Password Strength Tester

See how long a real attacker would take to crack your password — across four realistic scenarios.

0 characters
0.0 bits · 0 guesses (avg)

How long until cracked?

Online · throttled
~100 attempts/hour
Online · unthrottled
~10 attempts/second
Offline · slow hash
~10,000/second (bcrypt)
Offline · fast hash
~10 billion/second (MD5 GPU)

Detected patterns

  • Type a password above to begin analysis.

Suggestions

  • Suggestions appear once you start typing.

Your password never leaves this device — all analysis is in your browser.

What is this password strength tester?

This free, browser-only tool measures the real strength of a password by combining character-pool entropy with pattern detection (common-password lists, sequences, repeats, dates, keyboard runs and dictionary words), then projects realistic crack-times against four attacker scenarios.

How strong is my password really?

Type or paste a password and the tester shows its effective entropy, four crack-time estimates and exactly which patterns weaken it — all locally in your browser.

Key features

Four-scenario crack-time
See how long an online throttled, online unthrottled, offline bcrypt and offline MD5-GPU attack would take.
Pattern detection
Catches common passwords, sequences (1234, abc), keyboard runs (qwerty), repeats, years and date-like numbers.
Actionable suggestions
Tells you exactly what to add or remove to reach the next strength tier.
Private by design
Nothing is uploaded; the password lives only in the DOM and disappears on Clear.

How to use it

Type a password into the field. The strength label, entropy in bits and the four crack-time scenarios update live. The detected-patterns panel highlights weaknesses; the suggestions panel tells you what to fix.

Frequently asked questions

Is the password I type sent to a server?

No. The entire analysis runs in your browser. Nothing is uploaded, logged or saved to disk — closing the tab forgets the value.

What do the four attack scenarios mean?

They model realistic attacker capabilities: an online attack against a rate-limited login (100/hour), an online attack against an unprotected endpoint (10/second), an offline crack against a slow hash like bcrypt (10K/second), and an offline crack against a fast hash like MD5 or SHA-1 on modern GPUs (10 billion/second).

Why does the tool flag my password as weak when it has symbols?

Strength is not just about character variety. If the password is short, follows a common pattern (Password1!), contains a dictionary word, dates or keyboard runs, those patterns drastically reduce real-world entropy — even with a symbol thrown in.

Does it check breach databases?

It checks a built-in list of 2,000 most-common passwords from public breach compilations. For a full Have-I-Been-Pwned check, use the official k-anonymity API separately.

Penalty heuristics and rate assumptions are calibrated against the open-source zxcvbn estimator and current GPU benchmarks. Strength tiers map to NIST SP 800-63B guidance on memorized-secret entropy.