VPNRank.io

Password Strength Checker

Type a password below and see instantly how strong it really is: its entropy in bits, any weak patterns it contains, and how long a realistic attacker would need to crack it. Everything runs locally in your browser — the password is never transmitted, logged, or stored anywhere.

100% private: this check runs entirely in your browser. The password you type is never sent anywhere — no network request is made with it, nothing is logged, and it disappears when you leave the page. You can verify this in your browser's developer tools (Network tab).

Strength appears here as you type — nothing is submitted.

How Attackers Actually Crack Passwords

Hollywood shows a hacker guessing your dog's name at a login screen. Real password cracking looks nothing like that. The vast majority of cracked accounts fall to automated, industrial-scale attacks that never touch the login form at all — which is why the offline number in the table above is the one that should worry you.

The usual sequence starts with a data breach. A website gets compromised and its password database is stolen. Reputable sites don't store passwords in plain text — they store hashes, one-way mathematical fingerprints. But an attacker with the database can run guesses through the same hash function on their own hardware, completely offline, and compare the results. A single consumer GPU tests billions of guesses per second against fast hash functions like MD5 or SHA-1; a rig with eight of them reaches the tens of billions. That is where our 10-billion-guesses-per-second offline estimate comes from — it is an ordinary, achievable setup, not a nation-state supercomputer.

The attacker doesn't guess randomly, either. Cracking runs in escalating stages:

AttackHow it worksWhat it defeats
DictionaryTries wordlists first: leaked-password lists (millions of real passwords ranked by frequency), then dictionaries, names, dates, sports teamsAny real word, name, or previously leaked password — including everything in our top-200 list
Rule-basedApplies mangling rules to every dictionary word: capitalize the first letter, append 1 or 123 or the current year, swap a→@ and o→0"Summer2026!", "P@ssw0rd", "monkey123" — the tricks most people think make a password strong
Brute forceTries every possible combination of characters, shortest first — the attack our entropy math models directlyAnything short: all 8-character passwords, even fully random ones, fall within hours offline
Credential stuffingTakes email+password pairs from one breach and replays them at hundreds of other sites automaticallyPassword reuse — strength is irrelevant if the same password is already leaked somewhere else

Two takeaways follow directly. First, a password that looks complex but is built from a word plus predictable decoration is nearly worthless against rule-based attacks — the checker above penalizes exactly those constructions. Second, no amount of strength protects a password that's already leaked and reused, which is why our password leak checker is the natural companion to this page.

The Entropy Math, in Plain Words

Password strength is measured in bits of entropy. The idea is simple: how many yes/no questions would an attacker need to narrow down your exact password? Every added bit doubles the number of possibilities. A password with 40 bits of entropy has 2⁴⁰ — about a trillion — possible combinations; 41 bits has two trillion.

The basic formula is bits = log₂(charset size) × length. Each character drawn from a bigger pool carries more bits: lowercase-only gives about 4.7 bits per character, adding uppercase pushes it to 5.7, and the full keyboard (lowercase, uppercase, digits, symbols — 95 characters) yields about 6.6 bits per character. That's why length wins: one extra character adds a full 6.6 bits, while upgrading the character set of an existing password adds far less.

Password recipeEntropyOffline crack time (10¹⁰/sec)
8 chars, lowercase only~38 bits~21 seconds
8 chars, all classes~53 bits~7.5 days
12 chars, all classes~79 bits~1.7 million years
16 chars, all classes~105 bits~10¹⁴ years
4 random words (~25 chars)~77 bits*~500,000 years

*Passphrase entropy assumes words picked randomly from a large wordlist (~12.9 bits per word from a 7,776-word diceware list × 4 words, plus separators) — not four words you thought of yourself, which are far more predictable.

The catch — and the reason this checker doesn't just multiply two numbers — is that the formula assumes every character is chosen randomly. Humans don't do random. "abc123abc123" is 12 characters, but an attacker's software models sequences and repetition, so its real search cost is a fraction of the naive math. Our estimator therefore applies penalties: characters inside sequential runs (abc, 987), repeats (aaa), and keyboard walks (qwerty, asdfgh) mostly don't count, and anything matching our embedded top-200 common-passwords list — or a trivial variant of one — is capped near zero, because those are literally the first guesses any cracking rig makes.

How to Read Your Results

The table in the tool shows two very different attack speeds, and the gap between them is the point. The online estimate (10,000 guesses per second) models an attacker hammering a login form or API. In practice most services throttle far harder than this, lock accounts, or trigger CAPTCHAs — so even a mediocre password survives a while online. The offline estimate (10 billion guesses per second) models the serious scenario: your password's hash has been stolen in a breach and the attacker is grinding through guesses on their own GPUs with nothing slowing them down. Judge your password by the offline number.

VerdictEntropyWhat it means
Very weak< 28 bitsCracks instantly offline, and within days even through a throttled login form. Replace it today.
Weak28–35 bitsSeconds offline. Fine for a throwaway account you genuinely don't care about, nothing else.
Fair36–59 bitsSurvives online attacks but falls in hours-to-days offline. Not enough for email, banking, or anything with payment details.
Strong60–79 bitsYears-to-millennia offline. Solid for almost every account when paired with two-factor authentication.
Excellent80+ bitsBeyond realistic cracking for the foreseeable future — the standard a password manager produces by default.

