Security Tools

Password Strength Checker

Analyze your password's entropy, estimated crack time, and get specific improvement suggestions. All checks run in your browser — your password is never sent anywhere.

By ToolHub Pro, Editorial Team·Updated 2026-01-15

Password to Check

Never sent to any server — evaluated entirely in your browser.

Entropy: The Real Measure of Password Strength

Password strength is measured in bits of entropy — the number of guesses an attacker would need to try on average. Each bit of entropy doubles the search space. A 40-bit password requires about 1 trillion guesses; a 60-bit password requires 1 quadrillion. Entropy comes from two sources: the size of the character set you draw from, and the length of the password. A truly random 12-character password using lowercase only (26 characters) has about 56 bits of entropy. Adding uppercase, digits, and symbols increases the character set to ~94, pushing the same length to ~79 bits — a meaningful improvement, but length gains are even more powerful because they compound.

Why Complexity Rules Fail

Password complexity requirements ("must include uppercase, number, and symbol") produce predictable patterns: Password1!, Welcome123$, Summer2024!. Attackers model these rules into their cracking algorithms. A password that technically satisfies complexity requirements but follows a predictable pattern can be cracked faster than a longer, purely lowercase random string. NIST's current guidance (SP 800-63B, updated 2024) explicitly recommends against mandatory complexity rules and periodic password rotation — both are counterproductive. Length minimums (12+ characters) and checking against known-breached password lists are the recommendations that actually improve security.

How Modern Password Crackers Work

Modern cracking uses GPU acceleration to test billions of guesses per second against stolen password hashes. Attacks layer multiple strategies: dictionary words first, then common substitutions (a→@, e→3), then rule-based mangling of dictionary words, then Markov-chain generation of plausible patterns. A 8-character password — even with mixed case and symbols — falls within minutes on modern hardware if it follows any predictable pattern. Truly random passwords of 12+ characters from a large character set remain computationally infeasible to crack regardless of hardware advances, which is why randomness matters as much as length.

Passphrases vs Random Passwords

A passphrase — four or more random dictionary words (e.g. "correct horse battery staple", from Diceware) — is both memorable and strong. Four random common words from a 7,776-word list (Diceware standard) provide 51 bits of entropy; five words give 64 bits, comparable to a random 12-character mixed-case password. Passphrases are easier to type and remember while meeting high entropy thresholds. They work best for master passwords that must be memorised — a password manager itself, a device login, or a disk encryption key. For everything else, a password manager generating random 20+ character passwords is more secure and requires no memorisation.

Frequently Asked Questions

What makes a password strong?

Length is most important — each character exponentially multiplies combinations. A 16-character password with mixed character types has trillions more combinations than an 8-character password. Aim for 12+ characters with uppercase, lowercase, numbers, and symbols.

What is password entropy?

Entropy measures unpredictability in bits. Higher entropy = harder to crack. 50+ bits is fair, 70+ is strong, 100+ is very strong against offline attacks. This tool calculates entropy based on character set size and password length.

How long does it take to crack a password?

Crack time depends on attacker hardware and the hash algorithm protecting the password. This tool uses a conservative 10 billion guesses/second estimate for offline attacks. Online attacks are much slower due to rate limiting.