Password Strength Checker
Analyze the strength and security of your passwords with detailed feedback.
Privacy Note: Your password is analyzed locally in your browser and is never sent to any server.
What Is Password Strength and Why Does It Matter?
Password strength is a measure of how difficult it is for an attacker to guess or crack a password through automated means. A strong password resists dictionary attacks, brute-force attempts, and pattern-matching techniques that modern cracking tools use at billions of guesses per second. Understanding what makes a password strong — and being able to measure it objectively — is one of the most practical steps you can take to improve your personal and organizational security.
Weak passwords are the most common vector for unauthorized account access. Data breach analyses consistently show that huge proportions of compromised accounts used passwords like "123456", "password", "qwerty", or simple first-name combinations. These passwords are cracked in milliseconds using freely available wordlists. Even slightly more complex passwords that rely on predictable patterns — replacing "a" with "@", appending "1" to a word — offer little resistance against modern attacks that specifically account for these substitutions.
This password strength checker evaluates your password across nine distinct criteria, then calculates two key security metrics: entropy (measuring unpredictability in bits) and an estimated crack time assuming an attacker makes 10 billion guesses per second — a realistic speed for offline attacks using dedicated hardware. Together these metrics give you a quantitative picture of your password's real-world security, not just a vague color rating.
The tool runs entirely in your browser. Your password is never transmitted to any server, never logged, and never stored. Every calculation is performed locally using JavaScript, making this a safe tool to use even for real passwords you rely on.
How the Password Score Is Calculated
The password strength score is a point-based system that awards points for meeting each of nine distinct security criteria. Points accumulate up to a maximum of 100. The final score is mapped to one of five strength labels: Very Weak (0–29), Weak (30–49), Fair (50–69), Strong (70–84), and Very Strong (85–100).
The nine criteria and their point values are:
| Criterion | Points Awarded | Why It Matters |
|---|---|---|
| Length ≥ 8 characters | +10 | Minimum baseline length; below this, brute-force is trivial |
| Length ≥ 12 characters | +10 | Each extra character multiplies the search space exponentially |
| Length ≥ 16 characters | +10 | NIST recommends 16+ characters for high-security accounts |
| Contains lowercase letters (a–z) | +10 | Adds 26 characters to the effective alphabet |
| Contains uppercase letters (A–Z) | +10 | Adds another 26 characters; case-mixing resists simple wordlists |
| Contains digits (0–9) | +10 | Adds 10 characters; required by most password policies |
| Contains special characters (!@#$…) | +15 | Adds ~32 characters; highest single-criterion bonus for its impact on search space |
| No repeated character runs (3+) | +10 | Patterns like "aaa" or "111" dramatically reduce effective entropy |
| No common patterns (password, 123456…) | +15 | Blacklisted substrings appear in every attacker's dictionary |
The maximum achievable score is 100. A password meeting all nine criteria receives full marks. Strength thresholds are: scores 0–29 are Very Weak, 30–49 are Weak, 50–69 are Fair, 70–84 are Strong, and 85–100 are Very Strong. Both the "no repeated characters" check and the "no common patterns" check are penalty-avoidance criteria — you earn points by not having these problems rather than by adding something new.
Password Score Formula
Where:
- length ≥ 8= +10 points if password has at least 8 characters
- length ≥ 12= +10 points if password has at least 12 characters (cumulative with ≥8)
- length ≥ 16= +10 points if password has at least 16 characters (cumulative)
- hasLower= +10 points if password contains at least one lowercase letter (a–z)
- hasUpper= +10 points if password contains at least one uppercase letter (A–Z)
- hasNumbers= +10 points if password contains at least one digit (0–9)
- hasSymbols= +15 points if password contains at least one character outside a–z, A–Z, 0–9
- noRepeats= +10 points if the password contains no character repeated 3 or more times consecutively
- noCommon= +15 points if the password does not contain any of the blacklisted substrings (123456, password, qwerty, abc123, letmein, admin, welcome)
Understanding Entropy and Crack Time
Beyond the score, this password strength checker computes two quantitative security metrics: entropy and estimated crack time. These numbers give you a direct, math-based view of how unpredictable your password is and how long it would take a powerful attacker to guess it.
