Password Strength Checker & Generator
Check any password's entropy and estimated time-to-crack, then generate a properly random replacement. Everything runs locally in your browser — nothing is transmitted or stored.
How strong is your password?
Estimate assumes a random password and an offline attack at 10 billion guesses/second. Passwords based on dictionary words, names, or reuse fall much faster. Use a password manager and unique passwords per site.
Generate a strong password
How password strength is measured
Strength is measured in bits of entropy: length × log₂(alphabet size). A 10-character lowercase password has ~47 bits; adding uppercase, digits, and symbols pushes the same length to ~65 bits; and every extra character adds more than any character-set trick. That's why length beats complexity — a 16-character password is out of reach for brute force even if it's just lowercase words, provided it's random.
The crack-time estimate here assumes an offline attacker at 10 billion guesses per second (a modern GPU rig against a weak hash). Online attacks are millions of times slower; leaked-database attacks against unsalted MD5 are faster.
What actually keeps accounts safe
Real-world breaches rarely brute-force strong passwords — they exploit reuse. One leaked password gets tried everywhere (credential stuffing). The defense stack, in order: a unique random password per site (use a password manager), two-factor authentication on anything important, and passkeys where offered. A strong master password of 4–6 random words (~77+ bits) protects the manager itself.
Frequently asked questions
How long should a password be in 2026?
16+ characters for anything important. NIST guidance emphasizes length over complexity rules; 12 characters is a floor, and password-manager-generated 20+ character passwords are the practical standard.
Is this checker safe to use?
Yes — the check runs entirely in your browser with JavaScript. No password, keystroke, or result is sent to any server. You can verify by loading the page and disconnecting from the internet.
What is password entropy?
A measure of unpredictability in bits: each bit doubles the guesses an attacker needs. 40 bits falls in minutes to offline attacks, 60 bits in months, and 80+ bits is effectively uncrackable by brute force.
Are passphrases better than complex passwords?
Four to six random dictionary words ("correct horse battery staple" style) reach 50–77+ bits while staying memorable. Randomness is the key — a quote or lyric is far weaker than random words.
This tool provides estimates for educational purposes only and does not constitute professional advice.