🔐 Password Strength & Crack-Time Estimator
Type a password to see its real-time strength score, estimated crack time, and detailed improvement tips — powered by an advanced client-side algorithm.
How This Password Strength Analyzer Works
This tool uses an advanced client-side algorithm inspired by Dropbox's zxcvbn library to evaluate password strength without sending your password anywhere. The analysis engine evaluates the password across multiple dimensions:
- Brute-force entropy (Shannon): Calculates the information-theoretic entropy based on the effective character set size and password length. Longer passwords with mixed character types (uppercase, lowercase, digits, symbols) have exponentially more entropy.
- Pattern matching: Detects common patterns like sequential characters ("abcdef", "12345"), repeated characters ("aaa111"), keyboard patterns ("qwerty", "asdfgh"), and common substitutions ("p@ssw0rd"). These patterns dramatically reduce effective entropy.
- Dictionary attack simulation: Checks against a built-in list of 10,000+ common passwords from known breaches (RockYou leak, SecLists). Any password found in these lists receives the lowest possible score regardless of length or complexity.
- Leet-speak and substitution detection: Recognises common character substitutions (e.g., "@" for "a", "3" for "e", "0" for "o", "$" for "s") and evaluates the base word rather than the obfuscated version.
- Scoring formula: 0 (very weak) to 4 (very strong). The score is derived from a logistic function of the estimated crack time.
Estimated Crack Times
The crack-time estimates model an offline attacker with consumer-grade hardware capable of 10 billion guesses per second (10¹⁰ guesses/sec), which represents a realistic threat model:
- Score 0 (Very Weak): Cracked in under 1 second — instantly compromised.
- Score 1 (Weak): Cracked in under 1 minute.
- Score 2 (Fair): Cracked in under 1 hour.
- Score 3 (Strong): Cracked in under 1 year.
- Score 4 (Very Strong): Would take centuries or longer — effectively uncrackable.
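The brute-force entropy, substitution, dictionary and crack-time steps described above can be sketched as follows. This is an added example, not this tool's source code: the function names and the five-entry word list are constructed stand-ins, sequence and keyboard-pattern matching is left out, the score comes from the threshold bands listed above rather than a logistic function, and treating anything at or beyond 1 year as score 4 is an assumption.

```javascript
// Added illustration; not the tool's own source.
const GUESSES_PER_SEC = 1e10; // attacker rate stated on the page
// Constructed stand-in for the 10,000+ entry common-password list.
const COMMON = new Set(["password", "123456", "qwerty", "letmein", "admin"]);
const LEET = { "@": "a", "3": "e", "0": "o", "$": "s" }; // substitutions named on the page

// Undo leet substitutions so "p@ssw0rd" is judged as "password".
function normalize(pw) {
  return [...pw.toLowerCase()].map((c) => LEET[c] ?? c).join("");
}

// Effective character-set size from the character classes actually present.
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII symbols, including space
  return n;
}

// Brute-force entropy in bits: length * log2(charset size).
function entropyBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(charsetSize(pw));
}

// Seconds to exhaust the search space at the modelled guess rate.
function crackSeconds(pw) {
  // Dictionary hit (raw or de-obfuscated) overrides length and complexity.
  if (COMMON.has(pw.toLowerCase()) || COMMON.has(normalize(pw))) return 0;
  return Math.pow(2, entropyBits(pw)) / GUESSES_PER_SEC;
}

// Map crack time onto the 0-4 bands (>= 1 year treated as 4: assumption).
function score(pw) {
  const t = crackSeconds(pw);
  if (t < 1) return 0;
  if (t < 60) return 1;
  if (t < 3600) return 2;
  if (t < 365 * 24 * 3600) return 3;
  return 4;
}
```

Under this model each added lowercase letter contributes about 4.7 bits, so eight random lowercase letters fall in about 21 seconds while a 16-character mixed-class password lands far beyond the one-year band.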
Key Benefits vs. Other Password Checkers
- Absolute privacy: Unlike cloud-based password checkers, this tool runs entirely in your browser. Your passwords — including the ones you're testing — never leave your device.
- Comprehensive pattern analysis: Most basic checkers only look at length and character variety. This tool detects keyboard patterns, repeated characters, common substitutions, and dictionary words.
- Actionable feedback: Instead of just showing a score, the tool provides specific suggestions for improvement — telling you exactly why your password is weak and how to fix it.
Frequently Asked Questions
Does this tool store or transmit my password?
Absolutely not. The entire analysis — including dictionary lookups against a list of 10,000+ common passwords — runs client-side in your browser. Your password never touches a server, is never logged, and is never stored. Close the page and it's gone forever.
Does a 4/4 score guarantee my password is safe?
No score can guarantee safety against all attack vectors. A 4/4 score means the password is highly resistant to offline brute-force and dictionary attacks. However, other threats exist: phishing, keyloggers, credential stuffing from breaches on other sites where you reuse the same password, and social engineering.
What makes a password score 4/4?
Passwords that score 4/4 typically have: 16+ characters, a mix of uppercase, lowercase, digits, and symbols, no recognisable dictionary words or common patterns, and no sequential characters or repetitive patterns. A passphrase of 5+ random words also scores 4/4 due to high entropy.