Password Strength Checker

About This Tool

This tool analyses your password in real time and gives it an instant strength rating. Type any password — but never enter a real one you actually use — and the meter updates as you type. No data is stored or transmitted; everything runs locally in your browser.

A password like password123 looks passable but appears in every leaked database on the internet. It would be cracked in under a second by any modern attack tool. This checker helps you understand why a password is weak, not just tell you that it is.

What Makes a Password Strong?

• Length — aim for at least 12 characters; 16+ is excellent. Every extra character multiplies the difficulty exponentially.
• Character variety — mix uppercase (A–Z), lowercase (a–z), numbers (0–9), and symbols (!, @, #, $).
• Unpredictability — avoid names, dates, keyboard patterns (qwerty, asdf), and common substitutions (p@ssw0rd).
• No dictionary words — attackers run dictionary attacks first; even obscure words are risky on their own.
• Uniqueness — every account should have its own password; reuse means one breach exposes everything.

What This Tool Checks

• Password length (scored at 8, 12, and 16+ characters)
• Presence of uppercase letters, lowercase letters, numbers, and symbols
• Common passwords and dictionary words (password, 123456, qwerty, etc.)
• Repeated characters (aaa, 111) and sequential runs (123, abc)

Frequently Asked Questions

Is my password stored or logged?

No. All analysis runs entirely in your browser — your password is never sent to any server, stored, or logged. You should still avoid typing real passwords into any third-party tool as a general habit; use a made-up password to test the strength criteria, then apply the same rules to your real one.

How is password strength calculated?

The tool scores your password across several dimensions: total length (with bonus points at 8, 12, and 16+ characters), presence of uppercase letters, lowercase letters, numbers, and special characters, and penalties for common words, sequential runs (123, abc), and repeated characters (aaa). The final score maps to one of five labels: Very Weak, Weak, Moderate, Strong, or Very Strong.

What is password entropy?

Entropy measures the unpredictability of a password in bits. A password drawn from a pool of 26 lowercase letters has ≈4.7 bits of entropy per character; adding uppercase, digits, and 32 symbols raises the pool to 94 characters and ≈6.5 bits per character. A 16-character fully random password from that pool gives ≈104 bits of entropy — computationally infeasible to brute-force with current hardware.

How long should my password be?

NIST guidelines (SP 800-63B) recommend a minimum of 8 characters for user-chosen passwords, but 12–16 is a practical minimum for anything sensitive. For high-value accounts (email, banking, password manager master password) aim for 20+ fully random characters. Length has the biggest single impact on crack resistance.

Should I use a password manager?

Yes — strongly recommended. A password manager (such as Bitwarden, 1Password, or KeePass) generates and stores a unique, fully random password for every site. You only need to remember one strong master password. This eliminates password reuse — the single biggest cause of account takeovers after phishing.

What makes a password "Very Strong"?

A Very Strong password is 16+ characters long, uses all four character types (uppercase, lowercase, numbers, symbols), contains no dictionary words or recognisable patterns, and is unique to a single account. Ideally it is generated randomly by a password manager rather than chosen by a human — humans are predictably bad at choosing truly random strings.