Password Strength Calculator
Assess password strength online from length, character mix, warnings, and crack-time estimates so you can catch risky patterns before choosing a login.Password Decision
| Metric | Value | Why it matters | Copy |
|---|---|---|---|
| {{ row.label }} | {{ row.value }} | {{ row.comment }} |
| Scenario | Rate | Estimated time | What it means | Copy |
|---|---|---|---|---|
|
{{ row.label }}
Selected lens
|
{{ row.rateDisplay }} | {{ row.time }} | {{ row.comment }} |
| Signal | Severity | Evidence | Why it matters | Copy |
|---|---|---|---|---|
| {{ row.signal }} | {{ row.severity }} | {{ row.evidence }} | {{ row.reason }} |
| Priority | Recommendation | Why | Target | Copy |
|---|---|---|---|---|
| {{ row.priority }} | {{ row.recommendation }} | {{ row.why }} | {{ row.target }} |
1. The web tool provided is for general informational purposes only and should not be considered as professional advice.
2. We do not guarantee the accuracy, completeness, or reliability of the tool.
3. The use of this tool is at your own risk, and we are not liable for any damages or losses resulting from its use.
4. We reserve the right to modify or discontinue the tool without prior notice.
5. By embedding the tool, you agree to indemnify us from any claims arising from its use.
6. We may use Google Analytics or similar tools for data collection and analysis.
7. Please review this disclaimer periodically, as we may update it without notice.
If you do not agree with any part of this disclaimer, please refrain from embedding the tool on your website.
Introduction:
Password strength is an estimate of how hard a secret is to guess. That matters because short or predictable choices often fail long before they look obviously weak to a human. This calculator reads one password line at a time and turns its length, character mix, and pattern checks into a summary label, entropy estimate, warnings, and crack-time scenarios.
It is most useful when you are comparing candidate passphrases, explaining to a team why length matters more than decorative substitutions, or checking whether a reset choice is genuinely better than the last pattern. The page separates quick heuristics from the underlying search-space math, so you can see both a plain-language verdict and the reasons behind it.
A high label here does not certify a password as safe in every environment. The math assumes random character choice within the detected character set, while the warning system catches only a limited set of human habits such as repeated characters, straight sequences, common-password matches, and date-like patterns.
Treat the result as a security estimate, not as a guarantee. Avoid pasting live production secrets into any browser tool when an invented example would answer the same question.
Everyday Use & Decision Guide:
The page evaluates the first line only. If you paste multiple lines, it warns that single-password mode is looking only at line one, which helps prevent accidental comparison of several values at once.
The summary badge is the quickest read, but it is intentionally not the only read. A short password can collect digits and symbols and still stay weak because length is too low, while a longer passphrase can earn a high heuristic score even when its entropy band is less impressive than you expected. The supporting tabs exist to make that tension visible.
The Properties tab is a composition checklist. It shows length, counts for digits and letters, uppercase and lowercase presence, symbols, and the derived character-set size. That view is useful when you want to answer a narrow question such as whether you actually increased variety or merely swapped one predictable pattern for another.
- If a password is shorter than 12 characters, length is usually the first problem to fix.
- If the Dictionary tab reports a hit, treat that as a bigger warning than a respectable-looking score badge.
- If you are comparing two candidates, prefer the one with fewer pattern warnings even when both look similar at a glance.
The Crack-time tab uses fixed machine-rate scenarios ranging from a standard desktop to a medium-size botnet. The hash slowdown factor divides those rates to simulate slower password verification, such as what you would expect from PBKDF2, bcrypt, or Argon2 style storage. It does not change entropy or the composition checks; it changes only the time estimates.
The export buttons matter when you need to document a decision, not just eyeball it. CSV and DOCX outputs preserve the tabular views, while JSON packages the measured inputs, derived metrics, warnings, crack-time rows, and properties in a format that is easier to compare programmatically.
Technical Details:
The tool combines three different kinds of logic. First, it assigns a 0 to 4 heuristic score from easily observed traits such as length, mixed case, digits, symbols, and an extra bonus for length 14 or more when the password already has several character classes. Second, it estimates entropy from password length and the effective character set implied by the classes actually used. Third, it runs warning checks for predictable patterns and a dictionary comparison against a downloaded common-password list.
The heuristic score is fast and intentionally simple. It answers whether the password clears a few common composition hurdles. Entropy answers a different question: how large would the search space be if each position were an independent random draw from the detected set. That is why the strength label and entropy band can move in different ways.
Crack-time estimates are built from the same search-space assumption. The page computes the number of combinations, divides by a machine guess rate, and then applies the optional slowdown factor by reducing the rate. These scenario tables are illustrative package behavior, not compliance benchmarks or attacker forecasts.
The equations below show the model the page applies once the character classes are known.
In the package, S is the effective character-set size, n is password length, H is entropy in bits, R is the scenario guess rate, and k is the slowdown factor.
