A password strength validator checks whether a password is robust enough for real-world use. Paste or type any password below to get an instant PASS/FAIL verdict, estimated crack time, and specific suggestions for improvement. Powered by the zxcvbn algorithm from Dropbox — far more accurate than simple length/character rules.
Privacy: Passwords are checked entirely in your browser. Nothing is sent to any server.
How to Use the Password Strength Validator
This password strength validator uses the zxcvbn algorithm to evaluate whether a password is genuinely strong — not just whether it meets arbitrary rules like "8+ characters, one uppercase, one number." Those rules often produce weak passwords that look strong.
Understanding the Score
The score ranges from 0 (Very Weak) to 4 (Very Strong). A password needs score 3 or 4 to pass — meaning it would take years or longer to crack in the worst-case offline attack scenario. Score 2 (Fair) means hours to days, which is insufficient for any real account.
Why Simple Rules Fail
A password like "Password1!" scores 1 (Weak) despite meeting most corporate password policies. Why? Because "Password" is in every dictionary, "1" and "!" are predictable additions, and the pattern is in the top 100,000 guesses. Meanwhile, "correct-horse-battery-staple" scores 4 despite having only lowercase letters — it's long and unpredictable.
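The comparison above, as an added example (written for this explanation; it is not the tool's code or zxcvbn itself): the code runs the "8+ characters, one uppercase, one number" rule beside a simplified pattern-aware estimator. The word ranks, suffix costs, the 7776-word passphrase list size and all function names are assumptions; the score cut-offs at 10^3, 10^6, 10^8 and 10^10 guesses follow zxcvbn.

```javascript
// Constructed sample ranks: stand-in for the large ranked wordlists a real estimator ships.
const COMMON = new Map([["password", 2], ["qwerty", 4], ["letmein", 16], ["dragon", 20]]);
const PASSPHRASE_LIST_SIZE = 7776; // assumption: words drawn at random from a list this size

// The composition rule quoted on this page: 8+ characters, one uppercase, one number.
function meetsCompositionPolicy(pw) {
  return pw.length >= 8 && /[A-Z]/.test(pw) && /[0-9]/.test(pw);
}

// Simplified pattern-aware estimate of log10(guesses); hypothetical helper.
function estimateLog10Guesses(pw) {
  // Pattern 1: common word plus a predictable suffix of digits/symbols ("Password1!").
  const m = /^([A-Za-z]+)([^A-Za-z]*)$/.exec(pw);
  if (m && COMMON.has(m[1].toLowerCase())) {
    let guesses = COMMON.get(m[1].toLowerCase());
    if (m[1] !== m[1].toLowerCase()) guesses *= 2;              // capitalisation variant
    for (const c of m[2]) guesses *= /[0-9]/.test(c) ? 10 : 33; // appended digit or symbol
    return Math.log10(guesses);
  }
  // Pattern 2: passphrase of three or more separator-joined lowercase words.
  const words = pw.split(/[-_ .]/);
  if (words.length >= 3 && words.every(w => /^[a-z]+$/.test(w))) {
    return words.length * Math.log10(PASSPHRASE_LIST_SIZE);
  }
  // Fallback: brute force over the character classes actually used.
  let charset = 0;
  if (/[a-z]/.test(pw)) charset += 26;
  if (/[A-Z]/.test(pw)) charset += 26;
  if (/[0-9]/.test(pw)) charset += 10;
  if (/[^A-Za-z0-9]/.test(pw)) charset += 33;
  return pw.length * Math.log10(charset || 1);
}

// Score 0-4: one point for each guess threshold (10^3, 10^6, 10^8, 10^10) reached.
function scoreFromLog10(log10Guesses) {
  return [3, 6, 8, 10].filter(t => log10Guesses >= t).length;
}

// PASS requires score 3 or 4, the threshold this page states.
function validate(pw) {
  const score = scoreFromLog10(estimateLog10Guesses(pw));
  return { policyOk: meetsCompositionPolicy(pw), score, pass: score >= 3 };
}

for (const pw of ["Password1!", "correct-horse-battery-staple"]) console.log(pw, validate(pw));
```

The two verdicts come out inverted: the composition rule accepts "Password1!" and rejects the passphrase, while the guess-based score fails the first and passes the second.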
Reading Crack Times
The tool shows four crack time estimates: online throttled (1 attempt/minute), online unthrottled (100/hour), offline fast hashing (MD5), and offline slow hashing (bcrypt). For account security, the offline slow hashing time matters most — that's what an attacker gets after a database breach.
What Makes a Strong Password
Length is the most important factor — a 20-character passphrase of random common words beats an 8-character jumble. Avoid dictionary words, names, dates, keyboard patterns, and common substitutions (@ for a, 3 for e). Use a password manager to generate and store truly random passwords.
FAQ
What score does a password need to pass?
A password needs a score of 3 (Strong) or higher on the 0-4 scale to pass. Scores below 3 (Very Weak, Weak, or Fair) fail the production-readiness threshold. A score of 3 means the password would take years to crack offline.
How is the strength calculated?
This tool uses the zxcvbn algorithm, developed by Dropbox, which checks passwords against common dictionaries, keyboard patterns, dates, names, and other predictable sequences. It's much more accurate than simple rules like 'must have uppercase + number.'
Is my password sent to a server?
No. Password checking runs 100% in your browser using JavaScript. Your password never leaves your device and is never transmitted or stored anywhere.
What is a good crack time estimate?
For most use cases, you want 'centuries' for offline slow hashing (bcrypt, scrypt). If your password shows anything shorter than 'years', it's likely vulnerable to offline brute-force attacks against a leaked database.
Is this tool free?
Yes, completely free. No account, no signup, no limits. Check as many passwords as you like.
What's the difference between this and a password analyzer?
This validator focuses on giving a quick PASS/FAIL verdict for production use. It shows the score, crack time, and the most important improvement suggestions. A full analyzer gives more detailed breakdowns of every component.