How is password strength measured?
Password strength is about unpredictability, not just length or the presence of a special character. This checker estimates entropy — a measure in bits of how many guesses an attacker would need — based on the character variety and length of your password, then translates that into an approximate offline crack time.
Crucially, the entire calculation happens locally in your browser. Your password is never sent to any server, logged or stored. You can verify this in your browser's network tools: typing here makes no network requests.
What makes a password strong
- —Length first — every extra character multiplies the guesses required far more than adding symbols does.
- —Unpredictability — avoid dictionary words, names, dates and keyboard patterns like qwerty or 123456.
- —A passphrase of four or more random, unrelated words is both strong and memorable.
- —Uniqueness — never reuse a password across sites; a breach of one then compromises them all.
Better than memorising: a password manager
The strongest approach is to let a password manager generate and store long, random, unique passwords for every account, so you only need to remember one strong master password. Combine that with two-factor authentication wherever it is offered.
Use this tool to build intuition for what strong looks like, but treat the crack-time estimate as a guide, not a guarantee — real-world attacks also exploit reuse and breaches, which raw entropy doesn't capture.