Password Strength Checker

Weak passwords remain the single most common entry point in modern breaches.

The 2025 Verizon Data Breach Investigations Report attributed the majority of web-application intrusions to stolen or guessable credentials, and credential-stuffing attacks using leaked password lists now number in the tens of billions per year. Knowing whether a password you are about to use is actually strong — not just long, not just a mix of character classes, but genuinely resistant to the guessing patterns attackers use — matters more than ever.

This password strength checker analyzes any password you type using the zxcvbn engine, originally developed by Dropbox and still the most widely-cited open-source password-strength library. It returns a score from 0 to 4, realistic crack-time estimates across four attack contexts (online throttled, online unthrottled, offline slow hash, offline fast hash), specific feedback on weaknesses, and custom checks for common passwords, sequential keyboard runs, and repeating characters. You can also opt in to a Have I Been Pwned lookup that uses k-anonymity to check the password against billions of known breached credentials without ever transmitting the password itself.

The entire analysis runs locally in your browser. Your password is not sent to any server. Even the HIBP check only transmits the first 5 characters of a SHA-1 hash — never the password, and never the full hash. This page explains how the tool works, how password strength is measured, what each crack-time estimate means, and how to build passwords that actually hold up in 2026.

How Password Strength Is Measured

Traditional strength meters count character classes — did you use uppercase, lowercase, digits, symbols? — and multiply by length. This approach is worse than useless. It rewards P@ssw0rd1! (which appears in every breach corpus) while punishing correct horse battery staple (which is cryptographically stronger by orders of magnitude). Character-class rules are a terrible proxy for guessability because real attackers don’t guess randomly; they guess intelligently, using dictionaries, leaked passwords, and pattern transformations.

The modern approach, which this tool uses, is guess-number estimation. Instead of scoring character classes, a good strength estimator asks: how many guesses would a reasonably smart attacker make before arriving at this password? That number is then converted to time, given a specific guessing rate. zxcvbn, the engine powering this checker, pattern-matches against English dictionaries, names, dates, keyboard walks, common l33t substitutions, and repeated sequences — then computes the approximate guess count by combining pattern probabilities. A password zxcvbn rates as score 4 requires more than 10^10 guesses to crack; score 0 requires fewer than 10^3.

Why zxcvbn Beats Simple Rules

zxcvbn was introduced by Dan Wheeler of Dropbox at USENIX Security 2016 and remains the reference-grade open-source strength estimator. Its key insight: password strength is only meaningful relative to a realistic attack model. A password made of random bytes is strong in an abstract sense, but a user-chosen password that merely contains random-looking transformations of common words is weak, because that transformation pattern is in every attacker’s rule-set.

The library ships with frequency-ordered lists of English words, first names, last names, Wikipedia-derived common terms, and a large slice of the RockYou breach corpus. When it scores your password, it tries to explain the password as a combination of these elements plus common patterns (years, dates, keyboard runs, repeated characters). It then estimates the total search space needed to find that explanation. The result is a guess count that maps closely to how professional password crackers like Hashcat actually attack real password databases.

Crack Time Estimates Explained

This tool reports estimated crack times in four contexts. The numbers below reflect rough 2026 hardware:

• Online throttled (100 guesses/hour). A well-defended login endpoint rate-limits failed attempts and locks accounts after a handful of misses. At 100 guesses per hour, even a modest password can outlast an attacker’s patience. This is the least-scary scenario.
• Online unthrottled (10 guesses/sec). A login endpoint that does not rate-limit is vulnerable to credential stuffing and dictionary attacks from botnets. Ten guesses per second per source IP is a conservative estimate for what attackers routinely achieve against misconfigured services.
• Offline slow hash (10,000 guesses/sec). If an attacker has stolen a password database and the passwords were hashed with a deliberately slow algorithm like bcrypt, scrypt, or Argon2, each guess is expensive. A well-tuned bcrypt deployment caps attackers at roughly ten thousand guesses per second per GPU in 2026.
• Offline fast hash (10 billion guesses/sec). If the password database used a fast hash like MD5, SHA-1, or unsalted SHA-256 — as many legacy systems still do — a modern 8-GPU rig can push 10^10 guesses per second. At this rate, anything shorter than roughly 12 random characters will fall within days.

The reason security professionals care most about the offline scenarios is that database breaches regularly happen. If your password is strong enough to survive the offline-fast-hash scenario, it is effectively unbreakable under the other three.

Common Password Mistakes

Dictionary words, even capitalized. Password, Welcome, Summer2026 — all fall in seconds. Capital letter at the front, digit at the end is the single most predicted pattern in the cracker universe.

Keyboard patterns. qwerty, asdfgh, 1qaz2wsx, and variations are in every attack list. zxcvbn explicitly detects keyboard walks on QWERTY, AZERTY, and numeric keypads.

Year-based or date-based patterns. johnsmith1985, jenny2026, or any password ending in a plausible birth year is trivially guessable. Attackers try every year from 1900 to the current year automatically.

Leetspeak substitutions barely help. Swapping a for @, o for 0, s for $ was once thought to add entropy. It does not. Every cracker tool applies these substitutions as transformation rules. P@ssw0rd is essentially identical to password in terms of guess count.

