Zero Snippet

Password strength meter online — entropy in bits, crack-time brackets, and practical hardening guidance

Use this free password strength checker to estimate information entropy from your passphrase length and character mix, then compare illustrative crack times for throttled online logins versus fast offline guessing. The meter flags keyboard walks, sequential digits, repeats, and a handful of extremely common passwords so you can iterate before you commit a secret to a password manager. Type directly in the box, use Upload .txt (upload icon) to pull the first non-empty line from a local UTF-8 file, and click Copy report (copy icon) to grab a plaintext summary for tickets or runbooks. All scoring runs in your browser. When you need a fresh random secret, open the password generator or explore more utilities under security and encryption tools on the home page.

Password strength meter

Type a candidate password or load the first line from a UTF-8 text file. Everything runs locally—nothing is sent to our servers.

StrengthEnter a password
Charset size (approx.)
Entropy (adjusted bits)

Crack time (rough)

Modeled as brute-force guesses divided by three attack speeds. Real attacks often start with dictionaries and leaks.

  • Throttled online (~1k/s)
  • Fast offline (~1e9/s)
  • Extreme (~1e12/s)

Why measure password strength with entropy and crack-time brackets?

Developers and security teams still need a quick way to explain why “P@ssw0rd!” is weaker than it looks. This page targets searches like password entropy calculator, check password strength online, and how long to crack my password with transparent math: we derive an approximate charset size from the character classes you actually use, multiply by length to estimate bits, then translate bits into guessed hashes divided by three attacker throughput levels. The result is not a guarantee—real breaches combine dictionary attacks, credential stuffing, and phishing—but it is a consistent teaching tool for RFCs, internal policies, and onboarding docs.

Pair this meter with storage-side protections: slow password hashes, unique salts, and rate limits on authentication endpoints. When you prototype how expensive verification should be, the hash generator helps compare digests for test vectors, and the catalog's security section lists bcrypt, AES, RSA, JWT, and header helpers as they ship—useful when you wire policies end to end.

How to use this password strength meter (step by step)

  1. Enter a candidate in the password field. Use the eye control to reveal or hide characters while you edit. Avoid reusing production secrets in screenshots; treat the field like a scratch pad.
  2. Alternatively, click Upload .txt to read the first non-empty line from a small local text file—handy when a generator wrote a line to disk and you do not want to paste through the clipboard.
  3. Read the strength bar, charset size, adjusted entropy in bits, and the three crack-time rows. Compare online throttling with offline GPU scenarios to understand why leaked hash databases hurt more than guessing over HTTP.
  4. Address any hardening tips, then regenerate if needed using the password generator. Click Copy report to paste a structured summary into design docs or compliance worksheets—still avoid posting live credentials in chat.

Entropy, patterns, and what this meter does not do

High charset diversity and length drive raw entropy; predictable structure reduces effective strength. We apply modest penalties for long keyboard runs, sequential digits, heavy character repetition, and a short blocklist of ubiquitous passwords. We do not call breach APIs or k-anonymity services—if you need breach awareness, use dedicated monitoring alongside this structural check.

Internal tools that pair with stronger passwords

After you pick a strong login secret, you might still validate transport and metadata: inspect responses with the HTTP header checker, preview social cards with the Open Graph preview, or extract tags using the meta tags extractor. For file workflows, the file hash utility helps verify artifacts you distribute with integrity checks.

Related security and encryption tools

More from the security and encryption tools section:

  • bcrypt Hash GeneratorGenerate bcrypt hashes with configurable cost for secure password storage testing.
  • AES Encrypt & DecryptEncrypt and decrypt text with AES-256 and a passphrase—runs fully in your browser.
  • RSA Key Pair GeneratorCreate 1024–4096 bit RSA public/private key pairs locally for demos and dev workflows.
  • CSP BuilderToggle Content-Security-Policy directives and copy a header value ready for your server.
  • Security Headers CheckerAnalyze security-related HTTP headers on any URL with graded guidance to harden responses.
  • JWT EncoderBuild HS256-signed JWTs from custom header and payload for API and auth testing.
  • HMAC GeneratorCreate HMAC-SHA256 or HMAC-SHA512 signatures with a secret for webhook and API verification.
  • SSL Certificate DecoderPaste PEM certificates to read subject, issuer, SANs, and validity windows.
  • .htaccess GeneratorAssemble common Apache .htaccess rules for redirects, HTTPS, caching, and access control.

Frequently asked questions

What is password entropy and why does this meter use it?
Entropy measures unpredictability in bits. This tool estimates bits from your password length and the mix of character classes (lowercase, uppercase, digits, symbols, and non-ASCII). Higher entropy usually means more guesses for a brute-force attacker. We also apply small penalties for patterns like keyboard walks, long digit runs, and known weak passwords—similar in spirit to strength meters in browsers, but with transparent numbers you can reason about.
How accurate are crack-time estimates?
They are illustrative only. Real attackers use dictionaries, credential stuffing, phishing, and GPU farms—not pure brute force alone. The three rates (about 1,000 guesses per second for throttled online attacks, 1 billion per second for strong offline hashing, and 1 trillion per second for an extreme scenario) bracket common discussions in security literature. Actual risk depends on how your service hashes passwords (bcrypt, Argon2, scrypt), peppering, rate limits, and whether the hash leaked. Tune work factors for your stack using vendor docs and test environments.
Does this tool upload my password to your servers?
No. Analysis runs entirely in your browser after the page loads. Nothing you type is transmitted to us for scoring. For generating new random secrets without typing patterns, use the password generator in the Developer tools section.
Why might a long passphrase still show a warning?
Length helps, but predictable structure does not. Famous lyrics, sports teams, and keyboard paths can appear in attacker wordlists even when they are long. A random sentence of unrelated words (a correct horse battery staple style) or a random string from a generator is usually safer than a clever phrase people might guess.
What length and complexity should I use for important accounts?
Prefer unique, long secrets per site—often 16 characters or more for web passwords, stored in a password manager. Enable multi-factor authentication wherever offered. For API keys and encryption passphrases, follow vendor guidance. When you need symmetric crypto helpers, browse the Security & Encryption tools section on the home page for AES and related utilities as they are published.
How is this different from Have I Been Pwned or breach checks?
This page scores structure and entropy locally. It does not query breach databases. Even a strong-looking password is unsafe if it was reused on a site that leaked hashes. Use unique passwords per service and monitor breaches separately.