Entropy is measured in bits and represents the theoretical unpredictability of the password given the character sets it uses. It is calculated as:
entropy = ⌊ length × log₂(charsetSize) ⌋
where charsetSize is the total number of distinct characters available based on which character pools your password draws from: lowercase letters add 26, uppercase letters add 26, digits add 10, and special characters add 32. A password using all four pools has a charsetSize of 94. Entropy measures the size of the search space an attacker must cover — every additional bit of entropy doubles the number of possible passwords.
As a practical guide: passwords with fewer than 40 bits of entropy are considered weak against offline attacks; 60–80 bits provides reasonable medium-term protection; 80+ bits is strong against even future hardware advances.
Crack time estimates how long a brute-force attack would take, assuming 10 billion (1010) guesses per second — a realistic speed for a dedicated offline attack using modern GPU hardware. The formula is:
seconds = charsetSizelength ÷ 10,000,000,000 ÷ 2
The division by 2 reflects that an attacker on average finds the password halfway through an exhaustive search. The result is expressed in the most human-readable unit: seconds, minutes, hours, days, months, years, or "Centuries+" when the estimate exceeds roughly 100 years. Crack time grows exponentially with both password length and charset size, which is why adding just a few more characters or one more character type can shift the estimate from days to centuries.
Character Sets, Search Space, and Why They Matter
One of the most counterintuitive aspects of password security is how dramatically the choice of character set affects resistance to attack. The search space — the total number of possible passwords an attacker must check — grows as charsetSizelength. This exponential relationship means that small increases in either the charset or the length produce huge improvements in security.
Consider a 10-character password. If it uses only lowercase letters (charset 26), the search space is 2610 ≈ 141 trillion combinations. If you add uppercase letters (charset 52), the search space becomes 5210 ≈ 145 quadrillion — about 1,000 times larger. Add digits (charset 62) and you reach 6210 ≈ 839 quadrillion. Include special characters (charset 94) and the space expands to 9410 ≈ 54 quintillion. All from the same 10-character password, just by expanding the character pool.
Length has an even more dramatic effect because it is the exponent. Moving from 10 to 12 characters with a full 94-character set increases the search space by a factor of 942 = 8,836. Moving from 10 to 16 characters multiplies the space by 946 ≈ 689 billion. This is why security guidelines consistently emphasize length as the single most impactful factor in password strength.
This is also why "character substitution" rules — like replacing "e" with "3" or "a" with "@" — provide far less protection than they appear to. Attackers' tools apply these transformations automatically. A truly strong password uses genuine randomness across a wide character set, not a predictable transformation of a dictionary word.
The checker categorizes your character pools automatically: it detects if you have used at least one lowercase letter, one uppercase letter, one digit, and one symbol. Use all four pools and you unlock the full 94-character charset, which gives the most entropy per character of any commonly available character set.
Common Password Mistakes and How to Avoid Them
Understanding what the password strength checker flags as problems is the first step toward building better password habits. The most common mistakes fall into a handful of predictable categories that attackers exploit first.
Using common words and patterns. The checker tests for substrings like "password", "123456", "qwerty", "abc123", "letmein", "admin", and "welcome". These appear in every public breach wordlist and are tested in the first fraction of a second of any dictionary attack. Including any of these as part of your password — even wrapped in other characters — eliminates 15 points from your score and gives attackers a huge shortcut.
Relying on length alone. A 16-character password made entirely of lowercase letters like "abcdefghijklmnop" scores points for length but fails to use uppercase, numbers, or symbols. Each missing character type reduces the charset and thus the entropy and crack time. A 16-character lowercase-only password (charset 26) has entropy of ⌊16 × 4.70⌋ = 75 bits — decent, but a 12-character all-four-pools password has entropy of ⌊12 × 6.55⌋ = 78 bits and benefits from much greater per-character unpredictability.
