Password Tester

Password Tester

Check password strength with entropy, estimated crack time, and dictionary checks — entirely in your browser.

🔒 100% client-side. Your password never leaves your browser.

Enter a password above to analyze its strength

Features

  • Real-time password strength analyzer using the zxcvbn library
  • Entropy calculation (bits) and estimated crack time
  • Pattern detection: keyboard walks, common words, dates, sequences
  • Detailed feedback explaining exactly why a password is weak
  • Strength score 0–4 with visual meter
  • All analysis is done client-side — passwords never leave the browser

Common Use Cases

  • Test and improve passwords before setting them on critical accounts
  • Understand what makes a password strong or weak
  • Implement a strength meter in your own web application
  • Train users on password security best practices
  • Evaluate the strength of passphrases vs. complex random strings

Password Strength Analysis

Password strength is determined by entropy — the number of bits of randomness, which determines how many guesses an attacker needs to crack it. A password with 40 bits of entropy requires 240 ≈ 1 trillion guesses.

Modern password crackers don't guess randomly — they use patterns: dictionary words, common substitutions (a→@, e→3), keyboard walks (qwerty, 12345), and leaked password databases. zxcvbn (the library powering this tool) was developed by Dropbox to model realistic attacker behavior, making its strength estimates far more accurate than simple "8 chars with numbers + symbols" rules.

A strong password is long and random — a 5-word passphrase (correct horse battery staple) is often stronger than a short complex password (P@s$w0rd!), because length beats complexity for entropy.

Examples

Invalid - Weak (common word)
password123  → Score 0, crack time: instantly
Invalid - Medium (short complex)
P@s$w0rd!  → Score 2, crack time: minutes
Valid - Strong (long random)
correct-horse-battery-staple  → Score 4, crack time: centuries

Frequently Asked Questions

Is a long passphrase better than a short complex password?

Usually yes. Entropy = log2(character set size) × length. A 20-character passphrase of common words has lower entropy per character but much higher entropy overall due to length. The passphrase is also far easier to memorize. NIST SP 800-63B recommends focusing on length rather than complexity rules.

What is the zxcvbn library?

zxcvbn was developed by Dropbox to measure password strength the way attackers think. Instead of just checking for uppercase/numbers/symbols, it uses pattern matching (dictionary lookup, date detection, keyboard sequences, l33t speak), scoring on realistic crack time rather than arbitrary rules.

Is it safe to paste my password here?

Yes. All analysis is performed client-side using JavaScript — your password is never sent over the network or stored. You can verify this by checking the Network tab in browser DevTools while typing your password.

What are password managers and should I use one?

Password managers (Bitwarden, 1Password, Dashlane) generate and store unique, random passwords for every account. This completely eliminates password reuse — the #1 cause of account takeovers. A strong master password + a password manager is the gold standard for personal password security.

💡 Tips

  • Use a password manager to generate unique 20+ character random passwords for every account — never reuse passwords.
  • A 4–5 word passphrase is often stronger and far more memorable than an 8-character complex password.
  • Enable multi-factor authentication (MFA) on all important accounts — even a weak password becomes much harder to exploit with MFA.
  • Check if your email has appeared in known data breaches using haveibeenpwned.com — change passwords for breached accounts immediately.