The password strength analyzer uses the zxcvbn algorithm to score your password across 6 dimensions in real time: length, character diversity, pattern resistance, crack time estimate, entropy, and common password detection.
Your password never leaves your browser — analysis runs locally using the zxcvbn library.
How we score
Powered by zxcvbn: Developed at Dropbox, zxcvbn estimates realistic crack times accounting for dictionary attacks, keyboard patterns, and common substitutions — not just character count.
Length (20%): Under 8 = FAIL, 8-11 = WARN, 12-15 = PASS, 16+ = Excellent.
Character Diversity (20%): Points for uppercase, lowercase, digits, and symbols — each category adds 25 points.
Pattern Resistance (20%): From zxcvbn score (0-4) × 25. Penalizes keyboard walks, sequences, and common words.
Crack Time (20%): Based on zxcvbn's estimated guesses. Centuries = 100, years = 80, months = 60, days = 30, instant = 0.
Entropy (10%): From zxcvbn guesses_log10 converted to bits. 50+ bits = excellent.
Common Password (10%): zxcvbn score 0 or 1 = likely common password, significantly penalized.
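The rubric above as a weighted sum, in an added example that is not the tool's own code. The weights, the 25-point steps and the crack-time point values come from the list; the numeric value of each length band, the crack-time cut-offs, the linear entropy ramp, the 0/100 common-password split and the use of zxcvbn's `offline_fast_hashing_1e10_per_second` estimate are assumptions, and the two result objects are constructed rather than real zxcvbn output.

```javascript
const WEIGHTS = { length: 0.2, diversity: 0.2, pattern: 0.2, crackTime: 0.2, entropy: 0.1, common: 0.1 };
const DAY = 86400, MONTH = 30 * DAY, YEAR = 365 * DAY;

function lengthScore(pw) {
  // Bands are the page's; the numeric value per band is an assumption.
  if (pw.length < 8) return 0;    // FAIL
  if (pw.length < 12) return 50;  // WARN
  if (pw.length < 16) return 80;  // PASS
  return 100;                     // Excellent
}

function diversityScore(pw) {
  // 25 points per character class present (from the page).
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(pw)).length * 25;
}

function crackTimeScore(seconds) {
  // Point values are the page's; the cut-offs between buckets are assumptions.
  if (seconds >= 100 * YEAR) return 100; // centuries
  if (seconds >= YEAR) return 80;
  if (seconds >= MONTH) return 60;
  if (seconds >= DAY) return 30;
  return 0; // anything under a day is treated as "instant"
}

function entropyScore(guessesLog10) {
  const bits = guessesLog10 * Math.log2(10); // log10(guesses) -> log2(guesses)
  return Math.min(100, (bits / 50) * 100);   // linear ramp up to 50 bits is an assumption
}

function analyze(pw, result) {
  // `result` has the shape zxcvbn(pw) returns; only three of its fields are read.
  const dims = {
    length: lengthScore(pw),
    diversity: diversityScore(pw),
    pattern: result.score * 25,
    crackTime: crackTimeScore(result.crack_times_seconds.offline_fast_hashing_1e10_per_second),
    entropy: entropyScore(result.guesses_log10),
    common: result.score <= 1 ? 0 : 100, // 0/100 split is an assumption
  };
  const total = Object.keys(WEIGHTS).reduce((sum, k) => sum + WEIGHTS[k] * dims[k], 0);
  return { dims, total: Math.round(total) };
}
// Constructed inputs (not real zxcvbn output) for two passwords quoted on the page.
const weak = analyze("P@ssw0rd123!", { score: 1, guesses_log10: 4,
  crack_times_seconds: { offline_fast_hashing_1e10_per_second: 1e-6 } });
const random = analyze("Kx9#mP2$vL8nQw4j", { score: 4, guesses_log10: 16,
  crack_times_seconds: { offline_fast_hashing_1e10_per_second: 1e6 } });
console.log(weak, random);
```

With these inputs the first password scores 80 on length and 100 on diversity, yet the three zxcvbn-derived dimensions and the common-password penalty pull its total down to 44.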
How to Use the Password Strength Analyzer
Most password strength meters lie to you. They show "strong" for passwords like "P@ssw0rd123!" — a password that gets cracked in seconds because attackers know all the common substitution patterns. This analyzer uses zxcvbn, the same algorithm trusted by Dropbox, to give you honest feedback.
Understanding the crack time estimate
The crack time assumes an offline attack against a leaked password hash. This is the worst-case scenario: no rate limit applies, so the attacker can guess as fast as their hardware allows. If your password shows "3 hours," that means it could be cracked in 3 hours on a modern GPU. For a password protecting sensitive accounts, you want "centuries."
What makes passwords resistant to cracking?
Length beats complexity. "correcthorsebatterystaple" (25 chars, all lowercase) is stronger than "P@$$w0rD!" (9 chars, "complex"). Attackers use pattern databases: dictionary words, keyboard walks (qwerty, 123456), date patterns (01/01/1990), and leetspeak substitutions (@ for a). The zxcvbn algorithm checks all of these.
How to create a strong password
Use a password manager to generate random 16-20 character strings like Kx9#mP2$vL8nQw4j. If you need a memorable passphrase, use 4+ random unrelated words: "correct horse battery staple." Never use personal information (birthdate, pet name, city), and never reuse passwords across sites.
FAQ
How does zxcvbn measure password strength?
zxcvbn (developed at Dropbox) estimates how many guesses an attacker would need to crack a password. It checks for dictionary words, keyboard patterns (qwerty, 12345), date patterns, and common substitutions (@ for a, 3 for e). Unlike simple strength meters, zxcvbn penalizes passwords that look complex but follow predictable patterns.
Is my password sent to a server?
No. Password analysis runs entirely in your browser using the zxcvbn JavaScript library loaded from a CDN. Your password is never transmitted, logged, or stored anywhere. Close the tab and no trace remains.
What is password entropy?
Entropy measures the unpredictability of a password in bits. A password with 40 bits of entropy takes up to 2^40 (about 1 trillion) guesses to crack. Each additional bit doubles the search space. zxcvbn calculates entropy based on actual attack patterns, not just character set size: 'P@ssw0rd' has far less entropy than it appears because attackers know this pattern.
What makes a truly strong password?
Length matters more than complexity. A 16-character random passphrase (4 random words like 'correct horse battery staple') is stronger than 'P@$$w0rd123!', which attackers guess routinely. Aim for 12+ characters with no dictionary words, no keyboard patterns, and no personal information.
Is this tool free?
Yes, completely free with no account required. The tool uses the open-source zxcvbn library for honest password strength assessment.
What is a good crack time for a password?
For personal accounts, aim for 'centuries' or at minimum 'years' on the cracking estimate. Passwords crackable in 'seconds' or 'minutes' are unacceptably weak. Rate limiting slows online attacks, but offline attacks on leaked hash databases can try billions of combinations per second.