Repeated characters. Passwords containing runs of three or more identical characters (like "aaa", "111", or "!!!") reduce effective entropy. The checker's regular expression /(.)\1{2,}/ detects these patterns and deducts 10 points. Real-world cracking tools specifically probe repeated-character patterns early in their runs.
Using the same password across multiple sites. Even a Very Strong password becomes a liability when reused, because a breach at one site exposes it at every other site. The solution is a password manager that generates and stores unique strong passwords for every account — reducing the burden on human memory while increasing security across the board.
Short passwords with symbol substitutions. "P@ss1!" is 6 characters. Despite using all four character pools, it scores Very Weak because it falls far short of the minimum length thresholds and the crack time at full charset is still only a matter of hours on modern hardware. Length and diversity work together — you need both.
Best Practices for Creating Strong Passwords
Consistently creating passwords that score Strong or Very Strong on the checker is straightforward once you understand the criteria. The following practices address each of the nine scored criteria and align with current guidance from NIST, OWASP, and major security researchers.
Prioritize length above all else. Aim for at least 16 characters for any important account. Length is the most powerful lever in the strength formula because it is the exponent in the search space calculation. A 16-character password with all four character pools achieves Very Strong status (entropy ≈ 104 bits, crack time in the centuries) even before considering other factors.
Use all four character pools. Include at least one lowercase letter, one uppercase letter, one digit, and one special character. This maximizes your charset to 94 and earns you 45 of the possible 100 score points from character-type criteria alone. Avoid putting the uppercase letter only at the start or the number/symbol only at the end — spread them throughout.
Avoid predictable patterns and common words. Don't start with a capitalized word, don't end with a digit or year, and don't include dictionary words — even with obvious substitutions. Consider using a random passphrase of 4–5 unrelated words (like XKCD-style passwords) or a fully random string generated by a password manager.
Use a password manager. Tools like Bitwarden, 1Password, or KeePass generate cryptographically random passwords of any length and character set, store them securely, and fill them in automatically. This removes the human tendency to create memorable — and therefore guessable — passwords.
Enable multi-factor authentication (MFA). Even the strongest password can be phished or leaked in a breach. MFA adds a second verification step — a time-based code, hardware key, or biometric — that protects your account even if your password is compromised. MFA and strong passwords together form the baseline of modern account security.
Worked Examples
Very Weak: "hello" (5 lowercase characters)
Problem:
Evaluate the password "hello" — 5 lowercase characters, no uppercase, no digits, no symbols.
Solution Steps:
- 1Length checks: 5 < 8 (fail, +0), 5 < 12 (fail, +0), 5 < 16 (fail, +0).
- 2Character types: hasLower = true (+10); hasUpper = false (+0); hasNumbers = false (+0); hasSymbols = false (+0).
- 3Pattern checks: no 3+ consecutive repeated characters → +10; "hello" does not contain any of the blacklisted substrings → +15.
- 4Total score = 0 + 0 + 0 + 10 + 0 + 0 + 0 + 10 + 15 = 35 → Weak (30–49).
- 5charsetSize = 26 (lowercase only). Entropy = ⌊5 × log₂(26)⌋ = ⌊5 × 4.700⌋ = ⌊23.50⌋ = 23 bits.
- 6Crack time: 26⁵ = 11,881,376 combinations ÷ 10,000,000,000 ÷ 2 ≈ 0.00000059 seconds → Instant.
Result:
Score: 35 (Weak). Entropy: 23 bits. Crack time: Instant. Too short and uses only one character pool — this password offers no meaningful protection.
Strong: "Myp@ss12" (8 chars, all four pools)
Problem:
Evaluate "Myp@ss12" — 8 characters using lowercase, uppercase, digits, and a special character.
Solution Steps:
- 1Length checks: 8 ≥ 8 (+10); 8 < 12 (fail); 8 < 16 (fail).
- 2Character types: hasLower = true (+10); hasUpper = true (+10); hasNumbers = true (+10); hasSymbols = true, "@" is not alphanumeric (+15).
