Password Strength Checker Tool - Entropy, Crack Time, and zxcvbn-based Password Diagnostic
This tool diagnoses the strength of any password using zxcvbn — a realistic password estimator developed by Dropbox that scores against the top common passwords, dictionary words, keyboard patterns, dates, and l33t-speak substitutions. It reports a 0–4 score, entropy in bits, and estimated crack time across multiple attacker scenarios. Looking to create strong passwords? Use the Password Generator Tool.
All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your password never leaves your device and is not stored, logged, cached, or sent anywhere.
- This tool is provided "AS IS" without any warranties of any kind.
- The author accepts no responsibility for any security incidents arising from the use of this tool.
- Strength estimates are heuristic and depend on attacker assumptions; treat them as guidance, not a guarantee.
- This tool performs self-assessment only — it does not authenticate, store, or share any password.
- By using this tool, you accept full responsibility for any outcomes.
This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.
Strength Score
zxcvbn assigns a score from 0 (very weak) to 4 (very strong) based on guess count.
Entropy & Composition
- Estimated entropy
- Naive upper bound
- Length
- Pool size
Estimated Crack Time
Estimates assume the indicated attacker speed against a stolen password hash or live login. Real-world numbers depend on the hashing algorithm, hardware, and rate-limiting.
Character Class Diversity
Entropy by Length (current character pool)
Shows the theoretical bits-of-entropy upper bound at each length, given the character classes detected in your password. Longer is almost always cheaper than complexity-for-complexity's-sake.
Try an Example
These are illustrative examples only. Never use any example as a real password.
Features
- zxcvbn-powered scoring: Uses Dropbox's zxcvbn 4.4.2 (MIT) bundled with the Top ~30,000 common-password dictionary, English/American word lists, common surnames/first names, and keyboard layouts.
- Entropy in bits: Reports both the zxcvbn pattern-based estimate (log2(guesses)) and a naive textbook upper bound (length × log2(pool size)).
- Four crack-time scenarios: Throttled online (100/h), unthrottled online (10/s), offline slow-hash (10⁴/s), and offline fast-hash GPU (10¹⁰/s).
- Character class diversity: Detects lowercase, uppercase, digits, and symbols, and computes the active character pool size.
- Pattern warnings: Surfaces zxcvbn's warning messages for common passwords, sequential characters, repeated characters, dates, dictionary words, and keyboard patterns.
- Improvement suggestions: Shows zxcvbn's suggestion list (e.g., add another word, avoid repeated patterns).
- Length × pool entropy chart: Visualizes how entropy grows with length for your current character pool.
- Show / Hide toggle: Reveal the password text only when you want to.
- Real-time analysis: Debounced input handler updates the diagnostic as you type.
- 100% client-side: No fetch, no XHR, no WebSocket. Your password is never transmitted.
- Works offline: Once loaded, the tool continues to work without an internet connection.
How to Use
- Enter a password in the input box. The tool analyzes it as you type (with a small debounce delay).
- Read the score and meter — 0 (very weak) to 4 (very strong). Most online services aim for at least score 3.
- Compare entropy values: the zxcvbn estimate accounts for dictionary attacks; the naive bound assumes attackers brute-force every position independently.
- Review the crack-time table against your threat model — if the password protects something behind a slow hash with throttling, online numbers matter; if the hash could leak, fast-hash numbers matter.
- Address warnings and suggestions shown by zxcvbn — they often point at the exact pattern weakening the password.
- Use the "Show / Hide" toggle only when you trust your environment; click "Clear" when finished.
- Need to create a strong password? Open the Password Generator Tool.
Important Notes
- Privacy: Your password is processed entirely in your browser and is never sent anywhere. This tool is for self-assessment, not authentication. No password is stored, logged, or cached — there is no history feature by design.
- Heuristic estimate: zxcvbn approximates the number of guesses an informed attacker would need; it is not a cryptographic proof. Two passwords with similar bit-counts can crack at very different real-world speeds.
- Bundled dictionary: zxcvbn 4.4.2 ships with the Top ~30,000 common-password list (Burnett 10K + xato.net 10K + others), English/American word frequency lists, surnames and first names from US census, and major keyboard layouts (QWERTY, Dvorak, numeric keypad).
- Crack-time assumptions: Online throttled = 100 guesses/hour. Online unthrottled = 10 guesses/second. Offline slow-hash (e.g., bcrypt with cost 10) ≈ 10,000 guesses/second. Offline fast-hash (unsalted MD5/SHA1 on GPU) ≈ 10¹⁰ guesses/second. Modern GPUs can far exceed these for weak hashes.
- Naive entropy (length × log2(pool)) is a pure upper bound assuming each character is independently uniform. Real human-chosen passwords are usually far less random — that is why zxcvbn's estimate is usually lower.
- No breach lookup: This tool does not query "Have I Been Pwned" or any external breach-check service. To check if a password has appeared in known data breaches, use a server-side or k-anonymity lookup separately, after you have verified the destination.
- Use a password manager for unique, high-entropy passwords for every account. Re-using even a strong password defeats most of its strength.
- Browser support: Modern browsers with ES5 support (all browsers since 2015). zxcvbn is loaded as a self-hosted ~800 KB minified file from this site (no third-party CDN).
- Japanese password detection: zxcvbn's bundled dictionary is English-centric. Japanese passwords (e.g., common Japanese words in romaji, Japanese names, dates in Japanese format) may not be detected as weak. Consider applying additional language-specific blacklists in production.
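The naive entropy bound and the four crack-time scenarios from the notes above, worked through as an added example (not this tool's own code). The per-class sizes (in particular 33 for symbols), the function names, and the sample password are assumptions.

```javascript
// Class sizes are assumptions for printable ASCII; the page does not list them.
const CLASSES = [
  { name: "lowercase", re: /[a-z]/, size: 26 },
  { name: "uppercase", re: /[A-Z]/, size: 26 },
  { name: "digits",    re: /[0-9]/, size: 10 },
  { name: "symbols",   re: /[^a-zA-Z0-9]/, size: 33 }, // assumed: ASCII punctuation + space
];

// Attacker speeds in guesses per second, as stated on the page.
const SCENARIOS = {
  onlineThrottled:   100 / 3600, // 100 guesses/hour
  onlineUnthrottled: 10,
  offlineSlowHash:   1e4,
  offlineFastHash:   1e10,
};

function poolSize(password) {
  return CLASSES.filter(c => c.re.test(password))
                .reduce((sum, c) => sum + c.size, 0);
}

// length × log2(pool size): upper bound, assumes independent uniform characters.
function naiveEntropyBits(password) {
  const pool = poolSize(password);
  return pool === 0 ? 0 : [...password].length * Math.log2(pool);
}

// Seconds to exhaust a guess count per scenario; 2^bits gives the naive ceiling.
function crackSeconds(guesses) {
  const out = {};
  for (const [name, rate] of Object.entries(SCENARIOS)) out[name] = guesses / rate;
  return out;
}

function humanize(seconds) {
  const units = [["centuries", 3153600000], ["years", 31536000], ["days", 86400],
                 ["hours", 3600], ["minutes", 60]];
  for (const [label, size] of units) {
    if (seconds >= size) return `${(seconds / size).toFixed(1)} ${label}`;
  }
  return seconds < 1 ? "less than a second" : `${seconds.toFixed(1)} seconds`;
}

// Constructed sample, not a real password.
const sample = "Tr0ub4dor&3";
const bits = naiveEntropyBits(sample);
for (const [name, s] of Object.entries(crackSeconds(2 ** bits))) {
  console.log(name.padEnd(18), humanize(s));
}
```

Passing zxcvbn's guess estimate to crackSeconds instead of 2^bits gives the pattern-aware figures, which are usually far lower than this ceiling.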
Third-Party Libraries:
- zxcvbn (v4.4.2) - License: MIT (Dropbox, Inc.) - https://github.com/dropbox/zxcvbn