Password Strength Checker

A password strength checker powered by Dropbox's zxcvbn engine — the same algorithm used by major sites like Stripe, GitLab and 1Password. It estimates how many guesses an attacker would need by recognising common dictionaries, leaked-password lists, keyboard sequences, dates, and repeats — not just counting character classes.

How to use

1. Type or paste a password

The score updates with every keystroke. Click the eye icon to toggle visibility.

2. Read the score and warnings

Aim for a score of 3 or 4. If you see warnings, address them — adding a "1!" rarely helps.

3. Check the crack-time row that matches your threat

Web service login? Online throttled. Database breach? Offline fast hash — and that's the row that matters most.

4. Iterate

Add length and unpredictability until the score is 4 across all rows.

Test how guessable your password really is — based on real dictionaries, patterns, and breach data

Effective entropy (bits)
Estimated guesses

Time to crack

Online, throttled (100/h)
Online, no throttle (10/s)
Offline, slow hash (10⁴/s)
Offline, fast hash (10¹⁰/s)

Features

zxcvbn estimation engine
Four crack-time scenarios
Specific warnings & suggestions
Pattern detection
Runs locally

FAQ

Is my password sent anywhere?

No. zxcvbn runs entirely in your browser via JavaScript. No keystroke or password leaves your device. You can verify this with the browser network tab.

What is zxcvbn?

A password strength estimator created by Dropbox engineer Daniel Lowe Wheeler. Instead of counting character classes, it estimates the number of guesses needed using dictionaries, common patterns, and l33t substitution recognition.

Why does "Password123!" get a low score?

Because it appears in the top 1000 of every leaked-password list, and the "123!" suffix is the most common modification. An attacker tries these first.

What score is "safe"?

Score 4 (10⁹+ guesses) is safe against offline attacks. Score 3 is safe against online attacks. Score 2 and below is unsafe in any scenario.

Should I trust the time estimates?

They are conservative estimates against well-equipped attackers. Real adversaries vary, but if a password falls under "offline fast hash, < 1 hour", it is unsafe for any database that could leak.

Why is length more important than symbols?

Because each added character multiplies the search space by the alphabet size, while swapping in a symbol changes only one character. A 16-character all-lowercase password resists more guesses than a 10-character "complex" one.
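
The difference between counting character classes and recognising patterns (the "Password123!" answer) and the length-versus-symbols answer above, as an added example that is not this tool's code and not zxcvbn's algorithm. The wordlist, suffix list, capitalisation factor and function names are constructed assumptions, and the brute-force figure assumes randomly chosen characters; the four attack rates are the ones listed on this page.

```javascript
// Added example: a toy estimator, NOT zxcvbn's algorithm or data.
// Guesses per second for the four crack-time rows listed on this page.
const SCENARIOS = {
  "online, throttled (100/h)": 100 / 3600,
  "online, no throttle (10/s)": 10,
  "offline, slow hash (1e4/s)": 1e4,
  "offline, fast hash (1e10/s)": 1e10,
};
// Constructed sample data: a tiny ranked wordlist and common suffixes.
const WORDLIST = ["password", "qwerty", "dragon", "letmein", "monkey"];
const SUFFIXES = ["", "1", "123", "1!", "123!", "2024"];

// Naive view: alphabet size implied by the character classes, to the power of length.
function charsetGuesses(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) alphabet += 33; // printable ASCII symbols incl. space
  return Math.pow(alphabet, pw.length);
}

// Pattern-aware view: a <wordlist word><common suffix> password is covered once the
// attacker has tried every suffix (and, assumed here, 2 capitalisations) for each
// word up to its rank. Anything else falls back to the brute-force figure.
function patternGuesses(pw) {
  const lower = pw.toLowerCase();
  for (let rank = 1; rank <= WORDLIST.length; rank++) {
    const word = WORDLIST[rank - 1];
    if (lower.startsWith(word) && SUFFIXES.includes(lower.slice(word.length))) {
      return rank * SUFFIXES.length * 2;
    }
  }
  return charsetGuesses(pw);
}

// Seconds needed to exhaust `guesses` in each scenario.
function crackSeconds(guesses) {
  return Object.fromEntries(
    Object.entries(SCENARIOS).map(([name, rate]) => [name, guesses / rate])
  );
}

for (const pw of ["Password123!", "kT7#qZ2!mX", "qzvhmtkxwpjrnbyd"]) {
  const g = patternGuesses(pw);
  console.log(pw, "charset:", charsetGuesses(pw).toExponential(1),
    "pattern-aware:", g.toExponential(1), crackSeconds(g));
}
```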
