Password Strength Checker -- Entropy & Crack Time

Analyze password security, entropy, and estimated crack time

Check Your Password Strength

This password strength checker analyzes entropy, character diversity, estimated brute-force crack time, and checks against the 200 most commonly leaked passwords. It also detects keyboard patterns, repeated characters, and sequential sequences. All processing happens in your browser — your password is never sent to any server.

How Password Strength Is Calculated

Password strength is measured by entropy, expressed in bits. Entropy estimates how many guesses an attacker would need to try every possible combination.

The formula is: entropy = length × log₂(charset size)

A password using only lowercase letters (26 characters) has less entropy per character than one also using uppercase (52), digits (62), and symbols (94+). Longer passwords with diverse characters are exponentially harder to crack.

Entropy Examples

Password Type  | Length | Charset | Entropy (bits) | Brute-force Time*
---------------+--------+---------+----------------+------------------
Lowercase only | 8      | 26      | ~37.6          | ~2 minutes
Mixed case     | 8      | 52      | ~45.6          | ~10 hours
Mixed + digits | 10     | 62      | ~59.5          | ~18 years
All types      | 12     | 94      | ~78.7          | ~9.6 billion years
All types      | 16     | 94      | ~104.9         | ~6.4 × 10²² years

*Assuming 1 billion guesses per second (offline attack with modern GPU). Real-world attacks also use dictionaries and patterns, which can crack weak passwords much faster.

Most Common Passwords

Analysis of billions of leaked credentials from real data breaches reveals that a small number of passwords appear over and over. This tool checks against the 200 most commonly leaked passwords. Here are the top 20:

#1 123456
#2 password
#3 123456789
#4 12345678
#5 12345
#6 qwerty
#7 abc123
#8 111111
#9 1234567
#10 password1
#11 1234567890
#12 123123
#13 000000
#14 iloveyou
#15 1234
#16 dragon
#17 monkey
#18 letmein
#19 sunshine
#20 princess

Approximately 1 in 100 accounts uses one of the top 20 passwords. These passwords are tried first in any attack and are cracked instantly — regardless of the character types they contain. If your password appears on a common list, change it immediately.

Patterns That Weaken Passwords

Beyond common passwords, this tool detects structural patterns that make passwords easier to crack. Attackers use rule-based engines that test these patterns automatically:

  • Keyboard walks: Sequences that follow keyboard layout — qwerty, asdfgh, zxcvbn, qwertyuiop. These appear in every password-cracking dictionary.
  • Sequential characters: Ascending or descending sequences like abcdef, 123456, or 987654. Easily generated by rule engines.
  • Repeated characters: Passwords consisting mostly of one repeated character — aaaaaa, 111111, 000000. Extremely low effective entropy.
  • Common substitutions: Predictable character swaps like a→@, e→3, s→$, o→0. Cracking tools test these as standard mutations. P@$$w0rd is not meaningfully stronger than password.

When this tool detects these patterns, it adjusts the strength rating downward and shows a specific warning. The entropy score still reflects the theoretical maximum — but the warning tells you the password is weaker in practice.
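
An added sketch, not this tool's actual source, of how the entropy formula from earlier on the page and the pattern checks listed above can be combined. The 10-entry password list, the three QWERTY rows, the four-character run length and the warning names are assumptions made for the example.

```javascript
const COMMON = new Set(["123456", "password", "123456789", "12345678", "12345",
  "qwerty", "abc123", "111111", "1234567", "password1"]); // constructed: first 10 of the top 20
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]; // assumed layout: QWERTY
const LEET = { "@": "a", "3": "e", "$": "s", "0": "o" }; // swaps named in the list above

// Theoretical entropy: length × log2(charset size), charset inferred from classes used.
function entropyBits(pw) {
  const classes = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 32]];
  const size = classes.reduce((n, [re, k]) => n + (re.test(pw) ? k : 0), 0);
  return size ? pw.length * Math.log2(size) : 0;
}

// A run of `min` characters whose codes step by +1 or -1 (abcd, 9876); min is assumed.
function hasSequence(pw, min = 4) {
  let up = 1, down = 1;
  for (let i = 1; i < pw.length; i++) {
    const d = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    up = d === 1 ? up + 1 : 1;
    down = d === -1 ? down + 1 : 1;
    if (up >= min || down >= min) return true;
  }
  return false;
}

// `min` adjacent keys from one keyboard row, typed in either direction.
function hasKeyboardWalk(pw, min = 4) {
  const s = pw.toLowerCase(), r = [...s].reverse().join("");
  for (const row of KEYBOARD_ROWS)
    for (let i = 0; i + min <= row.length; i++)
      if (s.includes(row.slice(i, i + min)) || r.includes(row.slice(i, i + min))) return true;
  return false;
}

// One character making up more than half of the password ("mostly repeated").
const mostlyRepeated = (pw) =>
  Math.max(0, ...[...pw].map((c) => pw.split(c).length - 1)) > pw.length / 2;

// Warnings are reported next to the entropy figure, which stays the theoretical maximum.
function analyze(pw) {
  const lower = pw.toLowerCase();
  const deleet = [...lower].map((c) => LEET[c] || c).join("");
  const warnings = [];
  if (COMMON.has(lower)) warnings.push("common-password");
  else if (COMMON.has(deleet)) warnings.push("common-substitution");
  if (hasKeyboardWalk(pw)) warnings.push("keyboard-walk");
  if (hasSequence(pw)) warnings.push("sequence");
  if (mostlyRepeated(pw)) warnings.push("repeated");
  return { bits: Math.round(entropyBits(pw) * 10) / 10, warnings };
}
```

Calling analyze("P@$$w0rd") reports 52.4 bits together with a common-substitution warning, which is the gap between theoretical and practical strength described above.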

What Makes a Password Weak

Entropy assumes random passwords. Real passwords are often predictable. Common weaknesses include:

  • Dictionary words: "sunshine", "football", "welcome" appear in every password dictionary
  • Predictable substitutions: "P@ssw0rd" and "h3llo" are well-known patterns attackers check early
  • Keyboard walks: "qwerty", "asdfgh", "zxcvbn" are among the first guesses
  • Personal information: Names, birthdays, and pet names are easy to research
  • Short passwords: Anything under 8 characters can be brute-forced in minutes on modern hardware
  • Reused passwords: If one account is breached, all accounts sharing that password are compromised

How to Create a Strong Password

Two reliable approaches:

1. Random Character Password

Use a password generator to create a random string of 14+ characters with mixed types. Example format:

kX9#mQ2$vL7@nR — 14 characters, ~91 bits of entropy.

Downside: hard to memorize. Best paired with a password manager.

2. Random Passphrase (Diceware Method)

Pick 4–6 words randomly from a large word list. Example:

correct horse battery staple — 4 words from a 7,776-word list ≈ 51 bits of entropy.

timber knack plume oyster crank — 5 words ≈ 64 bits of entropy.

Easier to remember, still strong. The words must be truly random — not a sentence that makes sense.

General Rules

  • Use a unique password for every account
  • Use a password manager to store them
  • Enable two-factor authentication where available
  • Never share passwords over email or messaging

Frequently Asked Questions

How is password strength measured?

Password strength is measured by entropy (in bits). Entropy combines two factors: the size of the character set (lowercase, uppercase, digits, symbols) and the password length. Higher entropy means exponentially more possible combinations. A password with 60+ bits of entropy is generally considered strong against brute-force attacks.

How long would it take to crack my password?

Crack time depends on the attack method and hardware. This tool assumes 1 billion guesses per second, which is realistic for offline attacks with modern GPUs. An 8-character lowercase password can be cracked in minutes. A 16-character mixed password could take millions of years. However, real-world attacks also use dictionaries and leaked password lists, so common passwords are cracked much faster regardless of length.

Is 12 characters enough for a strong password?

12 characters is a reasonable minimum if you use a mix of character types (uppercase, lowercase, digits, symbols). That combination yields roughly 79 bits of entropy. If the password is a common phrase or dictionary word, length alone does not help. A random 12-character mixed password is far stronger than a 20-character password like "passwordpasswordpass".

What is password entropy?

Entropy measures the unpredictability of a password in bits. The formula is: length × log₂(charset size). For example, an 8-character password using only lowercase letters (26 possible characters) has about 37.6 bits of entropy. The same length using all printable ASCII (95 characters) has about 52.6 bits. Each additional bit doubles the number of possible combinations.

Are passphrases stronger than random passwords?

A passphrase of 4–6 randomly chosen words can be both strong and memorable. A 4-word passphrase from a 7,776-word list provides about 51 bits of entropy; 5 words ≈ 64 bits; 6 words ≈ 77 bits. The critical requirement is that the words are randomly selected — not a meaningful sentence you composed.

Why are common passwords weak even if they meet complexity rules?

Attackers use dictionaries of millions of known passwords, leaked credentials, and common patterns. Passwords like "P@ssw0rd!" or "Qwerty123!" are tried early in any real attack, making them crackable in seconds. True strength comes from randomness, not from predictable substitutions.

Should I use a password manager?

A password manager generates and stores unique random passwords for every account. This eliminates password reuse — a major risk factor — and removes the need to memorize complex strings. You only need one strong master password or passphrase.

Does this tool check against leaked password lists?

Yes. This tool checks your password against a built-in list of the 200 most commonly leaked passwords from real data breaches. If your password matches one of these, you will see a clear warning regardless of its theoretical entropy score. The checking happens entirely in your browser — your password is never sent to any server.

What are the most common passwords?

According to analysis of billions of leaked credentials, the most common passwords include: 123456, password, 123456789, 12345678, qwerty, abc123, 111111, password1, and iloveyou. About 1 in 100 accounts uses a top-20 password. These are cracked instantly in any attack.

Does this tool detect keyboard patterns?

Yes. The tool detects keyboard walks (qwerty, asdfgh, zxcvbn), sequential characters (abcdef, 123456), and repeated characters (aaaaaa, 111111). When patterns are found, the strength rating is adjusted downward and a specific warning is displayed.

Does this tool send my password anywhere?

No. All analysis runs in your browser using JavaScript. Your password never leaves your device. The common password list and pattern detection all run locally. You can disconnect from the internet and the tool works identically.

Privacy & Limitations

  • Client-side only. No data is sent to any server. No cookies, no tracking of passwords entered. The common password list and all pattern detection run entirely in your browser.
  • Common password list is limited. This tool checks against the top 200 most commonly leaked passwords. A real-world breach database contains billions of entries. Not appearing on this list does not mean a password is not in a breach. For a comprehensive check, use a service like Have I Been Pwned (which uses k-anonymity to check without exposing your password).
  • Entropy is theoretical. The estimate assumes a truly random password. When patterns are detected, the tool warns you, but effective entropy for patterned passwords is lower than the calculated value.
  • Crack time is an estimate. Based on 1 billion guesses/second (offline GPU attack). Actual times vary with hardware, attack method, and whether the password appears in leaked databases.
  • Not a guarantee. A "strong" rating does not guarantee account security. Use unique passwords, a password manager, and two-factor authentication.
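
The k-anonymity check mentioned in the list above, as an added example that is not part of this tool: only the first five hex characters of the password's SHA-1 are sent to the Pwned Passwords range endpoint, and the rest of the hash is compared locally. The response body and its counts are constructed so the example runs offline, the function names are assumptions, and Node's crypto module stands in for the browser's crypto.subtle.digest.

```javascript
const nodeCrypto = require("crypto");

// Split the SHA-1 of the password: only the 5-character prefix ever leaves the device.
function rangeQuery(password) {
  const hash = nodeCrypto.createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// The range endpoint answers with "SUFFIX:COUNT" lines for every hash sharing the
// prefix; matching against our own suffix happens locally.
function breachCount(suffix, responseBody) {
  for (const line of responseBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate === suffix) return parseInt(count, 10);
  }
  return 0;
}

// Constructed response body for prefix 5BAA6; the counts are made up for illustration.
const SAMPLE_RESPONSE = [
  "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000",
  "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
].join("\r\n");

function checkOffline(password) {
  const { prefix, suffix } = rangeQuery(password);
  // A live check would GET https://api.pwnedpasswords.com/range/<prefix> here.
  return { sent: prefix, count: breachCount(suffix, SAMPLE_RESPONSE) };
}
```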


Password Strength Checker FAQ

How is password strength measured?

Password strength is typically measured by entropy, expressed in bits. Entropy combines two factors: the size of the character set used (lowercase, uppercase, digits, symbols) and the password length. Higher entropy means more possible combinations an attacker must try. A password with 60+ bits of entropy is generally considered strong against brute-force attacks.

How long would it take to crack my password?

Crack time depends on the attack method and hardware. This tool estimates time assuming 1 billion guesses per second (a realistic rate for offline attacks with modern GPUs). An 8-character lowercase password can be cracked in minutes, while a 16-character mixed password could take millions of years. Real-world attacks also use dictionaries and patterns, so common words are cracked much faster regardless of length.

Is 12 characters enough for a strong password?

12 characters is a reasonable minimum if you use a mix of uppercase, lowercase, digits, and symbols. That combination yields roughly 79 bits of entropy. However, if the password is a common phrase or dictionary word, length alone does not help. A random 12-character password with mixed character types is far stronger than a 20-character password like 'passwordpasswordpass'.

Are passphrases stronger than random passwords?

A passphrase of 4-6 randomly chosen words (e.g., 'correct horse battery staple') can be both strong and memorable. A 4-word passphrase from a 7,776-word list provides about 51 bits of entropy; 5 words gives about 64 bits; 6 words gives about 77 bits. The key is that the words must be randomly selected, not a meaningful sentence.

Does this tool send my password to a server?

No. All analysis runs entirely in your browser using JavaScript. Your password is never transmitted over the network. You can verify this by disconnecting from the internet and using the tool offline.

What is password entropy?

Entropy measures the unpredictability of a password in bits. It is calculated as length × log₂(charset size). For example, an 8-character password using lowercase letters (26 characters) has about 37.6 bits of entropy. The same length using all printable ASCII characters (95 characters) has about 52.6 bits. More entropy means exponentially more guesses required to crack the password.

Why are common passwords weak even if they meet complexity rules?

Attackers use dictionaries of millions of known passwords, leaked credentials, and common patterns (like 'P@ssw0rd!' or '123456'). These are tried first in any real attack, making them crackable in seconds regardless of their character diversity. True strength comes from randomness, not from predictable substitutions.

Does this tool check against known leaked passwords?

Yes. This tool checks your password against a built-in list of the 200 most commonly leaked passwords from real data breaches. If your password matches one of these, you will see a warning regardless of its theoretical entropy score. All checking happens in your browser — your password is never sent to any server.

What are the most common passwords?

According to analysis of billions of leaked credentials, the most common passwords include 123456, password, 123456789, 12345678, qwerty, abc123, 111111, password1, and iloveyou. These passwords are tried first in any attack and are cracked instantly. Approximately 1 in 100 accounts uses one of the top 20 most common passwords.

Should I use a password manager?

A password manager generates and stores unique random passwords for every account. This is widely recommended by security professionals because it eliminates password reuse (a major risk factor) and removes the need to memorize complex strings. You only need to remember one strong master password or passphrase.
