Password Strength Checker

Why entropy beats character-class counting

Old strength meters look for "1 uppercase, 1 number, 1 symbol" — but Password1! passes that check and is still terrible. Real strength is about unpredictability, not which characters appear.

• Length wins — adding a character is worth far more than swapping o for 0
• Patterns lose — dictionary words, keyboard walks (qwerty), repeated chars, dates all crash entropy
• Diceware beats l33t — correct horse battery staple (44 bits) beats Tr0ub4dor&3 (28 bits)

How to read the crack-time numbers

• Online (100/sec) — someone guessing at the login page. Rate-limiting is the main defense.
• Offline (10B/sec) — what happens if a database leaks (your hash is now being cracked locally on someone's GPU). The "real" threat for important accounts.
• Centuries+ offline is the target for anything important. Anything under a few years offline is weak.

Privacy

The password is never sent anywhere. All calculation happens in JavaScript in your browser.