lowers the entropy estimate, because real attackers try exactly these shortcuts long before brute force.

Turn off Show details for a compact one-line summary per password — useful when you are comparing candidates or auditing a whole list at once. The tally under the output counts the passwords checked and shows their average entropy, updating live as you type.

Typing a password into a website normally feels wrong, and the instinct is a healthy one. Here the analysis runs entirely in your browser: the page makes no network requests, nothing is logged or stored, and the password never leaves your device — you can verify that in your browser's developer tools. If something scores weak, open the password generator next door and create a stronger replacement in one click.

FAQ

How is the strength calculated?
As an entropy estimate: length × log2 of the character set the password actually uses, minus flat penalties for detected patterns such as common passwords, keyboard walks, repeats, sequences and year suffixes. It is a quick, honest approximation — not a full cracking model like zxcvbn — so treat the bits as a guide, not a guarantee.
What does the crack time mean?
The time to try every combination at 10 billion guesses per second — a realistic rate for an offline attack on a leaked database of fast hashes. Online login forms are rate-limited and far slower, while slow hashes like bcrypt stretch the time considerably. Read it as an order of magnitude, not a countdown.
What actually makes a password strong?
Length, above all. Four or more random words, or 16+ random characters, beat a short password with clever substitutions. Avoid names, years, keyboard patterns and anything you have used elsewhere — and let a password manager remember the result.
Is my password sent anywhere?
No. The check runs entirely in your browser — the page makes no network requests, and nothing you type is uploaded, logged or stored. The password never leaves your device.