Check how strong a password really is. Uses the same zxcvbn analysis password managers rely on to estimate realistic crack times, spot dictionary words, keyboard patterns and reused sequences, and suggest concrete improvements.
Everything runs locally in your browser. Your data never leaves your device.
Analyzed as you type. The password is kept in memory only and is never stored.
Strength
Type a password above to see its score, realistic crack times and the patterns that weaken it.
About the Password Strength Checker Tool
This tool checks how strong a password really is. Type or paste a password and read its 0 to 4 score, realistic estimates of how long cracking would take, and exactly which parts an attacker would guess first. The analysis is zxcvbn, the estimator built at Dropbox that password managers and signup forms rely on.
Unlike a simple length-and-symbols rule, zxcvbn thinks like an attacker. It searches the password for dictionary words, common passwords from real leaks, names, dates, keyboard runs, repeats and sequences, then scores what remains. A colored map shows which characters each pattern covers, and concrete suggestions tell you how to fix the weak spots. It pairs well with the Password Generator, which creates passwords and can send one straight here for a check.
What you can do
Test password strength with the same zxcvbn analysis password managers use.
See realistic crack times for online and offline attacks, from throttled login forms to GPU rigs.
See exactly which characters of the password each weak pattern covers.
Get concrete suggestions for making the password stronger.
Check the guess count, length and character classes of a password.
How to use the Password Strength Checker
1Type or paste the password. It stays masked, use the eye button to reveal it.
2Read the score, the verdict and the crack-time estimates for the four attack scenarios.
3Check the matched patterns to see which parts an attacker would guess first.
4Apply the suggestions and watch the score improve as you edit.
How the score works
The score runs from 0 (guessed almost instantly) to 4 (safe even against fast offline attacks). zxcvbn splits the password into the cheapest combination of known patterns, estimates how many guesses an attacker needs to reach each one, and multiplies them together. A long password built from one common word and a year can score worse than a short truly random one, which is exactly how real cracking tools behave.
The guess count feeds four crack-time estimates. Online attacks go through a login form, at roughly 100 guesses per hour when the site throttles attempts and 10 per second when it does not. Offline attacks assume the attacker stole the password database, at about 10,000 guesses per second against a slow hash like bcrypt and 10 billion per second against a fast hash on GPUs. The honest answer to "is my password safe" is the offline fast hash number, because you never know how a site stores it.
What the matched patterns mean
Attackers do not brute force from "aaaa" upwards. They try leaked passwords, dictionary words, names, dates, keyboard walks like qwerty and simple sequences first, including reversed spellings and substitutions like p@ssw0rd. Every such pattern in your password collapses a huge search space into a few thousand guesses. The parts marked as having no pattern are the ones doing real work.
To create a password that scores well, generate a random one or a diceware passphrase with the Password Generator.
Credits
Open source does the heavy lifting in this tool. Thank you to:
Hash a password with bcrypt or Argon2 and verify a password against an existing hash. Tune the cost factor, memory, iterations and parallelism, see how long the hash takes, and read the parsed parts of any hash you paste.
Verify a checksum online: drop a file, paste the expected checksum and see instantly whether they match. The hash type is detected from the checksum itself, covering MD5, SHA-1, SHA-256, SHA-512, BLAKE3, CRC-32 and more, and sha256sum lines or whole checksum files can be pasted as-is.
Paste raw email headers to trace the Received chain hop by hop with per-hop delays, read the SPF, DKIM and DMARC results, and see every header explained. Helps you spot spoofing and find where a slow email got stuck.
Encrypt any file with a password using AES-256-GCM, or decrypt a file that was encrypted here. Strong key derivation and integrity protection built in.
Hash text or a file with MD5, SHA-1, SHA-256, SHA-512, SHA-3, BLAKE2, BLAKE3, CRC32 and more, all computed live as you type. Compare against an expected checksum and copy any digest.
Reveal the characters you can't see in a text: zero-width spaces, non-breaking spaces, bidi marks, control characters and CRLF versus LF line endings. Inspect every occurrence and clean them out with a click.