DevToolbox

Password Strength Analyzer

Analyze any password for strength, entropy, character composition, pattern vulnerabilities, and estimated crack time.

About This Tool

The Password Strength Analyzer is a free browser-based tool that evaluates the security of any password in real time. It calculates Shannon entropy based on the character classes present (lowercase, uppercase, digits, and symbols) and the password length, giving you a precise measurement of how unpredictable your password truly is.

Beyond raw entropy, the analyzer performs pattern detection to identify common weaknesses that pure entropy calculation misses. It checks for sequential characters (abc, 123), repeated characters (aaa), keyboard patterns (qwerty, asdf), and matches against a built-in list of approximately 100 commonly used passwords. These patterns significantly reduce effective security even when a password appears long enough on paper.

The tool provides time-to-crack estimates for two attack scenarios: an online attack throttled to 1,000 guesses per second (typical of a rate-limited web login) and an offline attack running at 10 billion guesses per second (representative of GPU-accelerated hash cracking). These estimates help you understand the real-world implications of your password's entropy.

Need to generate a strong password instead of analyzing one? Use our Password Generator to create cryptographically random passwords and passphrases. You can also explore how password hashing works with the Hash Generator, which computes MD5, SHA-256, and other digests entirely in your browser.

All analysis runs 100% client-side. Your password never leaves your browser — it is not transmitted to any server, stored in any database, or logged by any analytics service. You can verify this by inspecting network activity in your browser's developer tools.

How to Use

  1. Type or paste a password into the input field at the top of the tool.
  2. Toggle the eye icon to show or hide the password as plain text.
  3. Review the strength meter which displays a color-coded bar (red through green) and an entropy score in bits.
  4. Check the character analysis panel to see the breakdown of uppercase, lowercase, digit, symbol, and unique character counts.
  5. Examine the time-to-crack estimates for both online and offline attack scenarios.
  6. Read any pattern warnings that flag sequential characters, keyboard patterns, repeated characters, or matches against common passwords.
  7. Follow the suggestions listed below the analysis to improve your password's strength. Press Ctrl+Shift+C to copy the password.

FAQ

Is my data safe?

Yes. All password analysis runs entirely in your browser using client-side JavaScript. Your password is never transmitted over the network, stored on a server, or logged by any analytics service. You can verify this by opening your browser's developer tools and checking the Network tab.

How is entropy calculated?

Entropy is calculated as log2(charset_size ^ length), which simplifies to length * log2(charset_size). The charset size is the sum of character classes present in the password: 26 for lowercase, 26 for uppercase, 10 for digits, and 33 for symbols. For example, a 12-character password using all four classes has an entropy of 12 * log2(95) = approximately 78.8 bits.

What do the time-to-crack estimates mean?

The online attack estimate assumes an attacker is limited to 1,000 guesses per second, which is typical for rate-limited web logins. The offline attack estimate assumes 10 billion guesses per second, representing a modern GPU-accelerated hash-cracking setup. Both estimates use the average case (half the total key space).

Why does pattern detection matter if entropy is high?

Entropy assumes random character selection. If a password contains common words, keyboard patterns, or sequential characters, an attacker can use dictionary attacks and rule-based cracking that are far more efficient than brute force. Pattern detection helps identify these weaknesses that pure entropy calculation cannot capture.

What is considered a strong password?

A password with 60 or more bits of entropy and no detected patterns is generally considered strong. For high-security applications, aim for 80+ bits. This typically means at least 12 characters using a mix of uppercase, lowercase, digits, and symbols, with no dictionary words or keyboard patterns.

How does this differ from the Password Generator?

The Password Generator creates new random passwords for you, while the Password Strength Analyzer evaluates passwords you already have or are considering. They are complementary tools — generate a password, then analyze it to confirm its strength, or analyze an existing password and follow the suggestions to improve it.

Related Tools

Password Generator

Generate secure passwords and passphrases with entropy-based strength analysis.

Bcrypt Generator

Generate bcrypt password hashes and verify passwords against existing hashes. Configurable salt rounds.

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes for text and files.

TOTP Generator

Generate and verify Time-based One-Time Passwords (RFC 6238). Create secrets, QR codes, and test 2FA tokens.

Text Encrypt / Decrypt

Encrypt and decrypt text with AES-256-GCM using a password. All processing in your browser.