Password Strength Checker

Analyze the strength and security of your passwords with detailed feedback.

Privacy Note: Your password is analyzed locally in your browser and is never sent to any server.

What Is Password Strength and Why Does It Matter?

Password strength is a measure of how difficult it is for an attacker to guess or crack a password through automated means. A strong password resists dictionary attacks, brute-force attempts, and pattern-matching techniques that modern cracking tools use at billions of guesses per second. Understanding what makes a password strong — and being able to measure it objectively — is one of the most practical steps you can take to improve your personal and organizational security.

Weak passwords are the most common vector for unauthorized account access. Data breach analyses consistently show that huge proportions of compromised accounts used passwords like "123456", "password", "qwerty", or simple first-name combinations. These passwords are cracked in milliseconds using freely available wordlists. Even slightly more complex passwords that rely on predictable patterns — replacing "a" with "@", appending "1" to a word — offer little resistance against modern attacks that specifically account for these substitutions.

This password strength checker evaluates your password across nine distinct criteria, then calculates two key security metrics: entropy (measuring unpredictability in bits) and an estimated crack time assuming an attacker makes 10 billion guesses per second — a realistic speed for offline attacks using dedicated hardware. Together these metrics give you a quantitative picture of your password's real-world security, not just a vague color rating.

The tool runs entirely in your browser. Your password is never transmitted to any server, never logged, and never stored. Every calculation is performed locally using JavaScript, making this a safe tool to use even for real passwords you rely on.

How the Password Score Is Calculated

The password strength score is a point-based system that awards points for meeting each of nine distinct security criteria. Points accumulate up to a maximum of 100. The final score is mapped to one of five strength labels: Very Weak (0–29), Weak (30–49), Fair (50–69), Strong (70–84), and Very Strong (85–100).

The nine criteria and their point values are:

Criterion Points Awarded Why It Matters
Length ≥ 8 characters +10 Minimum baseline length; below this, brute-force is trivial
Length ≥ 12 characters +10 Each extra character multiplies the search space exponentially
Length ≥ 16 characters +10 NIST recommends 16+ characters for high-security accounts
Contains lowercase letters (a–z) +10 Adds 26 characters to the effective alphabet
Contains uppercase letters (A–Z) +10 Adds another 26 characters; case-mixing resists simple wordlists
Contains digits (0–9) +10 Adds 10 characters; required by most password policies
Contains special characters (!@#$…) +15 Adds ~32 characters; highest single-criterion bonus for its impact on search space
No repeated character runs (3+) +10 Patterns like "aaa" or "111" dramatically reduce effective entropy
No common patterns (password, 123456…) +15 Blacklisted substrings appear in every attacker's dictionary

The maximum achievable score is 100. A password meeting all nine criteria receives full marks. Strength thresholds are: scores 0–29 are Very Weak, 30–49 are Weak, 50–69 are Fair, 70–84 are Strong, and 85–100 are Very Strong. Both the "no repeated characters" check and the "no common patterns" check are penalty-avoidance criteria — you earn points by not having these problems rather than by adding something new.

Password Score Formula

score = Σ(criterion_points) where max = 100; label = "Very Weak" if score<30, "Weak" if <50, "Fair" if <70, "Strong" if <85, else "Very Strong"

Where:

  • length ≥ 8= +10 points if password has at least 8 characters
  • length ≥ 12= +10 points if password has at least 12 characters (cumulative with ≥8)
  • length ≥ 16= +10 points if password has at least 16 characters (cumulative)
  • hasLower= +10 points if password contains at least one lowercase letter (a–z)
  • hasUpper= +10 points if password contains at least one uppercase letter (A–Z)
  • hasNumbers= +10 points if password contains at least one digit (0–9)
  • hasSymbols= +15 points if password contains at least one character outside a–z, A–Z, 0–9
  • noRepeats= +10 points if the password contains no character repeated 3 or more times consecutively
  • noCommon= +15 points if the password does not contain any of the blacklisted substrings (123456, password, qwerty, abc123, letmein, admin, welcome)

Understanding Entropy and Crack Time

Beyond the score, this password strength checker computes two quantitative security metrics: entropy and estimated crack time. These numbers give you a direct, math-based view of how unpredictable your password is and how long it would take a powerful attacker to guess it.

Entropy is measured in bits and represents the theoretical unpredictability of the password given the character sets it uses. It is calculated as:

entropy = ⌊ length × log₂(charsetSize) ⌋

where charsetSize is the total number of distinct characters available based on which character pools your password draws from: lowercase letters add 26, uppercase letters add 26, digits add 10, and special characters add 32. A password using all four pools has a charsetSize of 94. Entropy measures the size of the search space an attacker must cover — every additional bit of entropy doubles the number of possible passwords.

