Free & Private

Password Strength

Analyze your password instantly. Pattern-based analysis, not just character counting. Runs locally in your browser.


What Makes a Strong Password

  • Use 16 or more characters. Length is the single most impactful factor. Every additional character multiplies the number of possible combinations an attacker has to try.
  • Avoid predictable patterns. Dictionary words, names, dates, keyboard walks (qwerty, 12345), and l33t-speak substitutions (p@ssw0rd) are all in attackers' wordlists. zxcvbn catches these.
  • Mix character types. Combining uppercase, lowercase, numbers, and symbols expands the search space an attacker must cover, especially when done randomly rather than predictably.
  • Never reuse passwords. Even a strong password becomes a liability if the service storing it is breached. A unique password per account means one breach doesn't cascade into all your accounts.
  • Use a password manager to generate and store truly random passwords — no memorization required.

How This Tool Works

This tool is designed so that your password stays in your browser. The analysis runs entirely in JavaScript on your device. No keystroke, no character, and no result is transmitted to our servers or to any third party. You can verify this in your browser's developer tools: open the Network tab (F12 → Network) and type a password. You should see no outgoing requests.

Powered by zxcvbn. We use the open-source zxcvbn-ts library, a TypeScript port of Dropbox's zxcvbn. It uses pattern matching and frequency lists to estimate crack time realistically, rather than applying arbitrary rules about "must include a number."

Crack time is an estimate. The "offline slow hashing" scenario assumes an attacker with your hashed password and a machine making 10,000 guesses per second against a slow hash function (bcrypt, scrypt, or Argon2). Against a faster hash (MD5, SHA-1), the crack time could be a trillion times shorter. The estimate is realistic for well-configured systems but not a guarantee.
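To illustrate why pattern-based analysis and the 10,000 guesses per second scenario give such different answers from character counting, here is an added example. It is not this site's code or the zxcvbn-ts implementation: the word list, l33t map, keyboard rows and multipliers are small constructed assumptions.

```javascript
// Added example: a small pattern-aware estimator, NOT zxcvbn's algorithm.
// WORDLIST, LEET and WALKS are tiny constructed samples, not real frequency lists.
const WORDLIST = ["password", "letmein", "dragon", "monkey", "welcome"];
const LEET = { "@": "a", "4": "a", "0": "o", "3": "e", "1": "l", "$": "s", "5": "s" };
const WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const SLOW_HASH_RATE = 1e4; // guesses/second, the page's "offline slow hashing" scenario

// Naive model: alphabet size raised to the length, as if every character were random.
function bruteForceGuesses(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) alphabet += 33; // printable ASCII punctuation plus space
  return Math.pow(alphabet, pw.length);
}

// Pattern model: guesses needed if the password is a wordlist entry or keyboard walk.
function patternGuesses(pw) {
  const lower = pw.toLowerCase();
  const deleet = [...lower].map((c) => LEET[c] || c).join("");
  const rank = WORDLIST.indexOf(deleet);
  if (rank !== -1) {
    let guesses = rank + 1;             // position in the wordlist
    if (pw !== lower) guesses *= 2;     // capitalisation variant (assumed factor)
    if (deleet !== lower) guesses *= 2; // l33t variant (assumed factor)
    return guesses;
  }
  if (lower.length >= 4 && WALKS.some((w) => w.includes(lower))) {
    return WALKS.length * 10 * lower.length; // row x start offset x length, a rough bound
  }
  return Infinity; // no pattern matched
}

// The cheaper of the two models wins, then convert to time at the slow-hash rate.
function estimate(pw) {
  const naive = bruteForceGuesses(pw);
  const guesses = Math.min(naive, patternGuesses(pw));
  return { naive, guesses, seconds: guesses / SLOW_HASH_RATE };
}

for (const pw of ["P@ssw0rd", "qwerty", "kT7#vQ2!mZ9@xL4&"]) { // constructed samples
  console.log(pw, estimate(pw));
}
```

The `naive` field shows what pure character counting would report, so the gap between `naive` and `guesses` for "P@ssw0rd" is the effect of the pattern match.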

No cookies, no analytics on your input. Our analytics (Plausible CE) only sees that you visited this page — not what you typed. Plausible is cookie-free and privacy-respecting by design.

Frequently Asked Questions