Two honest caveats. Crack-time estimates assume the attacker knows nothing about you — if your password contains your pet's name or birth year, a targeted attacker's effective search space is tiny regardless of what any calculator says. And the numbers assume a fast hash; sites using slow, modern hashing (bcrypt, Argon2) cut attacker speed by factors of thousands. You can't know which a site uses, so plan for the worst case.

Length Beats Cleverness: Building Passwords That Survive

The single most effective upgrade is length made of genuinely random material. Two practical recipes work:

Random passwords from a generator. A 16–20 character string of random mixed characters lands deep in Excellent territory. You will never remember it — and you shouldn't try. Generate one with our password generator (which, like this tool, runs entirely in your browser) and store it in a password manager. This is the right answer for the 99% of logins you paste rather than type.

Random passphrases for things you must type. For the handful of secrets you enter by hand — your password manager's master password, your computer login, disk encryption — chain four or five words picked randomly from a large wordlist: plank-orbit-mango-drizzle. At roughly 13 bits per truly random word, five words clear 64 bits while remaining typeable and memorable. The critical word is "randomly": four words that occurred to you ("iloveparisinspring") follow language statistics that cracking software models very well.

Just as important as strength is uniqueness. Credential stuffing — replaying leaked email+password pairs across other sites — is arguably the top account-takeover method today, and it works because people reuse passwords. One password per account means one breach compromises one account instead of your entire digital life. Nobody manages 100+ unique strong passwords in their head; a password manager is the tool that makes the whole strategy workable, and every major one encrypts your vault with AES-256 encryption locked by your master passphrase.

Why MFA Changes the Game

Even an Excellent password can be phished, shoulder-surfed, or leaked in plain text by a careless website. Multi-factor authentication (MFA) is the safety net: an attacker who has your password still can't log in without a second proof — a code from your phone, a hardware key, or a biometric check. Microsoft and Google have both published figures showing MFA blocks the overwhelming majority of automated account-takeover attempts.

Not all second factors are equal, though. Authenticator apps (TOTP codes) are a big step up from SMS codes, which can be intercepted through SIM-swapping. Hardware security keys and passkeys are stronger still, because they cryptographically verify the site's identity and are effectively unphishable. The pragmatic priority list: enable MFA on your email account first (it's the reset key to everything else), then banking, then your password manager, preferring an authenticator app or passkey over SMS wherever the option exists.

MFA complements, not replaces, password strength: the password is still the only lock on breached databases cracked offline, where no second factor is asked for.

Strong Passwords Still Travel Over Networks

A password is only as safe as the path it travels. HTTPS protects the password itself in transit, but on an open network — airport Wi-Fi, hotel Wi-Fi, a café hotspot — the network operator and anyone else on it can still see which sites you visit, harvest metadata, and attempt downgrade or spoofing attacks against sloppy apps. A VPN closes that layer by wrapping all your traffic in its own encryption before it leaves your device; our privacy-focused VPN rankings cover the providers that do this properly, with NordVPN and ExpressVPN the most consistent performers in our tests. Several top VPN subscriptions now bundle a password manager and breach alerts, which pairs neatly with the habits on this page.

The full hygiene loop looks like this: generate unique random passwords (generator), verify anything you typed yourself here, check whether your existing passwords have already leaked (leak checker), turn on MFA, and encrypt the connection you log in over (best VPNs).

Password Strength Questions, Answered

Is it safe to type a real password into this page?

Yes — the analysis runs entirely in your browser's memory and the password is never transmitted. You can confirm it yourself: open your browser's developer tools, watch the Network tab, and type — no request fires. That said, the healthiest habit with any strength checker is to test a password of the same style and length rather than the exact one, then apply the verdict.

Why does my "complex" password score badly?

Probably because it's a dictionary word wearing a costume. "P@ssw0rd2026!" ticks every complexity checkbox — uppercase, symbol, digits — but rule-based cracking undoes capitalization, leet swaps, and appended years automatically. The checker mirrors that: it caps the score for anything that reduces to a common password once the decoration is stripped.

How accurate are the crack-time estimates?

They're order-of-magnitude estimates, not guarantees. Real speed depends on the hash the breached site used (slow hashes like bcrypt cut attacker speed thousands-fold), the attacker's hardware, and whether they know anything about you. Treat the numbers as a ranking tool: a password showing centuries is meaningfully better than one showing minutes, even if neither figure is exact.

Should I change my passwords every few months?

No — current guidance from NIST dropped forced periodic changes, because they push people toward weak incremental patterns (Summer1 → Summer2). Change a password when there's a reason: the service was breached, the password appears in a leak, you shared it, or it scores poorly here. Otherwise, a strong unique password can stay put.

Is a long passphrase really as strong as random characters?

If the words are chosen randomly from a large list, yes — five diceware-style words carry roughly the same entropy as an 11-character fully random password, and you can actually type them. Note this checker scores passphrases character-by-character, so it may modestly overrate a passphrase whose words an attacker would guess word-by-word; random word selection is what keeps the real-world math honest.

My password is strong. Do I still need to worry about breaches?

Yes. Strength protects against guessing, not against a site storing your password badly or leaking it outright. If a service is breached and passwords leak in plain text, an Excellent rating changes nothing. That's why unique passwords per site plus MFA matter, and why it's worth running important passwords through our password leak checker periodically.

A Strong Password Is Only Half the Job

On public Wi-Fi, your logins travel through networks you don't control. Pair strong passwords with an encrypted connection — see the VPNs we actually tested and ranked.

See Our Top-Rated VPNs

8 VPNs benchmarked on real hardware — see how we test.