How to Check Password Strength
Type or paste a password into the input field. The tool analyzes your password in real time as you type — there is no button to press. Each character you add triggers a fresh analysis, so you can watch the strength score improve as you build a stronger password.
Read the strength score and label displayed below the input. The tool rates passwords on a scale from 0 (very weak) to 4 (very strong) using the zxcvbn algorithm developed by Dropbox. Each score maps to a descriptive label: 0 = Very Weak, 1 = Weak, 2 = Fair, 3 = Strong, 4 = Very Strong. A visual meter fills and changes color to reflect the current strength level.
Check the estimated crack time displayed alongside the score. The tool estimates how long it would take an attacker to crack your password using an offline brute-force attack against a slow hash (like bcrypt). Estimates range from 'instant' for trivially weak passwords to 'centuries' for strong ones. This gives you a concrete, intuitive sense of how secure your password really is.
Review the detailed feedback and suggestions below the crack time estimate. The algorithm detects specific weaknesses in your password — common words, keyboard patterns (qwerty, 123456), repeated characters, dates, and names — and provides actionable suggestions for improvement. Use these suggestions to strengthen your password until it reaches a score of 3 or 4.
Why Check Your Password Strength?
- Powered by the zxcvbn algorithm — developed by Dropbox's security team, it evaluates passwords based on real-world attack patterns, not simplistic rules
- Realistic crack time estimates — calculates how long an offline attack would take against bcrypt, accounting for GPU-accelerated hardware speeds
- 100% local processing — your password never leaves your browser, never touches a server, and is never stored or logged anywhere
- Pattern detection — identifies dictionary words, keyboard sequences, repeated characters, l33t substitutions, dates, and common passwords
- Specific improvement suggestions — instead of generic rules, the tool tells you exactly what weakness it found and how to fix it
- No signup, no rate limits — test as many passwords as you want, completely free
- Verify with DevTools — open the Network tab to confirm zero outbound requests while using the tool
Frequently Asked Questions
What makes a password strong?
Password strength comes from three factors: length, randomness, and uniqueness. Longer passwords are exponentially harder to crack — each additional character multiplies the number of possible combinations. Randomness means avoiding dictionary words, names, dates, keyboard patterns, and common substitutions (like @ for a). Uniqueness means using a different password for every account so a breach on one site doesn't compromise others. NIST Special Publication 800-63B recommends emphasizing length over complexity rules, suggesting passwords of at least 8 characters with no arbitrary composition requirements (like mandatory special characters).
How is password crack time estimated?
The crack time estimate is the estimated number of guesses needed to find the password divided by an assumed attack speed. The zxcvbn algorithm arrives at the guess count by identifying the patterns in your password (dictionary words, sequences, repeats, keyboard patterns) and computing how many guesses an attacker would need to find it; the password's entropy is the base-2 logarithm of that count. The attack speed assumes a realistic offline scenario: an attacker with hashed passwords running GPU-accelerated brute-force attacks. Slow hashing algorithms like bcrypt reduce attack speed dramatically compared to fast hashes like MD5.
Source: Dropbox Tech Blog — zxcvbn: Realistic Password Strength Estimation
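The calculation described above, as an added example (not zxcvbn's code and not this tool's): a simplified estimator that finds the cheapest split of a password into dictionary, repeat and sequence segments, then divides the guess count by an assumed attack speed. The word list, the multipliers, the 10,000 guesses per second rate and the score cut-offs are assumptions of this sketch.

```javascript
// Added example: simplified sketch, not zxcvbn's real matchers or dictionaries.
const COMMON = ["password", "qwerty", "dragon", "monkey", "letmein"]; // constructed; rank = index + 1
const LEET = { "@": "a", "0": "o", "1": "l", "3": "e", "$": "s" };
const OFFLINE_SLOW_HASH_RATE = 1e4; // assumed guesses per second against a slow hash
const LABELS = ["Very Weak", "Weak", "Fair", "Strong", "Very Strong"];

// Size of the character pool an exhaustive search would have to cover.
function poolSize(pw) {
  return (/[a-z]/.test(pw) ? 26 : 0) + (/[A-Z]/.test(pw) ? 26 : 0) +
         (/[0-9]/.test(pw) ? 10 : 0) + (/[^a-zA-Z0-9]/.test(pw) ? 33 : 0);
}

// Guesses needed for one segment if it matches a pattern; Infinity if it does not.
function segmentGuesses(seg, pool) {
  if (seg.length === 1) return pool; // lone character: plain brute force
  const plain = seg.toLowerCase().replace(/[@013$]/g, (c) => LEET[c]);
  const rank = COMMON.indexOf(plain) + 1;
  if (rank > 0) {
    // Dictionary hit: cost is the word's rank, doubled per variation to try.
    const caps = seg !== seg.toLowerCase() ? 2 : 1;
    const leet = /[@013$]/.test(seg) ? 2 : 1;
    return rank * caps * leet;
  }
  if (/^(.)\1+$/.test(seg)) return pool * seg.length; // repeated character
  const ascending = [...seg].every(
    (c, i) => i === 0 || c.charCodeAt(0) === seg.charCodeAt(i - 1) + 1);
  if (seg.length >= 3 && ascending) return (/^\d+$/.test(seg) ? 10 : 26) * seg.length;
  return Infinity;
}

// Dynamic programming over split points: keep the cheapest guess count.
function estimate(pw) {
  const pool = poolSize(pw);
  const best = [1];
  for (let end = 1; end <= pw.length; end++) {
    best[end] = Infinity;
    for (let start = 0; start < end; start++) {
      const cost = best[start] * segmentGuesses(pw.slice(start, end), pool);
      best[end] = Math.min(best[end], cost);
    }
  }
  const guesses = best[pw.length];
  const score = [1e3, 1e6, 1e8, 1e10].filter((limit) => guesses >= limit).length;
  return { guesses, crackSeconds: guesses / OFFLINE_SLOW_HASH_RATE, score, label: LABELS[score] };
}
```

`estimate("P@ssw0rd1")` uses all four character classes yet costs only 380 guesses, because the attacker's dictionary covers the word and its substitutions.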
Is it safe to type my real password into an online checker?
With this tool, yes. All password analysis runs entirely in your browser using JavaScript. The zxcvbn library is loaded as a local script and performs all pattern matching and entropy calculations on your device. No password, score, or feedback data is ever transmitted over the network. You can verify this yourself: open your browser's DevTools (F12), switch to the Network tab, clear it, then type a password — no outbound requests will appear. However, be cautious with other online password checkers that may send your input to their servers.
What is the zxcvbn password strength algorithm?
zxcvbn is a password strength estimation library created by Dan Wheeler at Dropbox in 2012. Unlike traditional strength meters that count character types (uppercase, numbers, symbols), zxcvbn models how real attackers crack passwords. It searches for patterns that an attacker's dictionary and rule sets would exploit: English words, common passwords, names, dates, keyboard patterns (qwerty, zxcvbn itself), l33t substitutions, and repeated or reversed sequences. By matching these patterns, zxcvbn provides a realistic guess count and a score from 0 to 4. The algorithm is open-source and has been adopted by many major websites.
Source: Dropbox Tech Blog — zxcvbn: Realistic Password Strength Estimation
What does NIST recommend for passwords in 2024?
NIST Special Publication 800-63B (Digital Identity Guidelines) recommends several evidence-based password practices that differ from older conventional wisdom: (1) Emphasize length over complexity — longer passwords are stronger than short passwords with forced special characters. (2) No mandatory password rotation — forced periodic changes lead to weaker passwords as users make minimal incremental changes. (3) No composition rules — requiring uppercase, numbers, and symbols does not meaningfully improve security and frustrates users. (4) Screen against breached password lists — check new passwords against known compromised password databases. (5) Allow all printable characters including spaces. These guidelines prioritize usability alongside security, recognizing that overly restrictive rules lead to predictable workarounds.
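A side-by-side of the old composition rule and a check built from the points above, as an added example that is not part of the original page or of NIST's text. The `BREACHED` set is a constructed stand-in for a real compromised-password list, and the NFKC normalization and control-character check are assumptions of this sketch.

```javascript
// Added example; BREACHED is a constructed stand-in for a real compromised-password list.
const BREACHED = new Set(["Password1!", "qwerty123", "Summer2024!", "letmein2024"]);
const MIN_LENGTH = 8; // minimum length given in the text above

// Old-style rule: demands upper, lower, digit and symbol; knows nothing about breaches.
function legacyCompositionCheck(pw) {
  return pw.length >= 8 && /[a-z]/.test(pw) && /[A-Z]/.test(pw) &&
         /[0-9]/.test(pw) && /[^a-zA-Z0-9]/.test(pw);
}

// Length first, no composition rules, breach screening, spaces and symbols allowed.
function nistStyleCheck(pw) {
  const reasons = [];
  const normalized = pw.normalize("NFKC"); // assumption: normalize before comparing
  // Count code points, not UTF-16 units, so non-ASCII characters count once.
  if ([...normalized].length < MIN_LENGTH) reasons.push("too short");
  if (/[\u0000-\u001f\u007f]/.test(normalized)) reasons.push("contains control characters");
  if (BREACHED.has(normalized)) reasons.push("found in breached list");
  return { ok: reasons.length === 0, reasons };
}

// Run both policies on the same input to see where they disagree.
function compare(pw) {
  return { legacy: legacyCompositionCheck(pw), nist: nistStyleCheck(pw).ok };
}
```

`compare("Password1!")` passes the legacy rule and fails the breach screen, while `compare("correct horse battery staple")` does the opposite.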
By UtilDaily · Updated — free, privacy-first browser tools. No sign-up, no data collection.