Password Strength Checker

Measure password strength by entropy (bits) and offline crack time at modern GPU speeds. Runs entirely in your browser. Type or paste a password — characters are never transmitted, not even to count.

How to use the Password Strength Checker

Type any password. The tool computes the character set size (a-z, A-Z, 0-9, symbols — whichever you used), then entropy as length × log2(set size). The crack-time estimate assumes 1 trillion guesses per second — a reasonable upper bound for offline attacks against fast hashes (raw SHA-256). Against properly slow KDFs (bcrypt cost 12+, scrypt, Argon2id), the same password is 10,000-100,000× harder to crack.

Entropy, briefly

Password strength is measured in bits of entropy. Each bit doubles the number of guesses an attacker needs. Rough guideposts:

  • ≤ 40 bits: crackable in seconds. Don't use.
  • 40-60 bits: crackable in hours to weeks at modern GPU speeds. Marginal.
  • 60-80 bits: safe today against most attackers. Borderline as hardware improves.
  • 80-100 bits: safe against well-resourced attackers for several years.
  • 100+ bits: safe at any realistic attacker budget through the lifetime of the secret.

For machine credentials (API keys, service passwords): aim for 128 bits of entropy — typically a 22+ character random password from a 95-character alphabet. For human passwords protected by 2FA and a sensible KDF: 60+ bits suffices.

The tool only measures the password's information content, not what kind of attack it'll face. A 60-bit password protecting a bcrypt-hashed account is safe; the same 60-bit password protecting a raw-SHA-256-hashed account is in trouble.
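The calculation described above, as an added example that is not the tool's own code: entropy from length and character classes, then crack time at 1 trillion guesses per second against a fast hash and with a 10,000× slow-KDF factor. The function names, the 33-character symbol class (95 printable ASCII minus 62 alphanumerics), the full-keyspace search time and the sample passwords are assumptions made for this example.

```javascript
// Added example (not the tool's own code). Assumptions: ASCII classes only,
// symbol class = 33 (95 printable ASCII minus 62 alphanumerics), and the
// time reported is for searching the full keyspace.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 },
];

// Sum the sizes of every character class that appears in the password.
function charsetSize(pw) {
  return CLASSES.reduce((n, c) => n + (c.re.test(pw) ? c.size : 0), 0);
}

// entropy = length × log2(set size); length is counted in code points.
function entropyBits(pw) {
  const size = charsetSize(pw);
  return size === 0 ? 0 : [...pw].length * Math.log2(size);
}

// Seconds to try 2^bits candidates; `slowdown` models a slow KDF's cost factor.
function crackSeconds(bits, rate = 1e12, slowdown = 1) {
  return (Math.pow(2, bits) / rate) * slowdown;
}

function humanize(sec) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, s] of units) {
    if (sec >= s) return `${(sec / s).toPrecision(3)} ${name}`;
  }
  return `${sec.toPrecision(3)} seconds`;
}

// Constructed sample inputs: a common pattern and a 22-character random string.
for (const pw of ["Password123!", "t9#Lq2vX!f7Rz@4mBw8$Yc"]) {
  const bits = entropyBits(pw);
  console.log(`${pw}: ${bits.toFixed(1)} bits;`,
    `fast hash: ${humanize(crackSeconds(bits))};`,
    `slow KDF (x10,000): ${humanize(crackSeconds(bits, 1e12, 1e4))}`);
}
```

Both results depend only on length and the character classes present, so the figure matches real guessing resistance only when the characters were chosen at random.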

Common use cases

  • Sanity-checking a generated password before saving to a manager.
  • Teaching: showing the gap between common patterns (Password123!) and actual random strings.
  • Comparing a passphrase vs a random string at the same length.