Password Strength Analyzer
Analyze the strength of any password with entropy calculation, estimated crack time at various attack speeds, pattern detection and improvement suggestions. Everything runs in your browser; your password is never transmitted.
What is a Password Strength Analyzer?
A password strength analyzer evaluates a password against multiple criteria (entropy, character composition, common patterns, and estimated crack time) to give a concrete, quantitative measure of how resistant it is to brute-force and dictionary attacks. Unlike simple checkers that only count character types, a proper strength analyzer models how an attacker would actually approach cracking the password and estimates crack time at realistic attack speeds, from online throttled systems all the way up to dedicated GPU cracking rigs.
For DevOps and security engineers, password strength analysis matters beyond individual user accounts. It is relevant when designing password policies for internal tooling, validating that generated secrets meet minimum entropy requirements for API keys and database credentials, and educating development teams about why certain common password patterns (like appending a year to a word) provide far less protection than their length would suggest. Understanding entropy and crack time estimates helps make informed, evidence-based decisions about password policy rather than relying on outdated rules.
When to Use This Tool
- Evaluating password policies before enforcement: Test sample passwords against your organization's proposed policy to verify that the rules actually produce strong passwords and do not inadvertently encourage predictable patterns like CompanyName2024!.
- Validating generated secrets and API keys: Confirm that randomly generated database passwords, service account credentials, and API tokens meet minimum entropy thresholds before provisioning them into production systems.
- Security training and awareness sessions: Demonstrate to engineers and developers, in real time, why P@ssw0rd1 is crackable in seconds despite meeting most complexity requirements, and show what a genuinely strong password looks like.
- Auditing passwords stored in configuration files: Spot-check sample credentials from configuration files or secret managers to identify any that are unexpectedly weak before they become an incident.
How It Works
The tool calculates entropy using the formula entropy = length × log2(characterSetSize), where the character set size grows as you add lowercase letters (26), uppercase letters (26), digits (10), and symbols (32+). It runs a pattern detection pass to identify common weaknesses (dictionary words, sequential digits, keyboard walks like qwerty, repeated characters, and year substitutions) and penalizes the score accordingly. Crack time is estimated by dividing the total combination space (character set size to the power of password length) by the guesses-per-second rate for five realistic attack scenarios, from an online throttled service (100 guesses/sec) to a GPU cracking cluster (10 trillion guesses/sec). Two caveats apply when reading that table. The offline rates assume a fast, unsalted hash such as MD5 or NTLM; a deliberately slow, salted KDF such as bcrypt, scrypt or Argon2 lowers an attacker's rate by several orders of magnitude. And because the division uses the full combination space, the times are an upper bound for a pure brute-force attacker; a wordlist or rule-based attack on a password with detected patterns finishes far sooner. All analysis runs locally in your browser and your password is never transmitted.
Frequently Asked Questions
How is password strength calculated?
Strength is calculated using a multi-factor model. First, entropy is computed by multiplying the password length by the base-2 logarithm of the character set size; more characters and greater variety both increase it. This is the entropy of a password drawn uniformly at random from that alphabet, which makes it an upper bound for a human-chosen password rather than a measure of how predictable the user's actual choice was. Second, a pattern detector scans for common weaknesses: dictionary words, sequential digit runs (123, 456), keyboard walk patterns (qwerty, asdf), repeated characters (aaa, 111), and the common word-plus-digits format (password123). Passwords that match the top common-password list are immediately capped at "Very Weak" regardless of entropy, since an attacker tries that list before any brute force. The final score maps the adjusted entropy to five strength levels from Very Weak (under 20 bits) to Very Strong (100 bits or more), and crack time estimates are computed for five attack speed scenarios.
What is entropy in password security?
Entropy, measured in bits, quantifies the theoretical unpredictability of a password. Each additional bit of entropy doubles the number of guesses an attacker must make to exhaust the space. A password with 40 bits of entropy has roughly 1.1 trillion (2^40) possible combinations; against a fast, unsalted hash a single GPU exhausts that in seconds to minutes. At 60 bits the space is about 10^18 (a quintillion) combinations, which a cluster at 10 trillion guesses per second finishes in roughly a day, so offline cracking is feasible with sustained effort. At 80 bits (about 10^24) that same cluster would need thousands of years. At 128 bits the space is about 3.4 × 10^38 combinations, and the cluster would need on the order of 10^18 years, far longer than the age of the universe, so brute force is computationally infeasible with foreseeable technology. Aim for at least 80 bits for high-value accounts, and remember that these figures describe random passwords: a human-chosen password with detected patterns has far fewer effective bits than the formula suggests.
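The model described in How It Works and in the two answers above, written out as an added example in JavaScript (the language the tool runs in); this is illustrative code, not the tool's own source. The word lists are small constructed samples, and DICT_BITS, PATTERN_PENALTY, the level thresholds between 20 and 100 bits, and the three attack rates the page does not name are assumptions. One deliberate departure is labelled in the code: crack time is computed from the pattern-adjusted effective space 2^adjustedBits rather than the raw charset^length space, so a listed password shows as instant, and a hashCostFactor parameter scales the rates for slow KDFs.

```javascript
// Added example, not the tool's own source: a small analyzer following the
// page's model (entropy = length * log2(charset), pattern detection, a
// common-password cap, crack times for five attack rates). Word lists are
// constructed; DICT_BITS, PATTERN_PENALTY, the level thresholds and the
// three unnamed attack rates are assumptions.

const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "p@ssw0rd1", "letmein"]);
const DICTIONARY = ["password", "welcome", "company", "summer", "dragon"];
const KEYBOARD_WALKS = ["qwerty", "asdf", "zxcv", "1qaz"];
const LEET = { "@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t" };
const DICT_BITS = 17;       // assumed: a dictionary word costs ~2^17 guesses, not charset^(its length)
const PATTERN_PENALTY = 12; // assumed: bits removed per detected structural pattern

// Guesses per second. The page names 100 (online, throttled) and 1e13 (GPU
// cluster); the middle three are assumptions. Offline rates assume a fast
// unsalted hash such as MD5 or NTLM.
const SCENARIOS = [
  ["Online, throttled", 1e2],
  ["Online, unthrottled", 1e4],
  ["Offline, single CPU", 1e7],
  ["Offline, single GPU", 1e10],
  ["Offline, GPU cluster", 1e13],
];

// Alphabet size per the page's rules: 26 + 26 + 10 + 32.
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^A-Za-z0-9]/.test(pw)) n += 32;
  return n;
}

// Entropy of a uniformly random string over that alphabet: the page's
// formula, and an upper bound for anything a human chose.
function rawEntropyBits(pw) {
  const n = charsetSize(pw);
  return n === 0 ? 0 : pw.length * Math.log2(n);
}

// Undo common leetspeak so "P@ssw0rd" still matches "password".
function unleet(pw) {
  return pw.toLowerCase().replace(/[@0135$7]/g, (c) => LEET[c]);
}

function longestDictionaryWord(pw) {
  const norm = unleet(pw);
  return DICTIONARY.filter((w) => norm.includes(w)).sort((a, b) => b.length - a.length)[0] || "";
}

function detectPatterns(pw) {
  const lower = pw.toLowerCase();
  const found = [];
  if (longestDictionaryWord(pw)) found.push("dictionary-word");
  if (/012|123|234|345|456|567|678|789|987|876|765|654|543|432|321|210/.test(lower)) found.push("sequential-digits");
  if (KEYBOARD_WALKS.some((k) => lower.includes(k))) found.push("keyboard-walk");
  if (/(.)\1\1/.test(lower)) found.push("repeated-characters");
  if (/^[a-z]+\d+[^a-z\d]*$/.test(lower)) found.push("word-plus-digits");
  if (/(?:19|20)\d{2}[^a-z\d]*$/.test(lower)) found.push("year-suffix");
  return found;
}

function formatDuration(s) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, size] of units) if (s >= size) return `${(s / size).toPrecision(3)} ${name}`;
  return s < 1 ? "instant" : `${s.toPrecision(3)} seconds`;
}

// hashCostFactor: how many times slower than a fast hash the target KDF is
// (1 for MD5/NTLM; an assumed 1e4 to 1e5 for bcrypt at cost 10 to 12).
function analyze(pw, hashCostFactor = 1) {
  const raw = rawEntropyBits(pw);
  const patterns = detectPatterns(pw);
  const bitsPerChar = pw.length ? raw / pw.length : 0;
  let adjusted = raw;
  const word = longestDictionaryWord(pw);
  if (word) adjusted += DICT_BITS - word.length * bitsPerChar; // the word is one dictionary hit
  adjusted -= PATTERN_PENALTY * patterns.filter((p) => p !== "dictionary-word").length;
  let level;
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) {
    adjusted = Math.log2(COMMON_PASSWORDS.size); // the attacker tries the list first
    level = "Very Weak";
  } else {
    adjusted = Math.max(adjusted, 0);
    level = adjusted < 20 ? "Very Weak" : adjusted < 40 ? "Weak"
          : adjusted < 60 ? "Fair" : adjusted < 100 ? "Strong" : "Very Strong";
  }
  // Departure from the page: divide the pattern-adjusted space 2^adjusted by the
  // rate, instead of the raw charset^length space, so patterns affect the table.
  const crackTimes = SCENARIOS.map(([scenario, rate]) => {
    const seconds = 2 ** adjusted / (rate / hashCostFactor);
    return { scenario, seconds, human: formatDuration(seconds) };
  });
  return { entropyBits: raw, adjustedBits: adjusted, patterns, level, crackTimes };
}

for (const pw of ["P@ssw0rd1", "CompanyName2024!", "x7Q!mR2#vL9@pZ4^kW6&"]) {
  const r = analyze(pw);
  console.log(pw, r.level, r.adjustedBits.toFixed(1), "bits", r.patterns.join(",") || "none",
              "| GPU cluster:", r.crackTimes[4].human);
}
```

Running it shows the three points the page makes: P@ssw0rd1 is on the common list and is rated Very Weak with a crack time of "instant" at every rate; CompanyName2024! drops from about 105 raw bits to about 52 effective bits once the dictionary word, word-plus-digits structure and year suffix are accounted for; and a 20-character random string with no detected pattern keeps its full 131 bits. Pass a hashCostFactor of 1e5 to see how a slow KDF multiplies every offline crack time by the same factor.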
What does NIST recommend for password policies in 2024?
NIST Special Publication 800-63B (Digital Identity Guidelines) recommends a length-first approach to password security. User-chosen passwords must be at least 8 characters, verifiers must accept passwords of at least 64 characters, and the 2024 draft of revision 4 recommends a minimum of 15 characters. NIST advises against other composition rules (requiring uppercase, digits, and symbols) because research shows they push users toward predictable substitutions, like P@ssw0rd, that add minimal security. NIST also advises against periodic forced password rotation, which leads to predictable incremental changes. Instead, organizations should screen new passwords against a blocklist of known-compromised and commonly used passwords and require a change only when there is evidence of compromise. Password managers are strongly encouraged as the practical solution for managing strong, unique passwords across accounts, and verifiers should allow pasting so that they can be used.