Password Strength Checker
Free web tool: Password Strength Checker
About Password Strength Checker
The Password Strength Checker analyzes any password and reports four key metrics: length, Shannon entropy in bits, estimated time to crack under a brute-force attack of 10 billion guesses per second, and a 5-level strength rating (Very Weak / Weak / Moderate / Strong / Very Strong). The entropy calculation is based on the character pool size — lowercase adds 26, uppercase adds 26, digits add 10, and special characters add 33 — giving a realistic measure of password complexity.
Security trainers, system administrators, and developers building registration forms use this tool to evaluate passwords against modern attack assumptions. The crack-time estimate assumes 10 billion guesses per second, which reflects the throughput of a modern GPU cluster attacking offline MD5 hashes. For bcrypt or Argon2 protected passwords, real-world crack times would be many orders of magnitude longer — this tool gives a conservative worst-case estimate.
Beyond entropy and crack time, the tool detects six common weakness patterns: repeated single character (e.g., "aaaaaa"), sequential characters or numbers (e.g., "abc123"), well-known common passwords (password, qwerty, admin, letmein, etc.), numeric-only passwords, letter-only passwords, and any character repeated 3 or more times consecutively. Detected patterns are listed as explicit warnings, giving actionable feedback on exactly how to improve the password.
Key Features
- Shannon entropy calculation based on actual character pool size (lowercase, uppercase, digits, special chars)
- Estimated crack time displayed in human-readable units from "Instant" to "Billions of years+" at 10B guesses/sec
- 5-level strength rating: Very Weak (<28 bits), Weak (<36), Moderate (<60), Strong (<80), Very Strong (80+ bits)
- Character composition breakdown — shows which of the 4 character types (lower/upper/digit/symbol) are present
- Weak pattern detection: repeated characters, sequential strings, common passwords, numbers-only, letters-only
- Real-time analysis — updates instantly with every keystroke, no submit button required
- Password typed in plaintext for full visibility while analyzing — no data sent to any server
- Dark mode support and responsive grid layout displaying all 4 metrics simultaneously
Frequently Asked Questions
How is password entropy calculated?
Entropy is calculated as: length × log₂(pool size), where pool size is the combined size of the character classes present in the password. Lowercase letters add 26 to the pool, uppercase 26, digits 10, and special characters 33. A 12-character password using all 4 types has a pool of 95, giving entropy of 12 × log₂(95) ≈ 78.8 bits.
What does the crack time estimate mean?
The estimate assumes an attacker attempts 10 billion (10¹⁰) guesses per second — typical for a GPU cluster attacking an offline MD5 hash dump. The time shown represents the expected time to crack the password on average (total guesses needed / 2). For online attacks with rate limiting, real crack times are vastly longer. For bcrypt/Argon2 hashes, they are also much longer due to algorithmic cost.
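The entropy, crack-time and rating rules described above can be written out as follows. This is an added example, not the tool's own source; the function names and the rule that any non-alphanumeric character counts as "special" are assumptions.

```javascript
// Added example: the scoring model described on this page, not the tool's source.
const GUESSES_PER_SECOND = 1e10; // the page's assumption: 10 billion guesses/sec

// Pool contribution per character class, as stated on the page.
const CLASSES = [
  { name: "lower",  re: /[a-z]/,        size: 26 },
  { name: "upper",  re: /[A-Z]/,        size: 26 },
  { name: "digit",  re: /[0-9]/,        size: 10 },
  // Assumption: anything that is not an ASCII letter or digit is "special".
  { name: "symbol", re: /[^A-Za-z0-9]/, size: 33 },
];

// 5-level rating using the thresholds from the Key Features list.
function rate(bits) {
  if (bits < 28) return "Very Weak";
  if (bits < 36) return "Weak";
  if (bits < 60) return "Moderate";
  if (bits < 80) return "Strong";
  return "Very Strong";
}

function estimate(password, guessesPerSecond = GUESSES_PER_SECOND) {
  const present = CLASSES.filter((c) => c.re.test(password));
  const pool = present.reduce((sum, c) => sum + c.size, 0);
  // Empty input has pool 0; guard against 0 * log2(0) = NaN.
  const bits = pool === 0 ? 0 : password.length * Math.log2(pool);
  // Average case: half of the keyspace is searched before a hit.
  const seconds = 2 ** bits / 2 / guessesPerSecond;
  return {
    length: password.length,
    types: present.map((c) => c.name),
    pool,
    bits,
    seconds,
    rating: rate(bits),
  };
}
```

The result depends only on length and which classes are present: `estimate("aaaaaaaaaaaaaaa")` comes out at about 70.5 bits and "Strong", which is why the formula has to be paired with pattern warnings.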
Why is "password123" rated weak despite having letters and numbers?
The entropy formula rewards unpredictability. "password123" contains a very common dictionary word followed by a predictable number sequence, which are both detected as weak patterns. In practice, an attacker using a dictionary + rules attack would crack it almost instantly regardless of its 11-character length and mixed composition.
What entropy level is considered secure?
For most purposes, 60+ bits of entropy is considered reasonably strong against offline attacks. 80+ bits (rated "Very Strong") is considered highly resistant. However, entropy alone is not sufficient — a password with high entropy that follows a known pattern (e.g., a word from a 2-million-word list with a number appended) has far less practical strength than its calculated entropy suggests.
Why does the tool show the password in plaintext?
Analysis requires seeing the actual characters to compute entropy and detect patterns. Since all processing is done locally in your browser and nothing is transmitted to any server, displaying the password in plaintext is safe in this context. You can also evaluate a candidate password rather than your actual account password.
How many special characters are counted in the pool?
The tool counts 33 special characters — the printable ASCII symbols that are not letters or digits: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~. If your password contains any of these, 33 is added to the pool size regardless of how many different special characters you used.
What common passwords does the tool detect?
The tool detects passwords that start with any of these known common passwords: password, qwerty, letmein, admin, welcome, monkey, dragon, master, login. These are among the most frequently used passwords in breach databases and would be tried first by any attacker using a dictionary attack.
Does a longer password always mean a stronger password?
Generally yes, but with caveats. Length directly multiplies entropy, so a longer password from the same character pool is always stronger by the numbers. However, a very long password composed of only one repeated character (e.g., "aaaaaaaaaaaaaaa") has zero effective entropy and would be cracked instantly. The tool detects this pattern and warns you.
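The six weakness checks and the common-password list described on this page can be sketched as below. This is an added example, not the tool's own source; the function names, the warning labels, case-insensitive matching, and the definition of a sequence as three or more ascending letters or digits are assumptions.

```javascript
// Added example: the six weakness checks described on this page, not the tool's source.
// Common-password prefixes exactly as listed on the page.
const COMMON = ["password", "qwerty", "letmein", "admin", "welcome",
                "monkey", "dragon", "master", "login"];

// Assumption: a "sequence" is 3+ ascending neighbours within letters or digits,
// e.g. "abc" or "123". Mixed runs such as "9:;" are ignored.
function hasSequence(s) {
  const t = s.toLowerCase();
  for (let i = 2; i < t.length; i++) {
    const run = t.slice(i - 2, i + 1);
    if (/^[a-z0-9]{3}$/.test(run) &&
        t.charCodeAt(i) - t.charCodeAt(i - 1) === 1 &&
        t.charCodeAt(i - 1) - t.charCodeAt(i - 2) === 1) {
      return true;
    }
  }
  return false;
}

// Returns a list of warning labels (labels are illustrative, not the tool's wording).
function findWeakPatterns(password) {
  const warnings = [];
  // Whole password is one character repeated, e.g. "aaaaaa".
  if (/^(.)\1+$/.test(password)) warnings.push("single repeated character");
  if (hasSequence(password)) warnings.push("sequential characters");
  // The page says the tool matches passwords that START with a common password.
  const lower = password.toLowerCase();
  if (COMMON.some((w) => lower.startsWith(w))) warnings.push("common password");
  if (/^[0-9]+$/.test(password)) warnings.push("numbers only");
  if (/^[A-Za-z]+$/.test(password)) warnings.push("letters only");
  // Any character repeated 3 or more times in a row.
  if (/(.)\1\1/.test(password)) warnings.push("character repeated 3+ times");
  return warnings;
}
```

For "password123" this returns the sequence and common-password warnings, and for "aaaaaaaaaaaaaaa" it returns the repeated-character and letters-only warnings.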