Password Strength Checker
Test how strong a password is, see its entropy and estimated crack time, and get plain-English weaknesses — all in your browser.
The Password Strength Checker analyzes your password entirely in your browser. Whatever you type into the field stays on your device — it is never uploaded, logged, or sent to ArrayKit.
Open the Password Generator
About Password Strength Checker
The Password Strength Checker measures how hard a password would be to guess and explains why. Type or paste one and it computes a 0-4 strength score, estimated entropy in bits, and a rough offline crack time, then breaks down which character classes you used — lowercase, uppercase, digits, and symbols. It also flags concrete weaknesses: passwords that are too short, use only one character type, match a very common or breached password, or contain repeated characters, sequential runs like abcd, or keyboard walks like qwerty. A masked field with a reveal toggle keeps your password hidden while you work. It is built for anyone hardening an account or a signup form. Every calculation runs on your device — the password never leaves the browser.
Features
- Scores any password from 0 (very weak) to 4 (very strong) as you type
- Estimates entropy in bits from the character pool and length
- Shows a rough offline crack-time estimate in plain language
- Breaks down composition: lowercase, uppercase, digits, and symbols used
- Flags too-short passwords and single-character-class passwords
- Detects common or breached passwords, repeats, sequences, and keyboard patterns
- Masked input with a reveal toggle so the password stays hidden
- Runs entirely in your browser — the password is never uploaded
How to use the Password Strength Checker
- Type or paste the password into the masked field
- Read the strength score, entropy in bits, and estimated crack time
- Use Reveal to confirm you typed the password correctly
- Fix each weakness listed under "What we found" and re-check
Example
Input
password
Output
Score 0 / Very weak · flagged: very common password · crack time: instantly
"password" is on every breach list, so it falls to a dictionary attack immediately.
Common errors & troubleshooting
- A long password still scores low. — Length alone is not enough. Check the "What we found" list — a common word, a keyboard walk like qwerty, or a repeated run can hold the score down. Mix character types and avoid predictable patterns.
- The entropy looks high but the score is capped. — Entropy assumes random characters. If the password matches a common one or uses a single character class, the score is deliberately lowered because a real attacker would not brute-force it blindly.
- The crack time seems too optimistic or too pessimistic. — It is a rough estimate assuming a fast offline attack at about 10 billion guesses per second against a weak hash. Slow, salted hashes like bcrypt take far longer; a leaked plaintext takes none.
Frequently asked questions
- How does the Password Strength Checker score a password?
- It combines the estimated entropy from your password's length and character pool with penalties for structural weaknesses — common passwords, single character classes, repeats, sequences, and keyboard walks — to produce a 0-4 score and a one-word verdict.
- What does the entropy in bits actually mean here?
- Entropy in bits is roughly log2 of the number of guesses needed to brute-force the password: length times log2 of the character pool. More bits means exponentially more possibilities, so 60+ bits is meaningfully stronger than 30.
- How is the crack-time estimate calculated?
- It divides the average number of guesses (half the search space implied by the entropy) by an assumed attacker speed of about 10 billion guesses per second, then rounds to a readable unit like hours, years, or centuries.
- Which weak patterns does this password checker detect?
- It flags passwords that are too short, use only one character type, match a small embedded list of very common passwords, or contain repeated runs, ascending or descending sequences like abcd, and straight keyboard walks like qwerty or asdf.
- Is it safe to type a real password into this checker?
- The analysis happens entirely in your browser and the password is never sent anywhere, so it is safe to test. Still, as a general habit, avoid pasting a live production password into any web page you do not fully trust.
- Does a high score here guarantee my account is secure?
- No. A strong score means the password itself is hard to guess, but account security also depends on unique passwords per site, breach exposure, and two-factor authentication. Treat the score as guidance, not a guarantee.
Related tools
- Password Generator — Generate strong, random passwords with a strength meter (crypto-secure).
- Hash Generator — SHA-256 / SHA-1 / SHA-384 / SHA-512 via the Web Crypto API.
- Bcrypt Generator — Hash a password with bcrypt and verify a password against a bcrypt hash, in your browser.
- TOTP / 2FA Generator — Generate time-based one-time passwords (2FA codes) from a base32 secret.
- UUID Generator — Generate one or many random UUID v4 values.
- HMAC Generator — Generate an HMAC (SHA-256, SHA-1, SHA-512) from a message and secret key using Web Crypto.
All ArrayKit tools