Skip to content
UtilHQ

Password Strength Checker

Check any password against multiple security criteria with this free strength checker.

100% Free No Data Stored Instant

Your password is never transmitted or stored. All checks happen privately.

Type a password above to analyze its strength.
Ad Space
Ad Space

Share this tool

About This Tool

Check any password against multiple security criteria with this free strength checker. Enter a password to see an instant score from 0 to 100, a strength label from Very Weak to Very Strong, the estimated time it would take to crack using brute force, and the entropy in bits. The tool also checks against a database of commonly breached passwords and flags dictionary words that make passwords easier to guess. A visual checklist shows which security requirements your password meets and which it misses. Your password never leaves your device. Nothing is transmitted, stored, or logged anywhere. Use this tool before creating accounts, auditing existing passwords, or teaching others about password security fundamentals.

How the Strength Score Is Calculated

The strength score combines four factors: length, character variety, entropy, and known weakness detection. Longer passwords earn more points up to a cap of 30. Using a mix of uppercase, lowercase, numbers, and symbols adds up to 40 more points. High-entropy passwords receive a bonus of up to 20 points. Penalties are applied for common passwords, dictionary words, repeated characters, and sequential patterns like "123" or "abc." The final score maps to five strength labels.

  • 0-20: Very Weak - easily cracked in seconds
  • 21-40: Weak - vulnerable to basic attacks
  • 41-60: Fair - resists simple attacks but has room for improvement
  • 61-80: Strong - good for most accounts
  • 81-100: Very Strong - excellent protection

Understanding Entropy

Entropy measures the unpredictability of a password in bits. It is calculated by multiplying the password length by the log-base-2 of the character pool size. A password using only lowercase letters (26 characters) has less entropy per character than one that also includes uppercase, digits, and symbols (95 characters).

For reference, a 12-character password using all character types has approximately 79 bits of entropy, which would take billions of years to crack with current hardware. A password of the same length using only lowercase letters has about 56 bits, which is significantly weaker. The minimum recommended entropy for important accounts is 60 bits, and 80+ bits is considered very strong.

Crack Time Estimates

The estimated crack time assumes an attacker performing 10 billion guesses per second, which represents a high-end GPU cracking rig. The calculation divides the total number of possible combinations (2 raised to the power of entropy bits) by the guess rate, then takes the average case (half the total).

These estimates are for offline brute-force attacks where the attacker has a password hash. Online attacks are much slower because servers limit login attempts. The estimates do not account for targeted attacks, social engineering, or password reuse across sites. Treat the crack time as a relative measure: "Millions of years" means the password is computationally infeasible to crack with current technology.

Common Password Detection

The tool checks your password against a curated list of frequently breached passwords collected from public data breach disclosures. Passwords like "password123," "qwerty," "iloveyou," and "letmein" appear in millions of breached records. Attackers try these passwords first because they work far more often than random strings.

If your password matches a known common password, the strength score is capped at the lowest tier regardless of its length or character variety. A 20-character password that happens to be a common phrase is no more secure than a 4-character one in practice, because attackers maintain dictionaries of known passwords and test them before starting brute-force attempts.

Tips for Creating Strong Passwords

The most effective passwords combine length with randomness. A passphrase of four or more random, unrelated words (like "correct horse battery staple") provides high entropy while remaining memorable. Adding a number and symbol between words increases the pool size further.

Avoid personal information like birthdays, pet names, or addresses. Avoid keyboard patterns like "qwerty" or "asdfgh." Avoid simple substitutions like "p@ssw0rd" since attackers know these patterns. Use a different password for every account, and store them in a password manager. Enable two-factor authentication on all accounts that support it for an additional layer of protection beyond the password itself.

Frequently Asked Questions

Is my password sent to a server for checking?
No. All analysis happens locally and privately. The password is never transmitted over any network, never stored in any database, and never logged.
What does "entropy" mean for passwords?
Entropy is a measure of randomness expressed in bits. Higher entropy means more possible combinations an attacker must try. A password with 80 bits of entropy has 2^80 possible combinations (over 1.2 septillion), making it computationally infeasible to crack by brute force with current technology.
Why is my long password rated as weak?
Length alone does not guarantee strength. If the password is a common phrase, a dictionary word, or uses only one character type (all lowercase, for example), the score will be penalized. Mix character types and avoid recognizable words or patterns for the best rating.
How many guesses per second can attackers make?
The estimate uses 10 billion guesses per second, which represents a high-end GPU cracking setup targeting password hashes offline. Online attacks are limited to perhaps a few hundred attempts per second due to rate limiting. The offline rate represents the worst-case scenario.
What makes a password "common"?
A password is common if it appears in public databases of breached credentials. Lists like "rockyou.txt" contain millions of real passwords exposed in data breaches. Attackers use these lists as their first attack vector because they succeed against a significant percentage of accounts.
Is a longer password always better?
Generally yes, but only if the additional length adds randomness. "aaaaaaaaaaaaaaaa" is 16 characters but trivially easy to guess. "Kj7$mP2@vL8n" is shorter but far more secure because each character is unpredictable. Combine length with character variety for the best results.
Should I use a passphrase instead of a password?
Passphrases of four or more random, unrelated words are excellent because they provide high entropy while remaining easier to remember than random character strings. Choose words randomly rather than from a meaningful sentence. Adding numbers or symbols between words makes them even stronger.
U

Reviewed by the UtilHQ Team

Our tools are verified for accuracy. Results are estimates for planning purposes.