Skip to main content

Password Strength Checker — entropy, crack time, offline breach check

Check password strength — entropy, time-to-crack, breach pattern check (offline).

  • Runs locally
  • Category Encoding & Crypto
  • Best for Checking small payloads, tokens, hashes, and encoded values quickly.
Privacy:Your password never leaves your browser. No network requests, no storage, no telemetry. Close the tab and it is gone.
Type or paste a password
Strength
Try an example:
Entropy
0 bits
Character space: 0
Offline GPU (1e11/sec)
2^entropy / 2 / 1e11
Online attack (1e3/sec)
throttled web login

Start typing above to see strength analysis.

What this tool does

A serious password strength checker that runs 100% in your browser — your password is never sent over the network, never stored, never logged. We compute Shannon entropy from the actual character space you used, then penalize repeated runs, keyboard sequences, years, and common dictionary words. Estimated time-to-crack is shown for two attacker models: a throttled web login (1,000 guesses/sec) and an offline GPU rig (100 billion guesses/sec). A built-in list of 1,000+ leaked passwords (RockYou top hits, brand defaults, CN/EN classics) is checked locally with Set.has — no API calls, no k-anonymity round-trip. Issues and suggestions are concrete and actionable: "extend to 14 characters", "add a symbol", "drop the year — easily guessed". Use it before you commit a new password anywhere, or to audit one you already use.

Tool details

Input
Form fields
The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output
Live result + Copy
The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy
Browser-side processing
The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share
No account required
Open the page and use it; whether results survive refresh depends on the tool.
Performance budget
Initial JS <= 30 KB
No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit
Encoding & Crypto · Developer
Category and role tags drive related tools, internal links, and quick fit checks.

How to use

  1. 1. Input

    Paste or drop your content into the tool panel.

  2. 2. Process

    Click the button. All processing is local in your browser.

  3. 3. Copy / Download

    Copy the result or download to disk in one click.

How Password Strength Checker fits into your work

Use it for quick browser-side encoding, decoding, hashing, token checks, and share-safe transformations.

Encoding jobs

  • Checking small payloads, tokens, hashes, and encoded values quickly.
  • Preparing values for APIs, URLs, docs, or support tickets.
  • Avoiding account-based tools when the input might be sensitive.

Encoding checks

  • Do not paste live secrets unless you are comfortable with local browser handling.
  • Confirm whether the operation is reversible before sharing the result.
  • For hashes, compare the exact algorithm and casing expected by the receiver.

Good next steps

These links move the current task into a more complete workflow.

  1. 1 Bcrypt Generator bcrypt password hash generator + verifier — pick rounds, hash and compare in browser. Open
  2. 2 Password Generator Generate strong, cryptographically random passwords and passphrases — entirely in your browser. Open
  3. 3 MD5 / SHA Hash Generator Compute MD5 / SHA-1 / SHA-256 / SHA-384 / SHA-512 hashes, all five at once, browser-only Open

Real-world use cases

  • Vetting a new admin password before you save it

    You are about to set the root password for a production database. You type a candidate here first. The tool shows 38 bits of entropy and flags a trailing "2024", so you swap to a 5-word passphrase and watch entropy jump past 80 bits. Now the offline-GPU estimate moves from minutes to centuries before you commit it.

  • Teaching a team why "Summer2024!" is not strong

    During a security onboarding, a new hire insists their password is complex because it has upper, lower, a digit and a symbol. You paste it here live: the breach list flags the season+year pattern and crack time reads under a second for an offline attacker. The concrete number ends the argument better than a policy slide ever could.

  • Choosing a master phrase for a password manager

    You are migrating to a vault and need one phrase you can actually remember for years. You test candidates here until you find a 5-word combination plus a digit that lands above 90 bits and survives the offline model at decades-to-crack. Because nothing leaves the tab, you are not seeding your future master phrase into any server log.

  • Auditing a reused password you already have

    You suspect an old password is too weak but do not want to type it into a random website. This tool runs fully offline, so you check it safely: it reports 44 bits and a keyboard-sequence penalty for the "qwerty" fragment. That is enough signal to rotate it everywhere it was reused, starting with email and banking.

Common pitfalls

  • Judging strength by length alone. A 16-character "aaaaaaaaaaaaaaaa" has almost no entropy; this tool penalizes the repeat run, so watch the entropy bits, not the character count.

  • Trusting l33t substitutions like "P@ssw0rd". Attackers apply these mangling rules by default, so the breach check still flags it. Use unrelated random words instead.

  • Reading only the web-login crack time. The "1,000 guesses/sec" number assumes rate limiting; for a leaked hash use the offline GPU figure, which can be billions of times faster.

Privacy

Your password never leaves this browser tab. The entire analysis (entropy, crack-time, and the 1,000+ breach-list lookup) runs as local JavaScript with no fetch, no WebSocket, and no analytics beacon carrying your input. Nothing is written to localStorage or sessionStorage, and the value is not placed in the URL, so a shared link never leaks it. Close the tab and what you typed is gone for good. Verify it yourself in DevTools Network.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Browse all tools for this role
Made by Toolora · 100% client-side · Updated 2026-06-13