Password Strength Checker

Estimated entropy and crack time for any password.

Nothing you type is sent to the server — this runs entirely in your browser.

Entropy
Offline attack time
Rating

    What makes a password strong

    Strength is measured in bits of entropy — roughly, how many guesses an attacker needs to brute-force the password. Each extra bit doubles the guesses. Anything under 40 bits is weak; 60+ is safe against offline attacks; 80+ is overkill for most purposes.

    Length beats complexity. 'correct horse battery staple' (four random common words) has more entropy and is easier to remember than 'P@ssw0rd!'. The latter hits every 'mix in symbols' rule but is in every cracker dictionary. Better: use a password manager to generate unique 20-character random strings for every account. You only have to remember the manager's master password.
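
    The estimate described above, as an added example (not this page's own checker code): a character-pool entropy figure, a dictionary check that undoes common substitutions, and the word-count formula for random passphrases. The wordlist is a constructed sample, and `DICT_GUESSES`, `GUESSES_PER_SEC`, the "fair" label for 40 to 60 bits and all function names are assumptions.

```javascript
// Constructed sample wordlist; real cracking dictionaries hold millions of entries.
const COMMON = new Set(["password", "letmein", "qwerty", "dragon", "welcome"]);
// Assumptions for illustration, not values from the page:
const DICT_GUESSES = 1e9;     // guesses needed to cover wordlist x mangling rules
const GUESSES_PER_SEC = 1e10; // offline guessing rate against a fast hash
const LEET = { "@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i" };

// Undo the "add numbers and punctuation to common words" pattern:
// drop trailing non-letters, then reverse common character substitutions.
function normalize(pw) {
  return pw.toLowerCase().replace(/[^a-z]+$/, "").replace(/[@40135$!]/g, c => LEET[c]);
}

// "On paper" entropy: length x log2(pool). Valid only for uniformly random characters.
function charsetBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33; // ASCII punctuation plus space
  return pool ? pw.length * Math.log2(pool) : 0;
}

// Entropy of N words drawn at random from a list, e.g. 7776 for Diceware.
function passphraseBits(wordCount, listSize) {
  return wordCount * Math.log2(listSize);
}

// Thresholds from the text above: under 40 weak, 60+ safe, 80+ overkill.
function rate(bits) {
  if (bits < 40) return "weak";
  if (bits < 60) return "fair";
  return bits < 80 ? "strong" : "overkill";
}

function estimate(pw) {
  const paper = charsetBits(pw);
  const inDict = COMMON.has(normalize(pw));
  // A dictionary hit caps the effective entropy at the dictionary attack's cost.
  const bits = inDict ? Math.min(paper, Math.log2(DICT_GUESSES)) : paper;
  // On average an attacker searches half the space before hitting the password.
  const seconds = Math.pow(2, bits) / 2 / GUESSES_PER_SEC;
  return { paper, bits, inDict, rating: rate(bits), seconds };
}
```

    `charsetBits` overstates the strength of anything a person chose, so for word-based passphrases use `passphraseBits` with the real list size instead.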

    Frequently asked questions

    How is password strength measured?
    Entropy in bits. Each additional bit doubles the number of guesses required. A password with 40 bits of entropy takes about a trillion attempts to brute-force. Below 30 bits is weak; 60+ is strong; 80+ is overkill for most consumer purposes. Entropy depends on length and character set variety.
    Is 'P@ssw0rd!' a strong password?
    No. It has decent entropy on paper but is in every password-cracking dictionary: the 'add numbers and punctuation to common words' pattern is the first thing attackers try. True randomness matters more than character-set mix. A 6-word random passphrase (using diceware or similar) easily beats it.
    What actually breaks passwords?
    Three attacks, in rough order: (1) credential stuffing — attackers reuse leaked passwords on other sites, which is why never-reused passwords matter more than strong ones; (2) phishing — tricking you into typing it somewhere; (3) brute force — only relevant for weak passwords or offline attacks on stolen hashes. A password manager plus 2FA defeats 1 and 2.
    Should I use a password manager?
    Yes, unambiguously. Free ones (Bitwarden, KeePass) are excellent. A password manager lets you use unique 20-character random passwords everywhere without having to remember any of them. Combined with hardware 2FA (YubiKey) or TOTP (Authy/Google Authenticator), this defeats >99% of real-world attacks.