- 3Pattern checks: "ss" repeats twice but not three times — /(.)\1{2,}/ does not match → +10. "myp@ss12" contains none of the blacklisted substrings → +15.
- 4Total score = 10 + 10 + 10 + 10 + 15 + 10 + 15 = 80 → Strong (70–84).
- 5charsetSize = 26 + 26 + 10 + 32 = 94. Entropy = ⌊8 × log₂(94)⌋ = ⌊8 × 6.555⌋ = ⌊52.44⌋ = 52 bits.
- 6Crack time: 94⁸ ≈ 6.096 × 10¹⁵ ÷ 10,000,000,000 ÷ 2 ≈ 304,800 seconds ÷ 86,400 ≈ 3.53 → 4 days.
Result:
Score: 80 (Strong). Entropy: 52 bits. Crack time: ~4 days. Good diversity but short length keeps the crack time relatively low — extending to 12+ characters would push this to Very Strong.
Very Strong: "Tr0ub4dor&3!" (12 chars, all four pools, no common patterns)
Problem:
Evaluate "Tr0ub4dor&3!" — 12 characters with mixed case, digits, and symbols, no common substrings.
Solution Steps:
- 1Length checks: 12 ≥ 8 (+10); 12 ≥ 12 (+10); 12 < 16 (fail, +0).
- 2Character types: hasLower = true (+10); hasUpper = true (+10); hasNumbers = true (+10); hasSymbols = true, "&" and "!" are non-alphanumeric (+15).
- 3Pattern checks: no character repeats 3+ times consecutively → +10. "tr0ub4dor&3!" (lowercased) contains none of the blacklisted substrings → +15.
- 4Total score = 10 + 10 + 10 + 10 + 10 + 15 + 10 + 15 = 90 → Very Strong (≥ 85).
- 5charsetSize = 26 + 26 + 10 + 32 = 94. Entropy = ⌊12 × log₂(94)⌋ = ⌊12 × 6.555⌋ = ⌊78.66⌋ = 78 bits.
- 6Crack time: 94¹² ≈ 4.76 × 10²³ ÷ 10,000,000,000 ÷ 2 ≈ 2.38 × 10¹³ seconds, far exceeding 3,153,600,000 (≈100 years) → Centuries+.
Result:
Score: 90 (Very Strong). Entropy: 78 bits. Crack time: Centuries+. This password meets all achievable criteria for a 12-character password and is effectively uncrackable by brute force.
Tips & Best Practices
- ✓Aim for at least 16 characters — length is the single most powerful factor since search space grows as charsetSize raised to the power of length.
- ✓Use all four character pools (lowercase, uppercase, digits, special characters) to maximize your charset to 94 and earn the highest entropy per character.
- ✓Avoid dictionary words, even with obvious substitutions like @ for a or 3 for e — modern cracking tools apply these transformations automatically.
- ✓Do not reuse passwords across sites; a breach at one site exposes every account where you used the same password.
- ✓Use a password manager (Bitwarden, 1Password, KeePass) to generate and store cryptographically random unique passwords for every account.
- ✓Enable multi-factor authentication on all important accounts — even a strong password can be phished or leaked in a database breach.
- ✓Check your passwords against breach databases at haveibeenpwned.com — a password may be technically strong yet already appear in publicly available breach wordlists.
- ✓Avoid including your name, birthdate, pet name, or other personal information — attackers who target you specifically will try these first.
- ✓Random passphrases of 4–5 unrelated words (Diceware method) combine high entropy with memorability — a strong alternative to fully random strings.
Frequently Asked Questions
Sources & References
- NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management (2020)
- OWASP Authentication Cheat Sheet — Password Strength (2024)
- Wikipedia — Password Strength (2024)
- Dropbox Tech Blog — zxcvbn: realistic password strength estimation (2012)
- Have I Been Pwned — Pwned Passwords (2024)
Last updated: 2026-06-05
Help us improve!
How would you rate the Password Strength Checker?
Editorial Note
MyCalcBuddy Editorial Team
This page is maintained as an educational calculator reference.
Formula Source: Standard Mathematical References
by Various