As a practical guide: passwords with fewer than 40 bits of entropy are considered weak against offline attacks; 60–80 bits provides reasonable medium-term protection; 80+ bits is strong against even future hardware advances.

Crack time estimates how long a brute-force attack would take, assuming 10 billion (1010) guesses per second — a realistic speed for a dedicated offline attack using modern GPU hardware. The formula is:

seconds = charsetSizelength ÷ 10,000,000,000 ÷ 2

The division by 2 reflects that an attacker on average finds the password halfway through an exhaustive search. The result is expressed in the most human-readable unit: seconds, minutes, hours, days, months, years, or "Centuries+" when the estimate exceeds roughly 100 years. Crack time grows exponentially with both password length and charset size, which is why adding just a few more characters or one more character type can shift the estimate from days to centuries.

Character Sets, Search Space, and Why They Matter

One of the most counterintuitive aspects of password security is how dramatically the choice of character set affects resistance to attack. The search space — the total number of possible passwords an attacker must check — grows as charsetSizelength. This exponential relationship means that small increases in either the charset or the length produce huge improvements in security.

Consider a 10-character password. If it uses only lowercase letters (charset 26), the search space is 2610 ≈ 141 trillion combinations. If you add uppercase letters (charset 52), the search space becomes 5210 ≈ 145 quadrillion — about 1,000 times larger. Add digits (charset 62) and you reach 6210 ≈ 839 quadrillion. Include special characters (charset 94) and the space expands to 9410 ≈ 54 quintillion. All from the same 10-character password, just by expanding the character pool.

Length has an even more dramatic effect because it is the exponent. Moving from 10 to 12 characters with a full 94-character set increases the search space by a factor of 942 = 8,836. Moving from 10 to 16 characters multiplies the space by 946 ≈ 689 billion. This is why security guidelines consistently emphasize length as the single most impactful factor in password strength.

This is also why "character substitution" rules — like replacing "e" with "3" or "a" with "@" — provide far less protection than they appear to. Attackers' tools apply these transformations automatically. A truly strong password uses genuine randomness across a wide character set, not a predictable transformation of a dictionary word.

The checker categorizes your character pools automatically: it detects if you have used at least one lowercase letter, one uppercase letter, one digit, and one symbol. Use all four pools and you unlock the full 94-character charset, which gives the most entropy per character of any commonly available character set.

Common Password Mistakes and How to Avoid Them

Understanding what the password strength checker flags as problems is the first step toward building better password habits. The most common mistakes fall into a handful of predictable categories that attackers exploit first.

Using common words and patterns. The checker tests for substrings like "password", "123456", "qwerty", "abc123", "letmein", "admin", and "welcome". These appear in every public breach wordlist and are tested in the first fraction of a second of any dictionary attack. Including any of these as part of your password — even wrapped in other characters — eliminates 15 points from your score and gives attackers a huge shortcut.

Relying on length alone. A 16-character password made entirely of lowercase letters like "abcdefghijklmnop" scores points for length but fails to use uppercase, numbers, or symbols. Each missing character type reduces the charset and thus the entropy and crack time. A 16-character lowercase-only password (charset 26) has entropy of ⌊16 × 4.70⌋ = 75 bits — decent, but a 12-character all-four-pools password has entropy of ⌊12 × 6.55⌋ = 78 bits and benefits from much greater per-character unpredictability.

Repeated characters. Passwords containing runs of three or more identical characters (like "aaa", "111", or "!!!") reduce effective entropy. The checker's regular expression /(.)\1{2,}/ detects these patterns and deducts 10 points. Real-world cracking tools specifically probe repeated-character patterns early in their runs.

Using the same password across multiple sites. Even a Very Strong password becomes a liability when reused, because a breach at one site exposes it at every other site. The solution is a password manager that generates and stores unique strong passwords for every account — reducing the burden on human memory while increasing security across the board.

Short passwords with symbol substitutions. "P@ss1!" is 6 characters. Despite using all four character pools, it scores Very Weak because it falls far short of the minimum length thresholds and the crack time at full charset is still only a matter of hours on modern hardware. Length and diversity work together — you need both.

Best Practices for Creating Strong Passwords

Consistently creating passwords that score Strong or Very Strong on the checker is straightforward once you understand the criteria. The following practices address each of the nine scored criteria and align with current guidance from NIST, OWASP, and major security researchers.

Prioritize length above all else. Aim for at least 16 characters for any important account. Length is the most powerful lever in the strength formula because it is the exponent in the search space calculation. A 16-character password with all four character pools achieves Very Strong status (entropy ≈ 104 bits, crack time in the centuries) even before considering other factors.

Use all four character pools. Include at least one lowercase letter, one uppercase letter, one digit, and one special character. This maximizes your charset to 94 and earns you 45 of the possible 100 score points from character-type criteria alone. Avoid putting the uppercase letter only at the start or the number/symbol only at the end — spread them throughout.

