Password Strength Checker
See how strong your password is and how long it would take to crack — checked entirely in your browser. Nothing is ever sent, logged or stored.
This is a conservative estimate — we check length, character variety, common passwords, dictionary words and obvious patterns. A high score is not a guarantee. Never reuse a password, and store them in a manager. Need strong ones? Generate passwords → or a passphrase →
Why length beats complexity
What actually makes a password strong
Entropy — randomness — is what resists guessing. A reused word like “password” carries only a handful of bits; four random words carry ~44; a 16-character random string ~100+. The maths is rarely the weak point — humans reusing and tweaking words is.
So: make it long, unique, and either fully random or a multi-word passphrase. Generate strong ones with our password generator or passphrase generator, then store them in a manager with MFA on.
Password Strength Checker — FAQs
Yes. The entire check runs in your browser using JavaScript — your password is never sent to our servers, logged, or stored, and the page loads no third-party scripts. You can disconnect from the internet and it still works. As a precaution you should still only test passwords here, never share them, and prefer generating a fresh unique password for any account that matters.
It estimates the entropy (in bits) of your password — roughly, how many guesses an attacker would need. It starts from the size of the character set and the length, then applies conservative penalties for real-world weaknesses: common passwords, dictionary words and passphrases, keyboard or number sequences, repeats, and low character variety. The estimate is deliberately cautious — it only ever lowers the score, never inflates it.
Aim for 60+ bits of entropy to resist offline cracking, and 80+ for anything important — a 16-character random password is around 100 bits. The single biggest factor is length: each extra character multiplies the work to crack it far more than swapping a letter for a symbol. UK NCSC and NIST SP 800-63B both favour long, unique passwords or passphrases over short complex ones.
They estimate how long it would take to guess your password by brute force at three attacker speeds: a throttled online login (~1,000 guesses/second), one high-end GPU cracking an offline stolen hash (~10 billion/second), and a well-funded cluster (~1 trillion/second). They assume a brute-force search; a password built on a dictionary word or pattern can fall far faster, which is why we flag those.
No — treat it as a conservative estimate, not a guarantee. A password can still be compromised if it has been reused, phished, or exposed in a data breach. The safest approach is a unique, randomly generated password per account, stored in a password manager, with multi-factor authentication enabled.
Generate a strong one. Use our free in-browser password generator for random passwords, or the passphrase generator for something memorable, then store it in a password manager and turn on MFA. Servnet can help your business roll this out as part of a cyber-security review.
More free security tools
Generate passwords and passphrases, hash text, create UUIDs — all in your browser. And when you’re ready to secure the whole estate, Servnet helps UK businesses achieve Cyber Essentials.