Password Strength Checker
Analyze password strength with entropy calculation, pattern detection, and actionable suggestions
Your company’s security policy requires passwords with at least 80 bits of entropy. Or you’re building a registration form and want to show users how strong their password is. This tool analyzes password strength using information-theoretic entropy, character set detection, and common password matching — entirely in your browser.
What Is Password Entropy?
Password entropy measures the unpredictability of a password in bits. Higher entropy means more guesses are required to crack the password by brute force.
The formula is: entropy = log₂(character_set_size^password_length) = password_length × log₂(character_set_size)
For a password using only lowercase letters (26 characters) with 8 characters: 8 × log₂(26) ≈ 37.6 bits. A password using lowercase + uppercase + digits + symbols (95 characters) with 12 characters: 12 × log₂(95) ≈ 78.8 bits.
NIST SP 800-63B recommends a minimum of 8 characters for user-chosen passwords; security professionals typically recommend targeting 60+ bits of entropy for sensitive accounts.
How Strength Is Evaluated
This tool evaluates passwords across multiple dimensions:
Entropy — calculated from the detected character set and password length. Rated: Very Weak (<28 bits), Weak (28–35), Fair (36–59), Strong (60–79), Very Strong (80+).
Character diversity — does the password use lowercase, uppercase, digits, and symbols? Using all four character classes multiplies the effective search space.
Common password check — a list of the most commonly used passwords is checked against your input. Common passwords like “password123” are extremely weak regardless of length.
Pattern detection — sequential characters (abc, 123), keyboard patterns (qwerty), repeated characters (aaa), and dictionary words reduce effective entropy.
Frequently Asked Questions
Why doesn’t a longer password always mean stronger? Length helps, but patterns negate it. “aaaaaaaaaaaaaaaaa” (17 a’s) has very low entropy because an attacker would try repeated-character patterns. A truly random 12-character password is stronger.
What entropy level is sufficient? For most accounts: 60+ bits (Strong). For sensitive accounts (banking, email, password manager master): 80+ bits (Very Strong). NIST SP 800-63B guidance for memorized secrets suggests minimum 8 characters but focuses on blacklisting common passwords.
Does this tool send my password anywhere? No. All analysis runs entirely in your browser. No password data is sent to any server.
What is zxcvbn? zxcvbn is Dropbox’s password strength estimator that uses pattern matching and a dictionary. This tool implements a similar approach with entropy calculation, pattern detection, and common password matching.