Avoid predictable patterns and common words. Don't start with a capitalized word, don't end with a digit or year, and don't include dictionary words — even with obvious substitutions. Consider using a random passphrase of 4–5 unrelated words (like XKCD-style passwords) or a fully random string generated by a password manager.

Use a password manager. Tools like Bitwarden, 1Password, or KeePass generate cryptographically random passwords of any length and character set, store them securely, and fill them in automatically. This removes the human tendency to create memorable — and therefore guessable — passwords.

Enable multi-factor authentication (MFA). Even the strongest password can be phished or leaked in a breach. MFA adds a second verification step — a time-based code, hardware key, or biometric — that protects your account even if your password is compromised. MFA and strong passwords together form the baseline of modern account security.

Worked Examples

Very Weak: "hello" (5 lowercase characters)

Problem:

Evaluate the password "hello" — 5 lowercase characters, no uppercase, no digits, no symbols.

Solution Steps:

  1. 1Length checks: 5 < 8 (fail, +0), 5 < 12 (fail, +0), 5 < 16 (fail, +0).
  2. 2Character types: hasLower = true (+10); hasUpper = false (+0); hasNumbers = false (+0); hasSymbols = false (+0).
  3. 3Pattern checks: no 3+ consecutive repeated characters → +10; "hello" does not contain any of the blacklisted substrings → +15.
  4. 4Total score = 0 + 0 + 0 + 10 + 0 + 0 + 0 + 10 + 15 = 35 → Weak (30–49).
  5. 5charsetSize = 26 (lowercase only). Entropy = ⌊5 × log₂(26)⌋ = ⌊5 × 4.700⌋ = ⌊23.50⌋ = 23 bits.
  6. 6Crack time: 26⁵ = 11,881,376 combinations ÷ 10,000,000,000 ÷ 2 ≈ 0.00000059 seconds → Instant.

Result:

Score: 35 (Weak). Entropy: 23 bits. Crack time: Instant. Too short and uses only one character pool — this password offers no meaningful protection.

Strong: "Myp@ss12" (8 chars, all four pools)

Problem:

Evaluate "Myp@ss12" — 8 characters using lowercase, uppercase, digits, and a special character.

Solution Steps:

  1. 1Length checks: 8 ≥ 8 (+10); 8 < 12 (fail); 8 < 16 (fail).
  2. 2Character types: hasLower = true (+10); hasUpper = true (+10); hasNumbers = true (+10); hasSymbols = true, "@" is not alphanumeric (+15).
  3. 3Pattern checks: "ss" repeats twice but not three times — /(.)\1{2,}/ does not match → +10. "myp@ss12" contains none of the blacklisted substrings → +15.
  4. 4Total score = 10 + 10 + 10 + 10 + 15 + 10 + 15 = 80 → Strong (70–84).
  5. 5charsetSize = 26 + 26 + 10 + 32 = 94. Entropy = ⌊8 × log₂(94)⌋ = ⌊8 × 6.555⌋ = ⌊52.44⌋ = 52 bits.
  6. 6Crack time: 94⁸ ≈ 6.096 × 10¹⁵ ÷ 10,000,000,000 ÷ 2 ≈ 304,800 seconds ÷ 86,400 ≈ 3.53 → 4 days.

Result:

Score: 80 (Strong). Entropy: 52 bits. Crack time: ~4 days. Good diversity but short length keeps the crack time relatively low — extending to 12+ characters would push this to Very Strong.

Very Strong: "Tr0ub4dor&3!" (12 chars, all four pools, no common patterns)

Problem:

Evaluate "Tr0ub4dor&3!" — 12 characters with mixed case, digits, and symbols, no common substrings.

Solution Steps:

  1. 1Length checks: 12 ≥ 8 (+10); 12 ≥ 12 (+10); 12 < 16 (fail, +0).
  2. 2Character types: hasLower = true (+10); hasUpper = true (+10); hasNumbers = true (+10); hasSymbols = true, "&" and "!" are non-alphanumeric (+15).
  3. 3Pattern checks: no character repeats 3+ times consecutively → +10. "tr0ub4dor&3!" (lowercased) contains none of the blacklisted substrings → +15.
  4. 4Total score = 10 + 10 + 10 + 10 + 10 + 15 + 10 + 15 = 90 → Very Strong (≥ 85).
  5. 5charsetSize = 26 + 26 + 10 + 32 = 94. Entropy = ⌊12 × log₂(94)⌋ = ⌊12 × 6.555⌋ = ⌊78.66⌋ = 78 bits.
  6. 6Crack time: 94¹² ≈ 4.76 × 10²³ ÷ 10,000,000,000 ÷ 2 ≈ 2.38 × 10¹³ seconds, far exceeding 3,153,600,000 (≈100 years) → Centuries+.

