Password Strength Checker

Check how strong your password is and get improvement suggestions

About This Tool

You came up with a password you're proud of, and you want a second opinion before committing to it on an account that matters. Most strength meters online are toy implementations that mainly check length and character classes — easy to fool with predictable patterns like "P@ssw0rd123!" which meets every checkbox.

This checker estimates entropy, looks for common dictionary patterns, and accounts for the substitutions attackers know about (zero for o, three for e, dollar sign for s). The result is a rough estimate of how long an attacker would need to guess your password — somewhere between offline cracking with a fast GPU rig and online attempts against a rate-limited login. Nothing leaves your browser, but as a habit, never type a real password into a web tool, including this one.

The entropy calculation: log base 2 of the search space size. A truly random 8-character lowercase password has 26^8 ≈ 2 × 10^11 possible values, or about 38 bits. Adding numbers and symbols pushes the search space larger, but only if the password is actually drawn randomly from the wider set. Most user-chosen passwords have far less effective entropy than the raw character-class math suggests because humans pick predictable patterns. The checker uses a zxcvbn-style approach: it tokenizes the password into recognizable patterns (dictionary words, dates, keyboard runs, common substitutions), estimates how many guesses each pattern adds, and reports the combined estimate. "correcthorsebatterystaple" — five common words — has roughly 50 bits of entropy if drawn randomly from a list of 8000 words; that's stronger than "Tr0ub4dor&3" which has maybe 30 bits because the structure is well-known to crackers.
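The tokenize-and-sum approach described above, next to the naive character-class math, as an added JavaScript example (not this tool's source code). The word list and its ranks, the substitution table, the 200-year range, the one-bit cost per variation and the greedy tokenizer are all assumptions made for illustration, so the figures it prints will not match the checker's.

```javascript
// Added example, not the checker's source. WORDS is a tiny constructed list
// with hypothetical frequency ranks; a real checker ships large ranked lists.
const WORDS = new Map([["password", 1], ["dragon", 8], ["monkey", 16], ["summer", 64]]);
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };
const YEAR_SPACE = 200; // assumption: attacker tries every year 1900-2099

// Naive meter: length * log2(sum of the character classes present).
function naiveBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  return pw.length ? pw.length * Math.log2(pool) : 0;
}

// Undo the substitutions listed in LEET and lowercase the result.
const unleet = (s) => s.toLowerCase().replace(/[^a-z]/g, (c) => LEET[c] || c);

// Pattern-aware estimate: greedy left-to-right tokenization, summing bits per token.
function patternBits(pw) {
  const perChar = pw.length ? naiveBits(pw) / pw.length : 0;
  let bits = 0;
  let i = 0;
  while (i < pw.length) {
    let matched = false;
    for (let j = pw.length; j > i; j--) { // longest dictionary word starting at i
      const raw = pw.slice(i, j);
      const rank = WORDS.get(unleet(raw));
      if (rank === undefined) continue;
      bits += Math.log2(rank);                          // guesses needed to reach this word
      if (raw !== raw.toLowerCase()) bits += 1;         // capitalisation variant
      if (raw.toLowerCase() !== unleet(raw)) bits += 1; // leet variant
      i = j;
      matched = true;
      break;
    }
    if (matched) continue;
    if (/^(19|20)\d\d/.test(pw.slice(i))) { bits += Math.log2(YEAR_SPACE); i += 4; continue; }
    bits += perChar; // unrecognised character: fall back to brute-force cost
    i += 1;
  }
  return bits;
}

for (const pw of ["summer2024", "P@ssw0rd!2024", "qzxvkjwp"]) {
  console.log(pw, "naive:", naiveBits(pw).toFixed(1), "pattern-aware:", patternBits(pw).toFixed(1));
}
```

With this constructed list, the naive meter credits "P@ssw0rd!2024" with about 85 bits while the pattern-aware estimate is about 16; for the random lowercase string the two estimates agree at about 38 bits.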

A worked example: paste in "summer2024". The checker recognizes "summer" as a top-100 dictionary word and "2024" as a recent year — both are in standard cracking dictionaries. Estimated entropy: about 12 bits. Estimated time to crack offline: under a second on a modern GPU. Now paste "correcthorsebatterystaple". Estimated entropy: ~44 bits. Time to crack: years on the same GPU rig. The length difference is misleading; the entropy difference is what matters. Paste "P@ssw0rd!2024" and you'll see another low score — the leetspeak substitution gains almost no entropy because crackers test that variant automatically.

The limitations: entropy estimates are upper bounds, not floors. Sophisticated attackers use targeted dictionaries (your social media history, leaked password databases, known breaches involving your other accounts) that can crack even high-entropy passwords if they're tied to your identity. The single best protection is unique passwords per account using a password manager, which sidesteps the human-tendency problem entirely. The strength of any individual password matters less than not reusing it across sites; reuse is the actual attack vector for most breaches. If you're rolling your own passwords for memorability reasons, use a passphrase of 5+ random words, not a clever-looking jumble of letters and numbers.

The about text and FAQ on this page were drafted with AI assistance and reviewed by a member of the Coherence Daddy team before publishing. See our Content Policy for editorial standards.

Frequently Asked Questions