
A password does not become strong just because it contains a capital letter, a digit, and a symbol. Guessing resistance comes from how many realistic guesses an attacker must try before reaching the secret. Human-made passwords often shrink that search because they reuse words, years, keyboard shapes, names, sports teams, product terms, or the service name itself.

The same password can face very different threats. A public login form may limit guesses, lock accounts, or require multifactor authentication. A stolen password hash can be tested away from the login page at far higher rates, especially if the stored hash is fast or badly protected. Password reuse creates a third problem: a secret that is hard to guess can still fail if it was already exposed somewhere else.

Password strength concepts

| Concept | Plain meaning | Common mistake |
| --- | --- | --- |
| Guess count | How many tries are expected before the password is found. | Treating every string of the same length as equally likely. |
| Entropy | A mathematical way to describe the size of a search space. | Reading an optimistic character-count estimate as a promise of safety. |
| Attack rate | How many guesses can be tested per second or per hour. | Using login-rate thinking for a stolen-hash breach. |
| Uniqueness | Whether the password is used for one account only. | Keeping a reused password because it looks complex. |
Figure: Password guessing order (how attackers shorten the search). Common words, dates, and keyboard walks are tested early, while long unique random phrases sit later in the search. Stages from early guesses to later guesses: known words (names, brands, sites); human patterns (years, repeats, walks); mixed strings (better but still checked); unique length (random or generated).

Modern password guidance has moved away from ceremonial composition rules because those rules push people toward predictable mutations such as Password2026!. Length, blocklists for common or compromised values, rate limits, slow password hashing, password managers, and multifactor authentication do more useful work than requiring one character from each category.

A strength estimate is still a planning aid, not a certificate. It cannot prove that a password has never been reused, cannot see whether a service stores passwords well, and cannot know what an attacker already knows about the account holder. The practical goal is to reject weak ideas early, prefer unique generated secrets for important accounts, and treat any exposed or reused password as replaceable even when it appears long or complex.

How to Use This Tool:

Enter one candidate password and read the decision together with the pattern findings and crack-time estimates. The calculator evaluates the first line only, so check pasted lists one password at a time.

  1. Type or paste the candidate password. Use the show/hide button only when you are comfortable revealing it on your screen.
  2. Choose the Risk lens that matches your concern. Use a login lens for account-entry guessing, and a stolen-hash lens when breach resistance matters.
  3. Set Offline slowdown factor only when you want breach rows to model slower password hashing. It does not change the live-login rows.
  4. Add names, handles, domains, company words, or product words to Known words to avoid when targeted guessing is realistic.
  5. Review Strength Assessment, Pattern Flags, Attack Outlook, and Upgrade Plan before deciding whether the candidate is worth keeping.

If an extra-lines warning appears, the later lines were ignored. Split the list and recheck each candidate separately so the score, flags, and estimated times refer to the password you actually plan to use.

Interpreting Results:

Decision is the fastest read, but it should not be the only read. Replace now means the selected scenario, score, or a high-severity pattern makes the candidate unsuitable. Upgrade before use means the password may not be an immediate failure, but it has a meaningful weakness. Solid if unique and Strong if unique still depend on the password being new for this account.

Pattern-aware score runs from 0 to 4 and reflects dictionary-style guesses and common structures, not just the number of character categories. Composition upper bound shows the optimistic bit estimate from length and detected character space. When those two disagree, trust the pattern-aware result and the pattern flags more than the upper-bound bit count.

Attack Outlook turns the guess estimate into time under several rates. The selected risk lens is highlighted, while the other rows show how much the answer changes between a controlled login and a breach-style attack. The Crack Time Ladder chart uses the same estimates to make those differences easier to compare.

Treat No obvious pattern flag as a narrow finding. It means the current checks did not find a common-word, date, keyboard, sequence, repeat, or context-word issue. It does not check whether the exact password has appeared in a breach, whether another site already uses it, or whether the account is protected by rate limits and multifactor authentication.

Technical Details:

Password strength estimation combines a search-size estimate with a guess-order estimate. Search size asks how many possibilities exist if each character were chosen independently. Guess order asks how soon real cracking methods would try the visible pattern. A human-looking string can have a large character space and still land early because it contains a word, year, repeated segment, or keyboard walk.

The composition estimate is intentionally an upper bound. It counts only character categories that appear in the candidate, then multiplies the password length by the base-2 logarithm of the resulting character space. The pattern-aware estimate is used for practical guessing because it can reduce confidence when a visible structure is cheaper to guess than random brute force.

Formula Core:

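$$S = 10\,I_{\text{digit}} + 26\,I_{\text{upper}} + 26\,I_{\text{lower}} + 33\,I_{\text{symbol}} + 1\,I_{\text{space}}$$
$$H = n \times \log_2(S)$$
$$G = 10^{g}$$
$$T = G / R_{\text{effective}}$$
$$R_{\text{effective}} = R / k \text{ for breach rows, otherwise } R$$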
Password formula variables

| Symbol | Meaning | How to read it |
| --- | --- | --- |
| S | Detected character space | Digits add 10, uppercase letters add 26, lowercase letters add 26, symbols add 33, and spaces add 1 when present. |
| H | Composition upper bound in bits | Useful for comparing edits, but optimistic for human-made strings. |
| g | Pattern-aware log10 guess estimate | Lowered when the candidate matches common words, dates, repeats, keyboard paths, sequences, or supplied context words. |
| R | Scenario guess rate | Ranges from controlled login attempts to fast breach cracking. |
| k | Offline slowdown factor | Divides only breach-style rates to model slower password hashing. |

Rule Core:

Password strength decision rules

| Output | Boundary or rule | Practical meaning |
| --- | --- | --- |
| Composition upper bound | <40 very weak, <60 weak, <80 reasonable, <100 strong, otherwise very strong | Shows the length-and-character-space ceiling before pattern penalties. |
| Pattern-aware score | 0 very weak, 1 weak, 2 fair, 3 good, 4 strong | Summarizes the practical estimator result when available, with a local fallback if needed. |
| Replace now | High-severity pattern, score <=1, or selected crack time <1 day | The candidate should not be used as-is. |
| Upgrade before use | Score <=2, medium-severity pattern, or selected crack time <1 year | The candidate needs a meaningful change before it is trusted. |
| Solid if unique | Score = 3 without stronger replacement triggers | The password may be acceptable when it is not reused and no important context word is present. |
| Strong if unique | No stronger replacement or upgrade trigger applies | The result is favorable, but uniqueness and account controls still matter. |

Password attack scenario rates

| Scenario | Modeled rate | Interpretation note |
| --- | --- | --- |
| Locked-down login | 100 guesses per hour | Represents strict throttling or lockouts. |
| Weakly rate-limited login | 10 guesses per second | Represents repeated guesses through a login form with weak controls. |
| Stolen slow hash | 10,000 guesses per second, divided by slowdown | Represents breach cracking against slower password hashing. |
| Stolen fast hash | 10 billion guesses per second, divided by slowdown | Represents weak or cheaply parallelized hash verification after a breach. |
| GPU cluster breach | 1 trillion guesses per second, divided by slowdown | Represents a pessimistic distributed cracking comparison. |

As a substitution example, a 12-character password using detected lowercase letters and digits has S = 36, so the composition upper bound is 12 × log2(36), about 62 bits. If the visible text includes a dictionary word plus a year, the practical guess estimate can be far lower than that bit count, and the breach rows may still point to replacement.
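
The formula core, scenario rates, and decision rules above, carried through in JavaScript as an added example; it is not the calculator's own source. The pattern-aware estimate g, the score, and the pattern severity are inputs here because the page does not specify the estimator, and the sample password `dolphins2019` with g = 6 is constructed.

```javascript
// Added example: follows the page's formulas and tables, not the calculator's source.
const SCENARIOS = [ // modeled rates converted to guesses per second
  { name: "Locked-down login", rate: 100 / 3600, breach: false },
  { name: "Weakly rate-limited login", rate: 10, breach: false },
  { name: "Stolen slow hash", rate: 1e4, breach: true },
  { name: "Stolen fast hash", rate: 1e10, breach: true },
  { name: "GPU cluster breach", rate: 1e12, breach: true },
];

// S: add the size of each character category that appears in the candidate.
function charsetSize(pw) {
  let s = 0;
  if (/[0-9]/.test(pw)) s += 10;
  if (/[A-Z]/.test(pw)) s += 26;
  if (/[a-z]/.test(pw)) s += 26;
  if (/ /.test(pw)) s += 1;
  if (/[^0-9A-Za-z ]/.test(pw)) s += 33; // assumption: any other character is a symbol
  return s;
}

// H = n * log2(S): the optimistic composition upper bound in bits.
function compositionBits(pw) {
  const s = charsetSize(pw);
  return s === 0 ? 0 : Array.from(pw).length * Math.log2(s);
}

// T = G / R_effective with G = 10^g; the slowdown k divides breach rates only.
function crackSeconds(log10Guesses, scenario, slowdown = 1) {
  const rate = scenario.breach ? scenario.rate / slowdown : scenario.rate;
  return Math.pow(10, log10Guesses) / rate;
}

// Decision rules in table order; severity is "high", "medium" or null.
function decide(score, severity, seconds) {
  const DAY = 86400, YEAR = 365 * DAY; // assumption: a year is 365 days
  if (severity === "high" || score <= 1 || seconds < DAY) return "Replace now";
  if (score <= 2 || severity === "medium" || seconds < YEAR) return "Upgrade before use";
  return score === 3 ? "Solid if unique" : "Strong if unique";
}

// Constructed input: a word plus a year, with assumed g = 6, score 2, medium flag.
function demo(lensIndex, slowdown = 1) {
  const seconds = crackSeconds(6, SCENARIOS[lensIndex], slowdown);
  return { bits: compositionBits("dolphins2019"), seconds, verdict: decide(2, "medium", seconds) };
}
console.log(demo(0), demo(2, 10)); // login lens vs. stolen slow hash with k = 10
```

The same candidate reads as Upgrade before use under the locked-down login lens and Replace now under the stolen slow hash lens, even with a slowdown factor of 10 and a composition ceiling of about 62 bits.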

Limitations and Privacy Notes:

No strength meter can confirm that a password is absent from every breach list, unused on every other site, or protected by a service with good storage and rate limiting. It also cannot know whether the account has multifactor authentication, whether the user has been phished, or whether an attacker already knows personal details that would make targeted guesses cheaper.

The password value is evaluated in the browser and is omitted from CSV, DOCX, JSON, and share-link data generated by the calculator. Normal page resources may still be requested by the browser, so avoid testing a high-value production secret unless your policy allows it. A safer habit is to test a structurally similar draft, then generate and store the real secret in an approved password manager.

Only the first line is analyzed. That protects against accidentally merging a pasted list into one result, but it also means later lines have not been checked.

Worked Examples:

Company2026! looks like it satisfies a classic complexity rule: uppercase, lowercase, digits, and a symbol are all present. The weakness is the structure. A company word and a recent year are likely to appear early in targeted guesses, and adding company to Known words to avoid should make that problem visible in the pattern findings.

A random-looking 11-character password can be a borderline case. It may avoid obvious dictionary and date flags, but the selected stolen-hash lens may still show an uncomfortable crack time. Adding several random characters usually helps more than swapping one letter for a symbol, because the search expands across every added position.

A long, unique password-manager secret or an unrelated generated passphrase is the healthier pattern. If it has no context words, no reuse, and a favorable selected crack-time row, the remaining work is operational: store it safely, use one secret per account, and replace it immediately if exposure is suspected.

FAQ:

Why can a password with symbols still score poorly?

Symbols help when they are part of an unpredictable string. A common word with a final exclamation point or a year is still close to patterns attackers try early.

Which risk lens should I choose?

Choose a login lens when you are thinking about someone guessing through the account sign-in form. Choose a stolen-hash lens when you want to know how the password might hold up after a password database leak.

Does a strong score mean I can reuse the password?

No. Reuse changes the risk because one compromised service can expose the same secret for other accounts. Keep one unique password per account.

Why should I add known words to avoid?

Targeted attackers often try names, handles, domains, project names, and company terms before broad guessing. Adding those words lets the calculator flag a password that is personally predictable.

What should I do if the extra-lines warning appears?

Only the first line was checked. Remove the extra lines or test each candidate separately so the decision and pattern flags match the password you are reviewing.

Glossary:

Attack rate
The number of password guesses a scenario can test in a given time.
Composition upper bound
An optimistic bit estimate based on password length and the detected character categories.
Context word
A user-supplied word that should be treated as predictable, such as a name, domain, brand, handle, or project term.
Crack time
The estimated time to try the expected number of guesses at a scenario's modeled rate.
Pattern-aware score
A 0 to 4 strength label that accounts for common password structures as well as length.