Password Strength Checker
Analyse password entropy, character variety, crack time estimate and 8 security requirements — all locally in your browser. No signup, no data sent.
"Must Contain Uppercase" Is Not a Strength Measure
Most password strength indicators are cosmetic. They check a list of requirements — uppercase, digit, symbol, minimum length — and turn green when all boxes are checked. "Password1!" satisfies every one of those requirements while remaining trivially crackable because its structure is entirely predictable. The requirement rules were designed to push users toward larger character pools, but they do not measure actual unpredictability. Our free password strength checker uses entropy — the information-theoretic measure of unpredictability — to give a genuine assessment of how resistant a password is to attack. It also checks eight specific security requirements, estimates crack time against a realistic GPU-based attack scenario, and detects passwords from breach databases where the exact string is already known to attackers.
How Entropy Measures Real Password Strength
Entropy in bits answers the question: how many guesses would an attacker need in the worst case? The formula is length × log₂(pool size), where pool size is determined by which character classes appear. Lowercase adds 26 characters; uppercase adds 26; digits add 10; symbols add approximately 32. Using all four gives a pool of 94. At 16 characters, that is 16 × log₂(94) ≈ 104 bits — meaning 2^104 possible passwords. Each additional character of length adds log₂(94) ≈ 6.5 bits; each additional bit of entropy doubles the required guesses. The strength labels map directly to these thresholds: below 40 bits is weak regardless of what characters are used; above 80 bits is very strong against all known attack methods.
Why Length Dominates All Other Factors
The classic XKCD "correct horse battery staple" observation is mathematically correct: a long passphrase of random dictionary words can have more entropy than a short mixed-character password. "correct horse battery staple" (4 random words from a 7,776-word Diceware list) has approximately 4 × log₂(7776) ≈ 51 bits. "Tr0ub4dor&3" (9 characters with substitutions) has only 9 × log₂(94) ≈ 58 bits — barely better, despite being nearly impossible to type. At 16+ random characters with all four character sets, entropy exceeds 104 bits — a level that cannot be brute-forced with any foreseeable computing technology. Length is the dominant factor; character variety matters, but adding one more random character does more for security than adding a symbol to a short password.
The Eight Security Requirements Checked
- Minimum length (8 characters): The absolute floor recommended by NIST SP 800-63B. Passwords below 8 characters can be exhaustively cracked in seconds regardless of character variety
- Recommended length (12+ characters): At 12 characters with all character sets, entropy exceeds 78 bits — sufficient to resist offline brute-force attacks with current GPU technology
- Uppercase letters: Adds 26 characters to the pool. Lowercase plus digits gives a pool of 36; adding uppercase takes it to 62, and adding symbols to 94, so each class adds significantly to the pool size
- Lowercase letters: The most commonly included class; excluding it would reduce the pool dramatically
- Digits (0–9): Adds 10 characters to the pool — less impactful than adding a character of length, but standard practice
- Symbols: Adds ~32 characters to the pool and significantly increases entropy per character — important for meeting policy requirements at shorter lengths
- No repeated sequences: Patterns like "aaa", "111", or "abcabc" reduce effective entropy because cracking tools specifically target repetition patterns with mask attacks
- Not a common password: The most important check — passwords that appear in breach databases are known to attackers regardless of their entropy score. A password found in a breach list can be cracked instantly via table lookup
Crack Time Estimates — What They Actually Mean
The estimated crack time is based on an offline brute-force attack — the scenario where an attacker has stolen a hashed password database and can attempt guesses at maximum hardware speed without any rate limiting. At 10 billion guesses per second (a realistic estimate for a mid-range GPU cluster on an unsalted fast hash), 40 bits of entropy falls in under 2 minutes; 60 bits takes 36 years; 80 bits takes 3.7 billion years. These are worst-case estimates for guessing a specific password from scratch. If the password is found in a breach database, the crack time is zero regardless of entropy — which is why the common password check matters more than the entropy score for passwords that humans create themselves. If your password scores below Strong, use our Password Generator to create a truly random replacement.
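The entropy formula, the eight requirement checks and the crack-time estimate described above, as an added JavaScript example (not the ToollyX tool's own code): the pool sizes, the 40/80-bit thresholds and the 10 billion guesses per second rate are the page's; the COMMON set is a constructed five-entry stand-in for the bundled breach list, and the repetition regexes and the middle "moderate" label are this example's own assumptions.

```javascript
// Pool sizes and 1e10 guesses/sec are the page's; labels, regexes and COMMON are this example's.
const CLASSES = [
  { re: /[a-z]/, size: 26 },        // lowercase
  { re: /[A-Z]/, size: 26 },        // uppercase
  { re: /[0-9]/, size: 10 },        // digits
  { re: /[^A-Za-z0-9]/, size: 32 }, // symbols (page's approximate count)
];
// Constructed stand-in for the bundled breach list (the real one is far larger).
const COMMON = new Set(["password", "password1!", "123456", "qwerty", "letmein"]);
const GUESSES_PER_SEC = 1e10;
const isCommon = pw => COMMON.has(pw.toLowerCase());

// Pool = sum of the sizes of every character class present in the password.
function poolSize(pw) {
  return CLASSES.filter(c => c.re.test(pw)).reduce((n, c) => n + c.size, 0);
}
// length * log2(pool), which assumes every character was chosen at random.
function entropyBits(pw) {
  const pool = poolSize(pw);
  return pool > 0 ? pw.length * Math.log2(pool) : 0;
}
// A Diceware passphrase is random at the word level, so score it as
// words * log2(list size); entropyBits() would badly overstate it.
const passphraseBits = (words, listSize) => words * Math.log2(listSize);

// "aaa"/"111": a character three times running; "abcabc": a 2-4 char unit twice.
function hasRepeatedSequence(pw) {
  return /(.)\1\1/.test(pw) || /(.{2,4})\1/.test(pw);
}
// The eight requirements from the checklist; each is true when satisfied.
function requirements(pw) {
  const has = i => CLASSES[i].re.test(pw);
  return {
    minLength8: pw.length >= 8, recommendedLength12: pw.length >= 12,
    lowercase: has(0), uppercase: has(1), digits: has(2), symbols: has(3),
    noRepeatedSequence: !hasRepeatedSequence(pw), notCommon: !isCommon(pw),
  };
}

// Worst-case offline brute force: 2^bits guesses at GUESSES_PER_SEC.
const secondsForBits = bits => Math.pow(2, bits) / GUESSES_PER_SEC;
// A breach-list hit is a table lookup, not a search: zero seconds.
const crackSeconds = pw => (isCommon(pw) ? 0 : secondsForBits(entropyBits(pw)));
// Page bands: under 40 bits weak, over 80 very strong; the middle "moderate"
// label is this example's own. A breach hit is weak whatever its entropy.
function label(pw) {
  const bits = entropyBits(pw);
  if (isCommon(pw) || bits < 40) return "weak";
  return bits > 80 ? "very strong" : "moderate";
}
```

Running `label("Password1!")` returns "weak" even though its 10 characters over a 94-symbol pool score about 65 bits, because the breach-list lookup overrides the entropy figure.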
Password Strength Guidelines by Account Type
Different accounts warrant different strength levels. Online accounts (social media, subscriptions): minimum 12 characters, aim for 16+ to achieve 100+ bits entropy. High-value accounts (email, banking, cloud storage): 20+ characters — your email account can be used to reset every other password you own, making it the highest-priority credential. Password manager master password: 24+ characters using all four character sets — memorise it, write it down on paper stored in a secure physical location, never type it on an unfamiliar device. Service accounts and API keys: 32–64 characters, generated randomly — humans should not choose these at all. NIST SP 800-63B discourages complexity rules in favour of length, encouraging passphrases and discouraging mandatory rotation except after suspected compromise.
Safe to Test Your Real Passwords — Nothing Is Transmitted
All analysis runs entirely in your browser using JavaScript. Your password is never transmitted to ToollyX servers, never stored in cookies or localStorage, and is cleared from memory when you leave the page. The common password list is bundled in the page's JavaScript code — no network requests are made to check it. This is safe for testing real passwords including those for banking accounts, email accounts, and cryptocurrency wallets. After testing, if your password scores below Strong, generate a replacement with our Password Generator and store it immediately in a password manager.
✓ Verified by ToollyX Team · Last updated June 2026