Password Strength Checker Calculator

Test passwords against modern rules and attacker models. Get entropy, score, and safer alternatives instantly. Export results, spot patterns, and strengthen logins today securely.

Checker

Tune policies, pick an attacker model, then submit.

Avoid real credentials on shared machines.
Live preview meter (client-side)
Start typing to see hints.
Offline models assume stolen hashes.
Types include letters, digits, symbols, spaces.
Used to detect personal fragments.
Off by default. Exports can leak secrets.

Example data table

These are masked examples. Do not reuse them.

Example password (masked) Score Strength Entropy (bits)
p•••••••••3 8 Very Weak 56.9
W•••••••••! 79 Strong 72.3
B•••••••••••••2 100 Very Strong 98.5
C•••••••••••••••••••••6 100 Very Strong 151.1
C•••••••••••••••••••••••••! 100 Very Strong 177.8
Your score changes with selected policy options.

Formula used

  • Character pool estimate: sum of used sets (lowercase 26, uppercase 26, digits 10, symbols 33, spaces 1).
  • Entropy (bits): H = L × log2(pool), where L is password length.
  • Guess space: G ≈ pool^L. Expected guesses ≈ G / 2.
  • Crack time: T ≈ (G / 2) / rate, where rate depends on attacker model.
  • Score: normalized from entropy, then adjusted with bonuses and penalties for policy compliance and patterns.

These formulas estimate random guessing. Real attackers prioritize predictable choices first.

How to use this calculator

  1. Enter a password in the input box (or a test string).
  2. Pick an attacker model matching your risk scenario.
  3. Set minimum length and character-type requirements.
  4. Enable pattern blocking for stronger enforcement.
  5. Click Check Strength to see results above.
  6. Download CSV or PDF reports if needed.

Entropy-based scoring for real-world passwords

Strength is not “complexity”; it is guess resistance. This checker estimates strength from entropy, then adjusts it using policy compliance and pattern penalties. Scores are normalized so that about 80 bits maps to the top range, while values near 40 bits are treated as moderate for many consumer accounts. Results are shown immediately above the form to support quick iteration.

Character pool estimation and why it matters

Entropy depends on how many symbols an attacker must consider at each position. The calculator infers a character pool from what you actually used: lowercase (26), uppercase (26), digits (10), symbols (about 33), and optional spaces. Pool is not assumed; it is observed. If you only use letters, the pool stays small, and longer length becomes the primary driver of strength.

Pattern penalties that defeat entropy

Attackers rarely guess uniformly at random. They prioritize common passwords, keyboard walks, and repeated characters, which makes many “high-entropy” looking strings weak in practice. The checker can block a built‑in common list, flag sequences such as 1234 or abcd, and detect triple repeats like “aaa”. It also checks for personal fragments from usernames or email locals, because these reduce the search space dramatically.

Crack-time modeling for online and offline threats

Time-to-crack varies more by attack channel than by the score label alone. Online guessing is constrained by throttling, lockouts, and monitoring, while offline attacks can scale to 10^10 guesses per second against weak hashing choices. The calculator estimates search space as pool^L and uses expected guesses of half that space. It then reports times for multiple attacker models so teams can compare scenarios.

Policy tuning and operational use

Use options to match your environment: raise minimum length for privileged accounts, require more character types for shared credentials, and keep common and sequence blocking enabled for portals. Export CSV or PDF reports for audit trails, but avoid exporting raw passwords unless you explicitly opt in. For training, test sample phrases and review the issues list; it explains which rule failed and how to remediate quickly during security reviews internal. Pair strong passwords with multi‑factor authentication and unique storage practices.

FAQs

What does entropy mean in this checker?

Entropy estimates uncertainty in bits from length and the inferred character pool. More bits usually means more guesses are needed, but human patterns and common choices can still make a password easier to crack.

Why does the score drop for sequences or repeats?

Attackers try ordered runs and repeated characters early because they are common. The checker applies penalties for patterns like 1234, abcd, qwerty, or triple repeats to reflect that reduced real-world resistance.

Which attacker model should I select?

Use an online model for login forms with rate limits and monitoring. Use an offline model when stolen hashes are possible, because guessing speeds can be extremely high, especially with weak hashing settings.

Can I include the password in CSV or PDF exports?

Yes, but only if you enable the opt-in setting. Leaving it off reduces accidental exposure in downloads, logs, screenshots, tickets, and shared audit folders.

Does the calculator store my password permanently?

No. It evaluates input for the current session and keeps the last export data temporarily so downloads work. Avoid testing real passwords on shared or untrusted devices.

What is a practical target score?

Aim for Strong or Very Strong, typically achieved with 12–16+ characters and good variety. For privileged accounts or high-risk systems, prioritize length and uniqueness over memorized complexity.

Related Calculators

Password Entropy CalculatorPassword Crack TimeBrute Force TimePassphrase Strength TestPassword Guessability ScoreRainbow Table RiskLeaked Password CheckHash Strength EstimatorHash Cracking TimeTwo Factor Strength

Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.