Reused passwords. Even a strong password becomes weak the moment it appears in one breach. This is why credential stuffing works: attackers try your Adobe or LinkedIn password on every other service you might use.

The k-Anonymity Have I Been Pwned Model

The optional Have I Been Pwned check in this tool uses a privacy-preserving protocol called k-anonymity, designed by Troy Hunt and Cloudflare. Here is what happens when you click the button:

1. The tool computes the SHA-1 hash of your password locally in your browser, using the Web Crypto API.
2. Only the first 5 characters of the 40-character hexadecimal hash are sent to api.pwnedpasswords.com/range/{prefix}.
3. The HIBP server returns every breached-password hash that starts with those same 5 characters — usually 400 to 600 hashes, each with a count of how many breaches it has appeared in.
4. Your browser scans the response locally for the remaining 35 characters of your password’s hash. If a match is found, the tool reports the breach count.

The HIBP server never sees your password, never sees your full hash, and cannot distinguish your actual hash from any of the hundreds of others that share the same 5-character prefix. That ambiguity is the "k" in k-anonymity. The check is opt-in only; nothing is sent until you click the button.

How to Create a Strong Password

Length beats complexity. A 20-character passphrase of four random words (for example, selected with diceware) has roughly 77 bits of entropy — more than a 12-character password of random symbols. Modern NIST guidance (SP 800-63B) specifically recommends allowing passwords up to at least 64 characters and discourages arbitrary complexity rules.

Use a password manager. The single highest-leverage security decision most users make is adopting a password manager (Bitwarden, 1Password, KeePassXC, and browser-native managers are all reasonable choices). The manager generates long random passwords you never have to remember, stores them encrypted, and autofills them on the correct domain — which also defeats phishing.

Make every password unique. A password manager makes uniqueness automatic. Without one, at minimum use a unique password for email, banking, and any account tied to payment.

Add two-factor authentication. A strong password plus a phishing-resistant second factor (a hardware security key, or at minimum a TOTP app) pushes an attacker’s cost from trivial to effectively prohibitive. If the service offers passkeys, they are stronger still.

Privacy: Nothing Leaves Your Browser

This page does not use analytics on the password you enter, does not log it to any server, and does not store it in localStorage or a cookie. The password exists only in the memory of your current tab. The only network request the tool ever issues is the optional HIBP call — and that call transmits only a 5-character hash prefix, never the password itself. No account, no tracking pixel, no CDN logging of form values. You can verify this by viewing the page source and monitoring the Network tab in your browser’s developer tools.

This tool provides an estimate of password strength for educational purposes. Actual risk depends on many factors outside the tool’s visibility — how the target service stores passwords, whether the account is protected by two-factor authentication, whether the password has already been exposed in a breach not yet loaded into HIBP, and whether the service has other vulnerabilities an attacker can exploit instead. No strength checker can guarantee that a password is secure. Always pair strong, unique passwords with two-factor authentication on any account you care about.

Frequently Asked Questions

Is my password sent anywhere when I use this tool?

No. The core analysis (score, crack time, character stats, pattern checks) runs entirely in your browser. The only network request this tool ever issues is the optional Have I Been Pwned check, and that request sends only the first 5 characters of the SHA-1 hash of your password — never the password itself and never the full hash.

What counts as a strong password in 2026?

A password that zxcvbn scores 4 out of 4 and that does not appear in any Have I Been Pwned breach. In practice, this means at least 14 random characters from a password manager, or a passphrase of at least 4 random words (diceware-style). Length is more important than symbol complexity.

Are password managers actually safe?

The expert consensus, including NIST, is yes. A reputable password manager dramatically improves security because it enables long, unique passwords on every site, and its autofill behavior defeats most phishing attempts. The theoretical risk of the manager itself being breached is far lower than the practical risk of reusing weak passwords across sites.

What is k-anonymity and why does it matter?

k-anonymity is a technique where your query is mixed with many other queries such that the server cannot identify which one is yours. In HIBP’s case, the server sees a 5-character hash prefix that matches hundreds of different hashes; your actual hash is indistinguishable. This lets you check your password against billions of known breached credentials without ever revealing it.

Why is "P@ssw0rd1" considered weak?

Because every password-cracking tool applies leetspeak substitutions (a->@, o->0, s->$) as a default transformation rule. P@ssw0rd1 is functionally identical to password1 from a cracker’s perspective, and password1 appears in virtually every breach corpus. zxcvbn correctly rates it near zero.

How long should a password be?

For high-value accounts, at least 14 random characters generated by a password manager, or a passphrase of at least 4 random words. NIST SP 800-63B recommends services allow passwords up to at least 64 characters. Longer is always better; the cost to you is negligible when a password manager remembers it for you.

What is credential stuffing?

An attack where criminals take username and password pairs leaked from one breach and try them automatically against thousands of other services. It works because most people reuse passwords. Credential stuffing is the single most common cause of account takeover in 2026 and is the main reason unique passwords matter even more than strong ones.

Data accurate as of: April 2026