Security
Password Strength & Entropy Checker
Check entropy, estimate brute-force time, and verify strength without sending any data.
The Password Strength Checker estimates entropy based on length and character variety, then provides a brute-force time estimate at different guessing speeds. It gives a practical sense of how resilient a password is against common attack scenarios, all computed locally in your browser.
Results
Entropy score, strength rating, and brute-force estimate.
Entropy
-
Strength
-
Charset size
-
Bruteforce estimate
-
Length
-
Character types
-
What this tool does
The Password Strength Checker estimates entropy based on length and character variety, then provides a brute-force time estimate at different guessing speeds. It gives a practical sense of how resilient a password is against common attack scenarios, all computed locally in your browser.
When to use this tool
Use it when evaluating a new password, reviewing an existing credential, or validating a password policy for a team. If you need to create a stronger option, generate a new one in Password Generator and check the results here.
How it works
The tool estimates the size of the character set (lowercase, uppercase, numbers, symbols) and calculates entropy based on the password length. It then estimates the time to brute-force the password at the selected guessing rate. Results are shown as an easy-to-read strength rating and time estimate.
Example use case
You are setting a policy that requires strong passwords for admin accounts. Test a sample password in the checker, review the entropy and estimated crack time, and adjust the policy to require a longer length or additional character types. Share the guidance with your team before rollout.
Use cases
- Evaluate candidates for a new password policy.
- Check the quality of an existing credential.
- Compare passphrase options before rollout.
Notes & limitations
Entropy estimates assume truly random passwords, which is rarely the case for human-created phrases. Password managers and generated values are more consistent. The brute-force estimates are simplified and do not account for rate limits or online lockouts, so treat them as general guidance rather than exact predictions.
Online attacks are often limited by lockout policies, but offline attacks against leaked hashes can be much faster. Use this tool to compare relative strength, then align your password policy with the sensitivity of the system. Longer lengths usually provide more benefit than adding a single extra symbol.
If a password feels strong but scores poorly, increase length first before adding complexity rules.