| Rule | Points | Condition |
|---|---|---|
| Base length rule | +1 | Password length is at least 8 characters |
| Mixed case rule | +1 | At least one uppercase and one lowercase letter are present |
| Digit rule | +1 | At least one digit is present |
| Symbol rule | +1 | At least one non-alphanumeric symbol is present |
| Extended-length bonus | +1 | Length is at least 14 and the running score is already 3 or more |
| Cap | 4 max | Final score is limited to 4 before the label is assigned |
| Entropy band | Boundary | Interpretation label |
|---|---|---|
| Band 1 | < 40 bits | Very weak |
| Band 2 | >= 40 and < 60 bits | Weak |
| Band 3 | >= 60 and < 80 bits | Reasonable |
| Band 4 | >= 80 and < 100 bits | Strong |
| Band 5 | >= 100 bits | Very strong |
| Check | Package rule | What it flags |
|---|---|---|
| Short length | Length is less than 12 | Short (<12) |
| Missing character classes | Any of uppercase, lowercase, digits, or symbols is absent | Class-specific warnings such as No uppercase or No symbols |
| Repeated run | Three or more identical characters in a row | Repeated characters |
| Sequential pattern | Alphabetic, keyboard-row, or numeric runs of length 3 or more in either direction | Sequential pattern |
| Email-like form | String matches a basic email pattern | Looks like an email |
| Date-like form | Contains a four-digit year or a short date pattern | Looks like a date/year |
| Dictionary hit | Exact lowercase match against the loaded 10k common-password list | Dictionary hit badge and danger state |
Privacy behavior is narrower than it first looks. The typed password is evaluated in the browser and is not written into the query string because the synced params exclude it. However, the page does fetch the common-password list from the SecLists project so the dictionary comparison can run locally after that list loads.
Step-by-Step Guide:
- Type a candidate password into the main field. If you paste several lines, keep in mind that the first line is the only one evaluated.
- Read the summary badge first for the strength label, percent, entropy bits, length, and warning chips.
- Open the Properties tab to confirm the raw composition counts and the derived character-set size.
- Open Crack-time and, if needed, raise the slowdown factor to model slower verification. This changes the time table only.
- Check the Dictionary tab for a common-password match and the Entropy tab for the exact band interpretation.
- Use JSON, CSV, or DOCX export when you need an audit trail or a side-by-side comparison between candidate passwords.
- If the result looks better than expected, verify that the password is unique and not built from a familiar date, name, or keyboard run that the tool could only partly detect.
Interpreting Results:
The main badge and the entropy band answer related but different questions. The badge is a heuristic composition score mapped to labels from Very Weak to Strong. Entropy is a search-space estimate measured in bits. A password can therefore score as Strong while still sitting below the page's strongest entropy bands.
The warning list should override complacency. A dictionary hit, a date-like pattern, a sequential run, or a very short length tells you that the password is more guessable than its mixed characters alone might suggest. In practical use, fewer warnings usually matters more than squeezing in one extra symbol.
| Output field | Boundary or state | Interpretation cue |
|---|---|---|
| Entropy bits | < 40 | Treat the password as easily guessable. |
| Entropy bits | >= 80 | The search-space estimate becomes much stronger, but uniqueness still matters. |
| Dictionary | Hit | Assume the password needs replacement, even if the badge looks respectable. |
| Warnings | Short (<12) | Length should be your next fix before decorative tweaks. |
| Crack-time | Large shift after slowdown | The stored-hash scenario may matter more than the raw password composition alone. |
The false-confidence trap is assuming that a tidy-looking summary means the password is safe everywhere. If the badge, entropy band, and warnings disagree, trust the harsher signal and test a longer, more unique passphrase. The clean verification step is to compare the candidate against a password manager generated option and see whether your custom choice still holds up.
Worked Examples:
Very short and predictable
abc123 scores Weak, carries about 31.0 bits of entropy, and immediately triggers Short (<12), No uppercase, No symbols, and Sequential pattern. Its crack-time rows stay below one minute even in the slower machine scenarios, which is exactly the kind of password the tool is meant to reject quickly.
Looks polished but still middle-band entropy
Tr33s&Rain!7 reaches the top heuristic label because it is at least 8 characters long and includes upper and lower case, digits, and symbols. Even so, its entropy lands at about 78.8 bits, which the page still classifies as Reasonable rather than Strong. That is a useful reminder that the badge and the entropy scale are separate outputs.
For this example, the standard desktop scenario stretches to about 10^8 years, the GPU row to about 10^6 years, and the parallel-GPU row to about 17,123 years. Those large values come from the random-search assumption, not from any knowledge of whether the password is reused elsewhere.
Troubleshooting a pattern-heavy candidate
hello@2024 earns a Fair label and about 61.1 bits of entropy, but it still raises Short (<12), No uppercase, and Looks like a date/year. The corrective path is not to append one more symbol to the end. A stronger fix is to replace the predictable year-based structure with a longer passphrase that is unique to the account.
FAQ:
Does my password leave the page?
The typed password is evaluated in the browser and is not copied into the page URL. The page does make one separate network request to load the common-password dictionary from SecLists so the dictionary comparison can run locally after that file arrives.
Why does only the first line count?
This tool is built for single-password evaluation. If extra lines are present, it shows a warning and ignores the later lines so the metrics, warnings, and exports stay tied to one candidate string.
Why can a password be Strong and still only Reasonable in entropy?
The Strong label comes from the heuristic score, which rewards composition rules. The Reasonable band comes from the entropy calculation, which looks at search-space size. A password can satisfy the first model without reaching the upper bands of the second.
What does the slowdown factor really change?
Only the crack-time table. It divides the scenario guess rates to mimic slower verification. It does not change length, character counts, entropy, warnings, or the heuristic strength score.
Is a long passphrase always enough?
Length helps a great deal, but reuse and predictability still matter. A long phrase built from personal facts, a site name, or a common quote can be weaker in practice than its raw search-space estimate suggests.
Glossary:
- Entropy
- The search-space estimate in bits, calculated from password length and the effective character-set size.
- Character-set size
- The total number of possible symbols implied by the classes the password actually uses: digits, uppercase, lowercase, and symbols.
- Dictionary hit
- An exact lowercase match against the loaded 10,000-entry common-password list.
- Guess rate
- The guesses-per-second scenario used in the crack-time table before slowdown is applied.
- Hash slowdown factor
- The multiplier that reduces the scenario guess rate to mimic slower password verification.