Password Strength Checker
Score a password in your browser with entropy, crack-time, a weak-pattern scan, passphrase ideas and a hardening checklist.
This password strength checker scores any password right in your browser, so the value never leaves the page. Type a password or passphrase and you get an entropy estimate from its character pool, points docked for the patterns attackers actually crack first (common words, leetspeak swaps, keyboard walks, years, repeats and the personal words you tell it to watch for), and a side-by-side of how fast each attack model would grind through it, from a throttled login to an offline GPU cluster. When a password is weak it suggests stronger random passwords and word-based passphrases, and a breach-prefix button computes only the first five characters of the SHA-1 hash, the part k-anonymity services use, so you can see a privacy-safe breach lookup without exposing the real password. You walk away with a plain-language account hardening checklist, and none of it touches a server.
100% in your browser. Nothing you type ever leaves this page.
Local password strength checker, entropy estimator and account hardening checklist
Type a password below. I'll score it right here, in your browser. Nothing gets sent to me, ever. What you get back: an entropy estimate, a scan for the lazy patterns attackers reach for first, and a side-by-side of how fast each kind of attack would chew through it. If yours is weak, it'll toss you some passphrase ideas too, plus a privacy-safe way to check it against breach databases. Honestly, I built this mostly because I was tired of every other checker asking you to paste a live password into a box and just trust them.
Everything here happens locally. The password never touches PeopleAreGeek's servers. And look, a password manager with a different password per site will do more for you than chasing a perfect number in this little box.
Password strength is about guessing resistance and account context
A password strength checker is only useful if it scores the way attackers actually attack. A password is not strong because you stuck a dollar sign in it. Attackers do not sit there guessing blind. They throw leaked password dumps at you first, then dictionary words, then keyboard walks and birth years and the swaps everyone makes (a becomes the at sign, o becomes zero), repeated runs, plus whatever you have already reused on five other sites. So a password that looks busy can still fall in seconds if it is short or built on something guessable. The flip side: a long passphrase made of plain words you will actually remember is usually far harder to crack than a short string crammed with punctuation. This tool works out entropy from your character pool, docks points for the patterns that really get cracked, and lines up how fast each attack model would grind through it. None of it touches a server.
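The scoring described above, sketched as an added example (not the checker's own code): pool-based entropy, a flat deduction per weak pattern found, and the average time to guess under each attack model. The guess rates, the 15-bit penalty and the small word lists are assumptions chosen for illustration.

```javascript
// Guess rates (per second), penalty size and word lists are assumptions for
// this example, not values taken from the checker.
const ATTACK_MODELS = { throttledLogin: 10, offlineSlowHash: 1e4, offlineGpuCluster: 1e11 };
const COMMON_WORDS = ['password', 'welcome', 'dragon', 'letmein']; // constructed sample
const KEYBOARD_WALKS = ['qwerty', 'asdf', 'zxcv', '12345'];
const LEET = { '@': 'a', '0': 'o', '1': 'l', '3': 'e', '$': 's', '5': 's', '7': 't' };
const PENALTY_BITS = 15;

// Size of the alphabet implied by the character classes present.
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33; // printable ASCII symbols, space included
  return pool;
}

// Names of the weak patterns found; contextWords are the personal words to watch for.
function findPatterns(pw, contextWords = []) {
  const lower = pw.toLowerCase();
  const unleet = lower.replace(/[@013$57]/g, (c) => LEET[c]); // undo common swaps
  const words = COMMON_WORDS.concat(contextWords.map((w) => w.toLowerCase()));
  const hits = [];
  if (words.some((w) => lower.includes(w) || unleet.includes(w))) hits.push('word');
  if (KEYBOARD_WALKS.some((w) => lower.includes(w))) hits.push('keyboard-walk');
  if (/(19|20)\d\d/.test(pw)) hits.push('year');
  if (/(.)\1\1/.test(pw)) hits.push('repeat'); // same character three times in a row
  return hits;
}

// Entropy in bits before and after penalties, plus average seconds to guess per model.
function score(pw, contextWords = []) {
  const rawBits = pw.length * Math.log2(poolSize(pw) || 1);
  const patterns = findPatterns(pw, contextWords);
  const bits = Math.max(0, rawBits - PENALTY_BITS * patterns.length);
  const seconds = {};
  for (const [name, rate] of Object.entries(ATTACK_MODELS)) {
    seconds[name] = 2 ** bits / 2 / rate; // on average half the space is searched
  }
  return { rawBits, bits, patterns, seconds };
}
```

Pool-based entropy assumes every character is chosen at random, so for human-chosen passwords and word-based passphrases it is an upper bound.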
How to read the score
Treat the score as a warning light, not a certificate. A real login page usually throttles guesses, so even a mediocre password buys you a little time there. The second a database leaks and someone is cracking hashes offline, that same password gets hammered millions of times a second. Context is everything: a password fine for a forum you will forget by Tuesday is nowhere near good enough for email, a hosting panel, banking, or anything with the word admin in it.
- Length is the one lever that almost never lets you down. Add characters before you do anything else.
- Uniqueness beats clever tricks. Swapping an a for an at-sign fools nobody who cracks passwords for a living.
- Context words (your company, your name, your city) are the first thing a targeted guess tries. Leave them out.
- Two-factor authentication is your safety net for the day a password gets phished or you reused it somewhere you forgot.
- Password managers turn "unique password everywhere" from a nice idea into something you actually do.
Privacy and the breach prefix
The whole calculation happens in your browser. The password never leaves the page, and the Copy checklist button never includes the password itself. The Create breach prefix button only ever computes the first five characters of the SHA-1 hash, the part k-anonymity services use, so you can see how a privacy-safe breach lookup works without exposing the real password here. For anything high value, pair a unique password with two-factor authentication and a locked-down recovery email.
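The client side of a k-anonymity lookup, as an added example that is not this page's own code: only the five-character prefix is handed to the lookup function, and the remaining 35 characters are compared locally against whatever the service returns for that prefix. The `SUFFIX:COUNT` reply format, the `fetchRange` callback and the reply contents are assumptions constructed for the example, and Node's built-in `crypto` module stands in for the browser's `crypto.subtle.digest`.

```javascript
const { createHash } = require('crypto');

// Split the SHA-1 hex digest into the 5-character prefix that is shared
// and the 35-character suffix that stays on the client.
function breachPrefix(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Compare the local suffix with the reply for that prefix.
// Assumed reply format: one "SUFFIX:COUNT" entry per line.
function matchSuffix(suffix, responseBody) {
  for (const line of responseBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) return Number(count) || 0;
  }
  return 0; // suffix not listed: this exact password is not in the returned range
}

// Constructed reply for the prefix of "password": two filler entries plus the
// real suffix, computed here so the sample stays self-consistent.
function constructedReply() {
  const { suffix } = breachPrefix('password');
  return ['0'.repeat(35) + ':3', suffix + ':42', 'F'.repeat(35) + ':1'].join('\r\n');
}

// fetchRange is a hypothetical callback standing in for the network request;
// it receives the prefix only, never the password or the full hash.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = breachPrefix(password);
  return matchSuffix(suffix, fetchRange(prefix));
}
```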
Frequently asked questions
Should I type my real password here?
Technically you're fine. It all runs in your browser, nothing gets sent to this site. But I'll be straight with you: I never paste a live password into any website, this one included. If you want the reading without the nagging worry, type something with the same shape (same length, same kind of mix) and you'll learn just as much.
Are symbols required?
They help a little. But length and uniqueness do far more of the heavy lifting. Four random words strung together will outlast a short password sprinkled with punctuation, basically every time. Add a symbol if the site insists, fine. Just don't kid yourself that the symbol is what's protecting you.
Can a checker prove that a password is safe?
No. And don't trust any tool that claims it can. This catches the obvious weaknesses, that's the whole job. Whether your account is actually safe comes down to stuff a checker just can't see. Has this password leaked before? Did you reuse it? Would you fall for a convincing phishing page on a bad day? Is your recovery email locked down? Is 2FA on? The score is where that conversation starts, not where it ends.
What actually makes a password strong?
Length, first and foremost. Get to 12 characters at the bare minimum, and more for anything that matters. After that it comes down to unpredictability, and using a different one on every site. A long passphrase of unrelated words beats a short password bristling with symbols, pretty much always.
What is password entropy?
It's a way to measure unpredictability, counted in bits. Here's the part people miss: every single bit you add doubles the number of guesses an attacker has to make. So the jump from 50 to 60 bits is way bigger than the small-looking numbers suggest. Aim for 60-plus and you're sitting pretty.