Toolcroft

Password Strength Checker

Check the strength of any password instantly - locally, in your browser. See entropy estimate, crack time at multiple attack speeds, and specific improvement tips.

Your password is analyzed locally. It is never sent to our servers or logged anywhere. Open your browser's Network tab to confirm.


How password strength is measured

This tool uses two complementary approaches. First, it estimates entropy: the number of bits of unpredictability, computed from the character classes present (lowercase, uppercase, digits, symbols) and the length of the password as length × log2(pool size). A 16-character password drawn from all four classes (pool size 94) has roughly 105 bits of entropy, enough to resist any foreseeable brute-force attack, but only if every character really was chosen uniformly at random. The figure is an upper bound, which is why the second check exists.

Second, it checks for patterns that attackers test first: common passwords (like "password123"), repeated characters ("aaaa"), sequential runs ("1234", "abcde"), and keyboard walks ("qwerty"). A password that looks long but is built from one of these patterns is far weaker than the raw entropy estimate suggests, so the score is adjusted downward.

Understanding the crack time estimates

The four attack scenarios cover the realistic range of threats:

  • Online throttled (100/s): most web services limit login attempts to a few per second. An attacker guessing your password over the public internet faces this limit.
  • Online unthrottled (10,000/s): some services have looser rate limits, or the attacker can spread attempts across many IPs.
  • Offline slow hash (10M/s): if a password database is stolen, attackers crack it locally with no rate limit. This scenario assumes the site stored its hashes with a deliberately slow function such as bcrypt or Argon2, which caps the attacker's throughput.
  • Offline fast hash (10B/s): the worst case: the stored hash is MD5, SHA-1, or a single round of SHA-256. Salting does not help here; a salt defeats precomputed tables and forces each user to be cracked separately, but it does not slow the hash itself, and modern GPU rigs try billions of candidates per second.

The estimates show the average time, i.e. half the search space at the given rate. The actual time can be anywhere from almost nothing (the attacker happens to guess it early) up to twice the average (the entire space is exhausted before the password is hit).
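The entropy estimate and the four crack-time scenarios above, worked through in code. This is an added example, not Toolcroft's own implementation; the per-class pool sizes (26, 26, 10 and 32 symbols, giving the 94-character pool mentioned above) and the sample passwords are assumptions made here.

```javascript
// Added example (not Toolcroft's code): naive character-class entropy estimate
// and average crack time at the four attack speeds the page lists.
// Pool sizes are assumptions: 32 symbols gives the 94-char printable-ASCII pool.

const CLASSES = [
  { name: 'lowercase', re: /[a-z]/, size: 26 },
  { name: 'uppercase', re: /[A-Z]/, size: 26 },
  { name: 'digits',    re: /[0-9]/, size: 10 },
  { name: 'symbols',   re: /[^A-Za-z0-9]/, size: 32 },
];

// Guesses per second for each scenario, as listed on the page.
const ATTACKS = {
  onlineThrottled:   1e2,
  onlineUnthrottled: 1e4,
  offlineSlowHash:   1e7,
  offlineFastHash:   1e10,
};

// Pool = sum of the sizes of the classes present; entropy = length * log2(pool).
// This is an upper bound that only holds if every character was chosen uniformly at random.
function estimateEntropyBits(password) {
  const pool = CLASSES.filter(c => c.re.test(password))
                      .reduce((sum, c) => sum + c.size, 0);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Average time to find the password: half the search space at the given rate.
function averageCrackSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits) / 2 / guessesPerSecond;
}

// Render seconds as a coarse human-readable duration.
function humanDuration(seconds) {
  if (seconds < 1) return 'instant';
  const units = [
    ['century', 'centuries', 3153600000],
    ['year', 'years', 31536000],
    ['day', 'days', 86400],
    ['hour', 'hours', 3600],
    ['minute', 'minutes', 60],
    ['second', 'seconds', 1],
  ];
  for (const [one, many, span] of units) {
    if (seconds >= span) {
      const n = seconds / span;
      const shown = n >= 1e6 ? n.toExponential(1) : String(Math.round(n));
      return `${shown} ${Math.round(n) === 1 ? one : many}`;
    }
  }
}

// Full report: entropy bits plus average crack time per scenario.
function crackTimeReport(password) {
  const bits = estimateEntropyBits(password);
  const times = {};
  for (const [scenario, rate] of Object.entries(ATTACKS)) {
    const seconds = averageCrackSeconds(bits, rate);
    times[scenario] = { seconds, human: humanDuration(seconds) };
  }
  return { bits, times };
}

// Sample run (constructed inputs): an all-lowercase word vs a random 16-char string.
for (const pw of ['password', 'Xk9#mQ2$pL7!vN4@']) {
  const report = crackTimeReport(pw);
  console.log(pw, report.bits.toFixed(1), 'bits;', report.times.offlineFastHash.human, 'at 10B/s');
}
```

Note that this estimate rates "password" at about 37.6 bits (roughly 10 seconds against a fast hash), which is already generous: a dictionary attack finds it on the first guess. That gap is exactly what the pattern checks in the next sections correct for.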

Why patterns matter more than length

A 12-character password like "Qwerty123!!!" is technically in the "complex" category (upper, lower, digits, symbols), but it would be cracked almost immediately because it's a predictable keyboard pattern. Attackers maintain wordlists of millions of such patterns and test them before trying brute force. A random 8-character password from all four classes is often stronger in practice than a patterned 12-character one.

What to do if your password is weak

The suggestions panel gives specific, actionable advice. The most impactful changes are, in rough order: avoid common passwords, add length (each extra character multiplies the search space by the pool size), mix in character classes not already present, and remove obvious patterns. Use the Password Generator if you want a cryptographically random replacement, or the Passphrase Generator if you need something memorable.

zxcvbn algorithm details

This tool uses the zxcvbn algorithm developed at Dropbox (open-sourced in 2012). Rather than scoring passwords by character class alone, zxcvbn estimates how many guesses an attacker would need, modelled on how passwords are actually cracked. It detects:

  • Dictionary words (from English words, names, and common passwords).
  • Keyboard patterns - "qwerty", "asdf", "zxcvbn" itself, and their shifts and reversals.
  • L33t substitutions - replacing letters with look-alike numbers or symbols (p@ssw0rd), which attackers account for exhaustively.
  • Date patterns - birthdates, years, and common date formats.
  • Repeated characters and sequences - "aaa", "123", "abc".

The score (0–4) is derived from that estimated guess count (roughly: 0 below 10^3 guesses, 1 below 10^6, 2 below 10^8, 3 below 10^10, 4 above), not from a raw entropy calculation, so a long password assembled from dictionary words and patterns scores low even when its character-class entropy looks high.
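A simplified, zxcvbn-style matcher illustrating the pattern checks described in this section and in "How password strength is measured" above: the password is tokenized greedily (longest match first) into dictionary words with l33t substitutions undone, keyboard walks, sequential runs and repeats, with single-character brute force as the fallback; per-token guess counts are multiplied and the total mapped to zxcvbn's 0–4 score bands. This is an added example, not Toolcroft's or zxcvbn's code; the word list, keyboard rows, l33t table and per-pattern guess formulas are constructed approximations for illustration, not zxcvbn's real data or estimators.

```javascript
// Added example (not Toolcroft's or zxcvbn's code): a simplified zxcvbn-style
// pattern analysis. Word list, keyboard rows and guess formulas are constructed
// stand-ins for illustration, not zxcvbn's real data.

const DICT = ['password', 'qwerty', 'letmein', 'welcome', 'admin', 'dragon',
              'monkey', 'iloveyou', 'troubadour'];
const DICT_RANK = new Map(DICT.map((w, i) => [w, i + 1]));   // rank 1 = most common
const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm'];
const L33T = { '@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };

const unl33t = s => [...s].map(ch => L33T[ch] || ch).join('');

// Pool size for a single brute-forced character (26/26/10/32, matching the entropy estimate).
function charPool(ch) {
  if (/[a-zA-Z]/.test(ch)) return 26;
  if (/[0-9]/.test(ch)) return 10;
  return 32;
}

// Each matcher returns the longest match starting at i as {length, guesses, pattern}, or null.
function matchDictionary(lower, i) {
  for (let j = lower.length; j >= i + 3; j--) {          // words of 3+ chars, longest first
    const raw = lower.slice(i, j), plain = unl33t(raw);
    const rank = DICT_RANK.get(plain);
    if (rank === undefined) continue;
    const l33t = raw !== plain;
    // A ranked word costs about `rank` guesses; l33t spelling adds only a small factor.
    return { length: j - i, guesses: rank * (l33t ? 4 : 1), pattern: l33t ? 'l33t' : 'dictionary' };
  }
  return null;
}

function keysAdjacent(a, b) {
  return KEYBOARD_ROWS.some(row => {
    const p = row.indexOf(a), q = row.indexOf(b);
    return p >= 0 && q >= 0 && Math.abs(p - q) === 1;
  });
}

function matchKeyboard(lower, i) {
  let len = 1;
  while (i + len < lower.length && keysAdjacent(lower[i + len - 1], lower[i + len])) len++;
  if (len < 3) return null;
  // Roughly 40 starting keys, then a left/right choice at each step.
  return { length: len, guesses: 40 * Math.pow(2, len - 1), pattern: 'keyboard' };
}

function matchSequence(lower, i) {
  if (i + 1 >= lower.length) return null;
  const step = lower.charCodeAt(i + 1) - lower.charCodeAt(i);
  if (Math.abs(step) !== 1) return null;
  let len = 2;
  while (i + len < lower.length &&
         lower.charCodeAt(i + len) - lower.charCodeAt(i + len - 1) === step) len++;
  if (len < 3) return null;
  const first = lower[i];
  const base = (first === 'a' || first === '1') ? 4 : /[0-9]/.test(first) ? 10 : 26;
  return { length: len, guesses: base * len * (step < 0 ? 2 : 1), pattern: 'sequence' };
}

function matchRepeat(lower, i) {
  let len = 1;
  while (i + len < lower.length && lower[i + len] === lower[i]) len++;
  if (len < 3) return null;
  return { length: len, guesses: charPool(lower[i]) * len, pattern: 'repeat' };
}

function analyzePassword(password) {
  const lower = password.toLowerCase();
  const tokens = [];
  let guesses = 1, i = 0;
  while (i < lower.length) {
    const found = [matchDictionary(lower, i), matchKeyboard(lower, i),
                   matchSequence(lower, i), matchRepeat(lower, i)].filter(Boolean);
    const m = found.length
      ? found.reduce((a, b) => (b.length > a.length ? b : a))          // longest match wins
      : { length: 1, guesses: charPool(password[i]), pattern: 'bruteforce' };
    const text = password.slice(i, i + m.length);
    let g = m.guesses;
    if (m.pattern !== 'bruteforce' && /[A-Z]/.test(text)) g *= 2;   // capitalisation variants
    tokens.push({ text, pattern: m.pattern, guesses: g });
    guesses *= g;
    i += m.length;
  }
  // zxcvbn's score bands: <1e3 -> 0, <1e6 -> 1, <1e8 -> 2, <1e10 -> 3, else 4.
  const score = guesses < 1e3 ? 0 : guesses < 1e6 ? 1 : guesses < 1e8 ? 2 : guesses < 1e10 ? 3 : 4;
  return { guesses, score, patterns: tokens.map(t => t.pattern), tokens };
}

// Sample run (constructed inputs): patterned 12-char vs l33t word vs random 8-char.
for (const pw of ['Qwerty123!!!', 'p@ssw0rd', 'Xk9#mQ2$']) {
  const r = analyzePassword(pw);
  console.log(pw, r.patterns.join('+'), 'guesses ~', r.guesses.toExponential(1), 'score', r.score);
}
```

On "Qwerty123!!!" the matcher finds dictionary/keyboard word + sequence + repeat and lands in the low thousands of guesses (score 1), while the random 8-character "Xk9#mQ2$" falls through to brute force at roughly 5 × 10^10 guesses (score 4): the same conclusion the "Why patterns matter more than length" section draws. Real zxcvbn additionally searches for the lowest-guess cover of the whole string rather than taking the first longest match, and carries far larger dictionaries.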

Real-world breach data

Have I Been Pwned (HIBP) is a free service run by security researcher Troy Hunt that indexes billions of breached account records and the passwords found in them (the Pwned Passwords set). You can check whether a specific password has appeared in a known breach.

The HIBP Pwned Passwords API uses a k-anonymity model for privacy. Instead of sending the password, the client hashes it with SHA-1, takes the uppercase hex digest, and sends only the first 5 characters of that hash to the range endpoint. The API returns every hash suffix in its set that begins with those 5 characters (several hundred on average, each with a count of how often it was seen in breaches), and the client compares the remaining 35 characters of its own hash against that list locally. The server learns only a 5-character prefix shared by hundreds of unrelated passwords, never the complete password or hash. Note that this step, unlike the strength analysis, does involve a network request: the prefix leaves your browser.

A password found in breach data should be considered compromised regardless of its complexity score - attackers check breach lists before attempting brute force.