Result:

Score: 90 (Very Strong). Entropy: 78 bits. Crack time: Centuries+. This password meets all achievable criteria for a 12-character password and is effectively uncrackable by brute force.

Tips & Best Practices

  • Aim for at least 16 characters — length is the single most powerful factor since search space grows as charsetSize raised to the power of length.
  • Use all four character pools (lowercase, uppercase, digits, special characters) to maximize your charset to 94 and earn the highest entropy per character.
  • Avoid dictionary words, even with obvious substitutions like @ for a or 3 for e — modern cracking tools apply these transformations automatically.
  • Do not reuse passwords across sites; a breach at one site exposes every account where you used the same password.
  • Use a password manager (Bitwarden, 1Password, KeePass) to generate and store cryptographically random unique passwords for every account.
  • Enable multi-factor authentication on all important accounts — even a strong password can be phished or leaked in a database breach.
  • Check your passwords against breach databases at haveibeenpwned.com — a password may be technically strong yet already appear in publicly available breach wordlists.
  • Avoid including your name, birthdate, pet name, or other personal information — attackers who target you specifically will try these first.
  • Random passphrases of 4–5 unrelated words (Diceware method) combine high entropy with memorability — a strong alternative to fully random strings.

Frequently Asked Questions

No — this password strength checker runs entirely in your browser using JavaScript. Your password never leaves your device and is never transmitted to any server, logged, or stored anywhere. The analysis is performed locally the moment you type, with no network requests involved. You can safely use this tool with real passwords you rely on.
Entropy measures password unpredictability in bits. An entropy of N bits means an attacker needs to test up to 2ᴺ password candidates to guarantee finding yours. Each additional bit of entropy doubles the search space. Practically: under 40 bits is very weak, 50–60 bits is moderate, 70–80 bits is strong, and 80+ bits is considered highly resistant to brute force even with future hardware. Entropy depends on both password length and the size of the character set you draw from — using all four character pools (lowercase, uppercase, digits, symbols) maximizes entropy per character.
Ten billion (10¹⁰) guesses per second represents a realistic offline attack speed using modern GPU hardware against an unprotected hash. In real-world scenarios, crack speed varies enormously depending on whether the attacker has your hashed password (offline) or must guess online, and on which hash function was used (bcrypt at cost 10 drops this to roughly 150,000 guesses per second). The 10 billion figure is intentionally pessimistic — it represents a worst-case offline scenario — so if your password shows "Centuries+" at this speed, it is extremely resistant to brute-force attacks in practice.
Score and crack time measure different things. The score rewards meeting each of nine qualitative criteria, while crack time is purely mathematical, based on charsetSize raised to the power of length. A short password (say 8 characters) that uses all four character types and avoids patterns can score 80 (Strong) while still having a crack time of only a few days — because 94⁸ combinations is a finite, small-ish number at 10 billion guesses per second. Adding more characters dramatically increases crack time even if the score is already high: a 16-character password with the same diversity pushes crack time to centuries.
The checker tests whether your password (converted to lowercase) contains any of seven blacklisted substrings: "123456", "password", "qwerty", "abc123", "letmein", "admin", and "welcome". These appear at the top of virtually every breach-derived password list and are the first strings tested by any dictionary attack. If your password contains any of these as a substring — even in the middle — it fails this check and loses 15 points. For a more comprehensive analysis, consider using a tool that checks against larger breach databases like Have I Been Pwned.
Passphrases — sequences of several random unrelated words like "correct-horse-battery-staple" — can be both strong and memorable. A 5-word passphrase from a 7,776-word Diceware list has about 64 bits of entropy, roughly equivalent to a random 11-character mixed-case alphanumeric password. In this checker, a passphrase will score well if it is long enough (gains points for length tiers), avoids the common-substring blacklist, and contains varied characters. If you add a digit and symbol, it can easily reach Very Strong. The trade-off versus a fully random password is that passphrases are slightly more predictable if the attacker knows you used a word-based approach.
No password strength checker can guarantee security — it can only evaluate the mathematical properties of the password itself. Real security also depends on factors outside the checker's scope: whether you reuse the password across sites, whether the site stores it securely (using bcrypt, Argon2, etc.), whether you fall for phishing, and whether you have multi-factor authentication enabled. A Very Strong score here means the password is highly resistant to automated guessing attacks, but it is one layer of security, not the whole picture.

Sources & References

Last updated: 2026-06-05

💡

Help us improve!

How would you rate the Password Strength Checker?

<>

Editorial Note

MyCalcBuddy Editorial Team

This page is maintained as an educational calculator reference.

Source

Formula Source: Standard Mathematical References

by Various

UpdatedLast reviewed: May 2026
CheckedFormula checks are based on standard references and internal QA review.