Password Strength Checker

Test password entropy, crack time, weak patterns, and breach exposure.

Check password strength before you reuse it

Use this checker to spot short passwords, common patterns, low entropy, and known breach exposure. If a password is weak or reused, replace it with a new random password or passphrase.

Password Generator

Create a strong random replacement.

Passphrase Generator

Generate memorable random-word passwords.

WiFi Password Generator

Create secure router passwords.
Back to Password Generator
100% Client-Side No Data Sent to Server No Rate Limits No Signup Required

Latest Articles

View all
Are Password Generators Safe? What You Should Know

Are Password Generators Safe? What You Should Know

Are password generators safe to use? Learn how they work, whether they can be hacked or tracked, and how to tell a trustworthy generator from a risky one.
How Long Should a Password Be? (2026 Length Guide)

How Long Should a Password Be? (2026 Length Guide)

How long should a password be in 2026? Learn the ideal password length for email, banking, and WiFi, why length beats complexity, and what NIST recommends.
How to Create a Strong Password: The Complete Security Guide

How to Create a Strong Password: The Complete Security Guide

Learn how to create strong passwords with practical tips on length, complexity, passphrases, password managers, and 2FA. Updated for 2026.

Frequently Asked Questions

Is my password sent to any server?
No. All strength analysis happens locally in your browser. For the breach check, only the first 5 characters of the SHA-1 hash are sent (k-anonymity), so your full password is never transmitted.
What is password entropy?
Entropy measures the randomness of a password in bits. Higher entropy means more possible combinations and a stronger password. A password with 80+ bits of entropy is considered very strong.
How does the breach check work?
We use the Have I Been Pwned API with k-anonymity. Your password is hashed with SHA-1, and only the first 5 characters of the hash are sent to the API. The API returns all matching hashes, and the comparison happens locally in your browser.
What is a good crack time?
A password that would take centuries or millennia to crack at 10 billion guesses per second is considered very strong. Anything under a year is weak by modern standards.
What patterns does it detect?
The checker looks for sequential characters (abc, 123), repeated characters (aaa), keyboard patterns (qwerty), common substitutions (p@ssw0rd), and dictionary words.