Security

Password strength checker

Type a password and we show you its entropy in bits, how strong it is, the estimated time to crack it and a checklist of improvements. Everything runs in your browser — nothing is sent.

Instant🔒In your browserNo signup
Live

🔒 Everything is computed in your browser. Nothing is sent to any server.

Type something to begin

What entropy is and why it is measured in bits

Entropy is the mathematical way of stating how unpredictable your password is. It is measured in bits: each additional bit doubles the number of combinations an attacker would have to try. The formula we use is length × log₂(alphabet size), where the alphabet size sums the character classes present: lowercase contributes 26, uppercase another 26, digits 10 and common symbols 33. So a 12-character password mixing lowercase, uppercase and digits uses an alphabet of 62 and has about 71.5 bits of entropy.

Why length beats complexity

This is the most important and the most misunderstood concept. Entropy grows linearly with length but only logarithmically with alphabet size. In plain terms: adding one more character multiplies the search space by the whole alphabet, while adding a class of exotic symbols only adds a handful of bits. A 16-character all-lowercase password (about 75 bits) is stronger than an 8-character one with symbols, uppercase and numbers (about 52 bits). That is why the modern recommendation is length first, variety second.

Passphrases

The most practical way to have a long password a human can remember is a phrase made of several random words. Four or five unrelated words (like "correct-horse-battery-staple") comfortably clear 60 bits and are far easier to memorize than a jumble of symbols. The key is that the words are genuinely random — not a famous phrase or a quote: a dictionary of set phrases cracks those quickly.

Password managers

If you have to remember dozens of keys, sooner or later you will reuse one, and that is the most costly security mistake: when a site is breached, the attacker tries your key everywhere else. A password manager solves this by generating a unique, long, random password for each site and storing it encrypted. You only memorize one strong master password. It is the biggest security improvement you can make for the least effort.

How we estimate crack time

We assume an offline attacker who has already obtained your password hash and can try about 10 billion (10¹⁰) combinations per second — a realistic speed for modern GPUs against fast hashes. We divide half the combination space (the average needed to find the key) by that speed. The result is an order-of-magnitude estimate: it tells you whether your password falls in seconds, in years or in centuries, not an exact clock. Against a slow, well-salted hash (like bcrypt or Argon2), the real time would be vastly longer.

Reference: entropy and crack time

Approximate bands assuming 10¹⁰ guesses per second offline. Time is the average needed to find the key.

EntropyRatingEstimated crack time
< 28 bitsVery weakInstant
28 – 35 bitsWeakSeconds to minutes
36 – 59 bitsFairMinutes to years
60 – 127 bitsStrongCenturies or more
≥ 128 bitsVery strongPractically unbreakable

FAQ

What is password entropy?

A measure in bits of how unpredictable it is. Calculated as length × log2(alphabet size), summing the character classes present (lowercase 26, uppercase 26, digits 10, symbols 33). More bits, more possible combinations.

How many bits are safe?

Under 28 very weak, up to 36 weak, up to 60 fair, up to 128 strong, 128 or more very strong. Aim for at least 60 bits for important accounts.

Why does length beat exotic symbols?

Because entropy grows linearly with length and only logarithmically with the alphabet. Adding a character multiplies combinations by the whole alphabet; adding a class barely adds bits.

How is crack time estimated?

Assuming an offline attacker trying ~10^10 combinations per second, dividing half the space by that speed. It is an order-of-magnitude estimate.

Is my password sent to a server?

No. All analysis happens in your browser; the password never leaves your device and is never stored.

What is a common password?

Keys from breach lists like "123456" or "qwerty". An attacker tries them first with a dictionary, so theoretical entropy does not protect you.

Should I use a passphrase or a manager?

Both. A passphrase of 4-5 random words clears 60 bits and is easy to recall; a manager generates unique keys per site so you never reuse the same one.

Was this generator useful?