Password Strength Checker
Evaluate password strength with scoring based on length, character variety, and pattern detection.
Back to all tools on ToolForge
Password
Strength Analysis
Score:
0 / 100
Rating: Not entered
Criteria Checklist
Suggestions
Password Entropy
About Password Strength Checker
This password strength checker evaluates passwords using multiple criteria: length, character variety (lowercase, uppercase, digits, symbols), pattern detection (repeating characters, sequences, common words), and entropy calculation. Each factor contributes to an overall strength score.
All analysis happens locally in your browser—passwords are never sent to any server. Use this tool to test password ideas before creating accounts, but never enter passwords you're currently using.
Password Strength Scoring Algorithm
// Password Strength Checker Implementation
function evaluatePassword(pwd) {
let score = 0;
let maxScore = 100;
let criteria = [];
let suggestions = [];
// Length scoring (max 40 points)
if (pwd.length >= 16) score += 40;
else if (pwd.length >= 12) score += 30;
else if (pwd.length >= 8) score += 20;
else if (pwd.length >= 6) score += 10;
// Character variety (max 30 points)
let hasLower = /[a-z]/.test(pwd);
let hasUpper = /[A-Z]/.test(pwd);
let hasDigit = /[0-9]/.test(pwd);
let hasSymbol = /[^A-Za-z0-9]/.test(pwd);
let variety = [hasLower, hasUpper, hasDigit, hasSymbol].filter(Boolean).length;
score += variety * 7.5; // up to 30 points
// Pattern penalties (max -30 points)
if (/^(.)\1+$/.test(pwd)) score -= 20; // all same char
if (/123|abc|qwer|password/i.test(pwd)) score -= 15;
if (/^[a-z]+$/.test(pwd) || /^[0-9]+$/.test(pwd)) score -= 10;
// Cap score
score = Math.max(0, Math.min(100, score));
return { score, criteria, suggestions };
}
// Entropy calculation
function calculateEntropy(pwd) {
let poolSize = 0;
if (/[a-z]/.test(pwd)) poolSize += 26;
if (/[A-Z]/.test(pwd)) poolSize += 26;
if (/[0-9]/.test(pwd)) poolSize += 10;
if (/[^A-Za-z0-9]/.test(pwd)) poolSize += 32;
// Entropy = log2(R^L) = L * log2(R)
if (poolSize === 0) return 0;
return pwd.length * Math.log2(poolSize);
}
Password Strength Ratings
| Score | Rating | Time to Crack* | Recommendation |
|---|---|---|---|
| 0-20 | Very Weak | Instant | Do not use |
| 21-40 | Weak | Seconds to minutes | Add length and variety |
| 41-60 | Medium | Hours to days | Acceptable for low-risk |
| 61-80 | Strong | Months to years | Good for most accounts |
| 81-100 | Very Strong | Centuries+ | Excellent for high-value |
*Crack time assumes offline brute-force attack at 10 billion guesses/second
Character Pool Sizes for Entropy
| Character Set | Pool Size (R) | Example |
|---|---|---|
| Lowercase only | 26 | abcdefgh |
| Lowercase + Digits | 36 | abc123 |
| Alphanumeric (mixed case) | 62 | AbC123 |
| Printable ASCII | 94 | AbC123!@# |
| Numeric PIN | 10 | 123456 |
Entropy Reference Table
| Password Type | Length | Pool | Entropy (bits) |
|---|---|---|---|
| 4-digit PIN | 4 | 10 | 13.3 bits |
| 6-digit PIN | 6 | 10 | 19.9 bits |
| 8 char lowercase | 8 | 26 | 37.6 bits |
| 8 char mixed+symbols | 8 | 94 | 52.6 bits |
| 12 char mixed+symbols | 12 | 94 | 78.8 bits |
| 16 char mixed+symbols | 16 | 94 | 105.1 bits |
| 4-word passphrase | ~20 | 7776 | ~51.7 bits |
| 6-word passphrase | ~30 | 7776 | ~77.5 bits |
Common Password Patterns to Avoid
- Dictionary words: password, admin, welcome, dragon, master
- Simple sequences: 123456, abcdef, qwerty, 111111
- Keyboard patterns: qwer, asdf, zxcv, 1qaz2wsx
- Personal info: birthdays, names, phone numbers, addresses
- Simple substitutions: P@ssw0rd, L33t, @dmin (attackers know these)
- Repeating patterns: aaaaaa, 123123, abcabc
- Date patterns: 2024, 0101, 1990 (especially at end)
Password Best Practices
- Use a password manager: Generate and store unique 16+ character passwords for each account
- Enable 2FA: Two-factor authentication protects even if password is compromised
- Use passphrases: 4-6 random words are memorable and high-entropy
- Never reuse passwords: Each account needs a unique password
- Change after breaches: Monitor Have I Been Pwned and change exposed passwords
- Length over complexity: A long passphrase beats short complex passwords
Frequently Asked Questions
- What makes a password strong?
- A strong password has: length of 12+ characters (longer is better), mix of uppercase and lowercase letters, numbers, and symbols, no dictionary words or common patterns, no personal information (names, dates), and uniqueness (not reused across sites). Length is the most important factor for password strength.
- How is password entropy calculated?
- Password entropy = log2(R^L) where R is the character pool size and L is password length. For example: lowercase only (R=26), 8 chars = log2(26^8) ≈ 37.6 bits. Mixed case + digits + symbols (R≈94), 12 chars = log2(94^12) ≈ 78.8 bits. Higher entropy means more guesses required to crack.
- What password length is recommended?
- Minimum 8 characters for low-security accounts, 12+ characters for email and financial accounts, 16+ characters for high-value targets. NIST recommends 8-64 characters for user-chosen passwords. For password managers, 16+ random characters is ideal.
- Why shouldn't I reuse passwords?
- Password reuse creates a single point of failure: if one site is breached, attackers try the same credentials on other sites (credential stuffing). Using unique passwords per site limits damage from any single breach. Password managers help generate and store unique passwords.
- Are password phrases better than passwords?
- Yes, passphrases (4+ random words like 'correct-horse-battery-staple') are often stronger and easier to remember than short complex passwords. They provide high entropy through length while being memorable. Avoid common phrases, quotes, or predictable word combinations.
- What are common password mistakes?
- Common mistakes: using 'password' or '123456', adding simple patterns (Password1!), using personal info (birthdays, names), reusing passwords across sites, writing passwords on sticky notes, sharing passwords via email/text, and not using 2FA when available.