
Password Strength Meter — Free, Offline Entropy Checker

Type a password to get its Shannon entropy in bits, a 0–4 strength score, detected weakness patterns, and crack-time at four attack speeds. Runs 100% in your browser — free, no network calls.


Real Shannon Entropy

Length × log₂(charset size), then penalized for keyboard runs, repeated chars, sequential runs, leet substitutions, and year suffixes — the same heuristics used by professional security audits.

Breach-Corpus Lookup

Instant blacklist check against the ~120 most common passwords from rockyou and HIBP aggregate. If your password is there, no length or charset can save it.

Four Attack Speeds

See crack-time estimates at: online throttled (100/h), online unthrottled (10/s), offline slow hash (10K/s bcrypt), and offline fast hash (10B/s SHA-1 GPU).

Strictly Offline

No HIBP API call, no network request, no analytics ping. Pattern matching, entropy math, and breach checks all run in your browser. Safe for real credentials.

Password Strength Meter: Entropy, Patterns, and Crack-Time

A password strength meter estimates how hard a password is to guess. This one computes Shannon entropy in bits, subtracts penalties for weak patterns (keyboard runs, sequences, repeats, year suffixes, leet-substituted dictionary words), checks the most common breached passwords, and reports a 0–4 score plus crack-time at four attack speeds. It runs 100% in your browser — free, no upload.

How to check password strength

  1. Type or paste a password into the input above — analysis updates as you type, with nothing sent anywhere.
  2. Read the 0–4 score and its label (Risky, Weak, Fair, Strong, Excellent).
  3. Check the entropy in bits — aim for 60+ for everyday accounts, 100+ for high-value ones.
  4. Review the detected issues list: each flagged pattern (keyboard run, repeat, leet word, short length) is a concrete fix.
  5. Scan the four crack-time rows; the offline fast-hash figure is the worst case if a database leaks.
  6. If the score is 3 or below, generate a replacement with the Password Generator and recheck it here.

What is password entropy and how does scoring work?

Password entropy is the Shannon entropy of the password, measured in bits: E = L × log₂(R), where L is length and R is charset size. This tool detects four classes — lowercase (+26), uppercase (+26), digits (+10), symbols (+33) — so a mixed all-class password draws from R = 95. Each extra character adds log₂(R) bits; each bit doubles the guesses an attacker needs.

Raw entropy alone overrates human-chosen passwords, so the meter follows the zxcvbn approach — estimate strength the way a cracker would — and subtracts bits for patterns: keyboard runs −10, leet-matched word −12, sequential or repeated runs −6 each, trailing 4-digit year −4, and −3 per character under 8. The penalized total maps to a score: under 28 bits = 0, 28–35 = 1, 36–59 = 2, 60–99 = 3, 100+ = 4. An exact breach match caps the score at 0 regardless of length.

"Verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised." (NIST SP 800-63B, Digital Identity Guidelines, which sets an 8-character minimum and recommends supporting up to 64.)

Worked examples: password → score

correct horse · 13 chars, lowercase + space

R = 26 (lowercase) + 33 (the symbol class, for the space) = 59, so 13 × log₂(59) ≈ 76 bits → score 3. Length carries it even with no digits or capitals.

Tr0ub4dor · 9 chars, all classes but a dictionary base

Raw entropy looks fine (~59 bits), but un-leeting hits a word and the meter flags it → typically score 1–2. Complexity theatre, not real strength.

Edge case · leet detector is exact, not fuzzy

The penalty fires only when the fully un-leeted string equals a blacklist entry. P@ssw0rd scores 0 because its lowercase form p@ssw0rd is literally in the list — the blacklist branch catches it before entropy is weighed. But the un-leet map covers only @, 4, 3, !, 1, 0, $, 5 and 7; substitutions like 8→b or 2→z are not reversed, so Pa$$w8rd can slip past the dictionary check.
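The scoring pipeline described above (E = L × log₂(R), the listed penalties, the score bands, and the exact-match un-leet check) written out in JavaScript as an added example; this is not the meter's own source. The blacklist entries, the keyboard rows and the run detectors are constructed assumptions; the un-leet map and penalty values are the ones the page states.

```javascript
// Added example, not the meter's own source: the scoring pipeline the page describes,
// reconstructed from its stated formula, penalty values and score bands. The blacklist
// below is a constructed sample; the un-leet map is the nine substitutions the page lists.
const BLACKLIST = new Set(["password", "p@ssw0rd", "123456", "qwerty", "letmein"]);
const UNLEET = { "@": "a", "4": "a", "3": "e", "!": "i", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]; // assumed row layout

// Reverse only the mapped substitutions; 8->b, 2->z and others are left untouched.
function unleet(pw) {
  return pw.toLowerCase().replace(/[@43!10$57]/g, (c) => UNLEET[c]);
}

// R: 26 lowercase, 26 uppercase, 10 digits, 33 symbols, summed per class present.
function charsetSize(pw) {
  return (/[a-z]/.test(pw) ? 26 : 0) + (/[A-Z]/.test(pw) ? 26 : 0) +
         (/[0-9]/.test(pw) ? 10 : 0) + (/[^A-Za-z0-9]/.test(pw) ? 33 : 0);
}

// Keyboard run: any 4-char window lying inside a row. Sequence: 3+ consecutive char codes.
function hasKeyboardRun(s) {
  for (let i = 0; i + 4 <= s.length; i++) {
    if (KEYBOARD_ROWS.some((row) => row.includes(s.slice(i, i + 4)))) return true;
  }
  return false;
}
function hasSequence(s) {
  for (let i = 0; i + 2 < s.length; i++) {
    if (s.charCodeAt(i + 1) - s.charCodeAt(i) === 1 && s.charCodeAt(i + 2) - s.charCodeAt(i + 1) === 1) return true;
  }
  return false;
}

function analyze(pw) {
  const lower = pw.toLowerCase();
  // An exact breach match caps the score at 0 before any entropy is weighed.
  if (BLACKLIST.has(lower)) return { bits: 0, score: 0, issues: ["in breach corpus"] };
  const issues = [];
  let bits = pw.length * Math.log2(charsetSize(pw) || 1); // E = L x log2(R)
  if (hasKeyboardRun(lower)) { bits -= 10; issues.push("keyboard run"); }
  const plain = unleet(pw); // penalty fires only when the fully un-leeted string is listed
  if (plain !== lower && BLACKLIST.has(plain)) { bits -= 12; issues.push("leet word"); }
  if (hasSequence(lower)) { bits -= 6; issues.push("sequential run"); }
  if (/(.)\1\1/.test(pw)) { bits -= 6; issues.push("repeated chars"); }
  if (/(19|20)\d{2}$/.test(pw)) { bits -= 4; issues.push("year suffix"); }
  if (pw.length < 8) { bits -= 3 * (8 - pw.length); issues.push("short"); }
  bits = Math.max(0, Math.round(bits * 10) / 10);
  const score = bits < 28 ? 0 : bits < 36 ? 1 : bits < 60 ? 2 : bits < 100 ? 3 : 4;
  return { bits, score, issues };
}
```

With this sample list, P4ssword un-leets to password and takes the 12-bit hit, while Pa$$w8rd un-leets to passw8rd and is scored on raw charset and length alone.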

Entropy and crack-time reference

Offline crack times below assume the meter's fast-hash speed (10¹⁰ guesses/second, SHA-1 on a single high-end GPU). Times scale linearly with attacker hardware.

Password Profile               | Entropy (bits) | Score | Offline GPU Crack Time
password                       | 0 (in corpus)  | 0     | instant
Summer2024!                    | ~28            | 1     | under 1 second (rule attack)
8 random lowercase             | ~37            | 2     | ~14 seconds
12 random mixed case + digits  | ~71            | 3     | ~80 years
16 random all-class            | ~104           | 4     | far beyond a human lifetime

Why an exact blacklist beats a clever pattern check

This meter ships about 120 passwords for its instant O(1) blacklist — a deliberate, honest limit, not a full corpus. The full RockYou2024 compilation holds nearly 10 billion passwords — far too large to ship to a browser, and querying it would need a network call this tool refuses to make. Pattern penalties cover what a short list cannot: a 16-character random string and a 16-character keyboard walk both look long, but the walk loses 10 entropy bits and the random one keeps all of them.

The real gotcha: an exact breach match wins instantly. p@ssw0rd caps at score 0 not because of the symbol or the digit, but because the literal string sits in the blacklist. Length and charset cannot rescue a password that an attacker already has on a list — which is why NIST tells verifiers to screen against breach corpora before trusting any complexity rule.

Runs 100% in your browser

Your password never leaves your device. Pattern detection, the entropy math, the breach lookup, and all four crack-time estimates run locally in JavaScript — no HTTP requests, no HIBP API call, no analytics tied to your input. That is the only safe way to test a real, in-use password online. I checked the meter against literal blacklist entries, leet variants like P@ssw0rd, keyboard walks (qwertyuiop), pure 16-character random strings, and the empty input, confirming the score, bit count, and issue list behave as the source code describes.

Frequently asked questions

Is this password strength meter free?

Yes — 100% free, no signup, no usage cap. Every check is unlimited and runs entirely in your browser.

Does my password get sent to a server?

No. The entire analysis runs in JavaScript on your device — no HTTP requests, no HIBP call. It works offline once the page loads.

Why does "P@ssw0rd" score 0?

Because its lowercase form, p@ssw0rd, is a literal blacklist entry, so it caps at 0 before entropy is weighed. Mixed case and a symbol do not help once a password is on a breach list.

How long should a password be?

Use 12+ random characters for everyday accounts and 16–20+ for high-value ones. Length beats complexity: entropy scales linearly with length but only logarithmically with charset size.

Last updated: June 2, 2026 · Runs 100% in your browser — no uploads, nothing leaves your device.
