Password Strength Checker

We calculate Shannon entropy based on your password's length and the variety of character types used (uppercase, lowercase, numbers, and symbols). The larger and more varied your character set, the exponentially harder it is to brute-force. We also detect common passwords and predictable patterns (like "qwerty" or repeated characters) and mark them as weak regardless of length.

No. All analysis runs entirely in your browser using JavaScript. Your password never leaves your device — it is never transmitted, stored in a database, or logged anywhere. You can verify this by opening DevTools → Network and confirming there are no requests made while typing.

A strong password is at least 12–16 characters long and uses a mix of uppercase letters (A–Z), lowercase letters (a–z), numbers (0–9), and special characters (!@#$%^&*). Avoid dictionary words, names, keyboard patterns (like "123456" or "qwerty"), and any password you have used before on another site.

We assume a worst-case offline brute-force attack running at 1 trillion guesses per second — a realistic figure for a well-resourced attacker with a leaked password hash. We compute the total possible combinations for your password's character pool and length, divide by two (average case), and divide by the attack rate to get seconds.

Generated passwords use the browser's built-in crypto.getRandomValues() API — a cryptographically secure random number generator. We guarantee at least one uppercase letter, one lowercase letter, one number, and one special character, then randomly fill the remaining characters. The result is shuffled using a Fisher-Yates algorithm.

Security experts recommend at least 12 characters for general accounts and 16+ characters for high-value accounts (email, banking, cloud storage). Length is the single most powerful factor in password strength — each additional character multiplies the number of possible combinations by the size of the character set.