Free password strength checker

See how strong a password really is, how many bits of entropy it carries, and how long it survives an attack. The estimate is computed on your device, so the password you type never leaves the page. Nothing is kept, and you never sign in.

Nothing you type here leaves this page. The estimate is computed on your device, and the password is never sent anywhere.

Type a password above to see its strength, its entropy in bits, and the patterns an attacker would exploit.

How the password strength checker works

Runs entirely in your browser

1

Type a password

Enter the password you want to test. It stays in the browser tab and is never sent anywhere, which is the only safe way to test a password you actually use.

2

See the estimate

Your device matches the password against dictionaries of common passwords, words, and names, then recognises leetspeak, keyboard walks, repeats, and dates, and counts the guesses needed.

3

Fix what it found

Read the crack time for each attack scenario, see which pattern gave the password away, and replace it with a random one if it does not hold up.

Private by design: nothing leaves your browser

Think about what a password strength checker asks you to do: type a password you rely on into someone else's web page. If that page scores it on a server, you have handed the password over. This one never makes a network request:

01

100% client-side

The estimate is computed on your device. The page downloads the estimator once, then scores every password offline. Your password is never part of a request and never appears in a server log.

02

Nothing stored or logged

No account, no analytics on what you type, no history. Reload the page and the password is gone from memory.

03

Open and verifiable

The estimate comes from zxcvbn, the open-source estimator built at Dropbox and used across the industry. No scoring rules we invented ourselves.

Why character-type rules mislead

  1. An attacker guesses common passwords, then words, then words with predictable substitutions, long before trying random strings.
  2. P@ssw0rd123 has four character classes and falls in seconds, because "password" plus leetspeak plus a trailing year is one of the first things a cracking tool tries.
  3. Length beats variety: six random words outlast a short password stuffed with symbols.
  4. Entropy in bits is the honest measure, because it counts guesses rather than rules satisfied.

Built for developers and security-conscious teams

Anyone who has to judge whether a password will hold. BlockSurvey applies the same respect for other people's data to research, with zero-knowledge surveys that encrypt responses on the device before they reach a server.

Developers

Decide what your signup form should accept, and see why a "one uppercase, one digit" rule passes weak passwords and blocks strong ones.

Security & IT teams

Audit a shared credential before rotation, with an entropy figure and crack times you can paste into a ticket.

Privacy-conscious users

Check a password you already use, safely, because it is scored on your own machine and never transmitted.

Building something that handles sensitive data?

BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted where they are typed, not after they arrive.

Frequently asked questions

Is this password strength checker free?

Yes, completely free with no sign-up and no limit on how many passwords you check.

Is my password sent to a server?

No. The password stays in your browser's memory and is never transmitted, logged, or stored. The first time you type, the page downloads the estimator and its dictionaries, which is the only network request it makes; your password is never part of it, and after that the checker runs offline. Open your browser's network tab and you can watch this yourself. Never type a password into a strength checker that scores it on a server, because at that moment the password has left your control.

How is the strength score calculated?

The checker estimates how many guesses an attacker needs, rather than counting character types. It matches your password against dictionaries of common passwords, English words, names, and surnames, then recognises leetspeak substitutions, keyboard walks, repeats, sequences, and dates. The score is the base-2 logarithm of the guess count, which is the password's entropy in bits.

Why does a password with symbols and numbers still score badly?

Because an attacker does not guess randomly. A password such as P@ssw0rd123 uses four character classes and looks strong to a naive calculator, but a cracking tool tries the word 'password' with common substitutions and a trailing year almost immediately. The checker reports the pattern it recognised, so you can see why the score is low.

What is password entropy, in bits?

Entropy in bits measures how many guesses stand between an attacker and your password. Each additional bit doubles that number, so a 60-bit password takes about 2^60 guesses to exhaust. Anything at or above 75 bits resists an offline attack on a stolen password database, and at or above 100 bits leaves a wide margin.

Which crack time should I pay attention to?

Look at the offline fast-hashing row if you care about a breach of a service you use, because that is what happens when a password database leaks and the site hashed poorly. The online rows apply when an attacker has to guess through a login form, which rate limiting and lockouts slow down enormously.

Can I use this offline?

Yes. Load the page once, disconnect from the internet, and the checker keeps working because the estimator runs in your browser.

What should I do if my password scores badly?

Do not patch it by adding a symbol or a digit on the end, because that is exactly what a cracking tool tries next. Generate a new random one with the secure password generator and store it in a password manager, so its length and randomness never depend on what you can remember.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.