Password Strength Checker

Test password entropy, crack time, weak patterns, and breach exposure.

Check password strength before you reuse it

Use this checker to spot short passwords, common patterns, low entropy, and known breach exposure. If a password is weak or reused, replace it with a new random password or passphrase.

Password Generator

Create a strong random replacement.

Passphrase Generator

Generate memorable random-word passwords.

WiFi Password Generator

Create secure router passwords.
Back to Password Generator
100% Client-Side No Data Sent to Server No Rate Limits No Signup Required

Latest Articles

View all
How to Create a Strong Password: The Complete Security Guide

How to Create a Strong Password: The Complete Security Guide

Learn how to create strong passwords with practical tips on length, complexity, passphrases, password managers, and 2FA. Updated for 2026.
The 200 Most Common Passwords in 2026 (Is Yours on This List?)

The 200 Most Common Passwords in 2026 (Is Yours on This List?)

Check the 200 most common passwords of 2026. If yours is on this list, change it immediately. See how fast hackers can crack each one.
Passphrase Generator: Why 4 Random Words Beat P@$$w0rd

Passphrase Generator: Why 4 Random Words Beat P@$$w0rd

Learn why random-word passphrases can be easier to type than complex passwords, when they are strong enough, and when to use more words.

Frequently Asked Questions

Is my password sent to any server?
No. All strength analysis happens locally in your browser. For the breach check, only the first 5 characters of the SHA-1 hash are sent (k-anonymity), so your full password is never transmitted.
What is password entropy?
Entropy measures the randomness of a password in bits. Higher entropy means more possible combinations and a stronger password. A password with 80+ bits of entropy is considered very strong.
How does the breach check work?
We use the Have I Been Pwned API with k-anonymity. Your password is hashed with SHA-1, and only the first 5 characters of the hash are sent to the API. The API returns all matching hashes, and the comparison happens locally in your browser.
What is a good crack time?
A password that would take centuries or millennia to crack at 10 billion guesses per second is considered very strong. Anything under a year is weak by modern standards.
What patterns does it detect?
The checker looks for sequential characters (abc, 123), repeated characters (aaa), keyboard patterns (qwerty), common substitutions (p@ssw0rd), and dictionary words.