Analyse any password for strength, entropy, and vulnerability patterns. Checks length, character diversity, common passwords, dictionary words, keyboard walks, and repeated patterns. 100% browser-based — your password is never transmitted.
Enter any password into the input field. Your password is analysed entirely in your browser using JavaScript — it is never sent to any server, logged, or stored. Toggle the eye icon to show or hide characters as you type.
The tool instantly calculates entropy (bits), estimates crack time at different attack speeds (online, offline, GPU), and checks for common patterns: dictionary words, keyboard sequences (qwerty, 12345), repeated characters, dates, names, and common password structures.
Red and amber warnings list specific weaknesses found in your password. Green checks show what you've done right. Follow the suggestions to build a password that meets NIST guidelines and resists modern attack techniques.
Password entropy is measured in bits and represents how unpredictable a password is. It is calculated as: entropy = log₂(pool size) × length, where pool size is the number of possible characters (26 for lowercase only, 52 for mixed case, 95 for all printable ASCII). A password with 60+ bits of entropy is considered strong. 80+ bits is very strong. NIST recommends at least 64 bits for general use. Long, random passphrases often achieve higher entropy than complex short passwords.
No. This tool performs all analysis in your browser using JavaScript. Your password never leaves your device — it is not transmitted over the network, not logged to any server, and not stored anywhere. You can verify this by disconnecting from the internet and observing that the tool still works fully. This is one of the key benefits of browser-based tools for sensitive inputs like passwords.
According to current NIST guidelines (SP 800-63B): length is the most important factor (longer is better, 15+ characters recommended), avoid common passwords and dictionary words (the most common attack), avoid personal information (name, birthday, pet name), use a mix of character types only if it genuinely increases unpredictability (not if it produces predictable patterns like P@ssw0rd), and use a unique password for every account. Passphrases (4–5 random unrelated words) are both strong and memorable.
A keyboard walk is a password constructed by moving along adjacent keys on a keyboard in a predictable pattern: qwerty, asdf, zxcv, 1234, qazwsx. These patterns are easy to type but are included in every password cracking dictionary and are among the first patterns attackers try. Despite appearing complex visually, they have very low effective entropy because they follow predictable physical keyboard layouts.
An online attack is constrained by the target server's rate limiting and network latency — typically 1–100 guesses per second before accounts are locked. An offline attack occurs when an attacker has obtained a copy of a password hash database and can test passwords locally using a GPU at billions or trillions of guesses per second. Password strength must withstand offline attacks since you cannot control how a breached system was secured.
Yes — strongly recommended. Password managers generate and store long, random, unique passwords for every site, solving the reuse problem (the most dangerous password vulnerability). They also protect against phishing by auto-filling only on the correct domain. Strong master passwords for your password manager should be a long passphrase (6+ random words) memorised and never used anywhere else. Popular options include Bitwarden (open source), 1Password, and Dashlane.
