Free password strength checker
See how strong a password really is, how many bits of entropy it carries, and how long it survives an attack. The estimate is computed on your device, so the password you type never leaves the page. Nothing is kept, and you never sign in.
Nothing you type here leaves this page. The estimate is computed on your device, and the password is never sent anywhere.
Type a password above to see its strength, its entropy in bits, and the patterns an attacker would exploit.
How the password strength checker works
Runs entirely in your browser
Type a password
Enter the password you want to test. It stays in the browser tab and is never sent anywhere, which is the only safe way to test a password you actually use.
See the estimate
Your device matches the password against dictionaries of common passwords, words, and names, then recognises leetspeak, keyboard walks, repeats, and dates, and counts the guesses needed.
Fix what it found
Read the crack time for each attack scenario, see which pattern gave the password away, and replace it with a random one if it does not hold up.
Private by design: nothing leaves your browser
Think about what a password strength checker asks you to do: type a password you rely on into someone else's web page. If that page scores it on a server, you have handed the password over. This one never makes a network request:
100% client-side
The estimate is computed on your device. The page downloads the estimator once, then scores every password offline. Your password is never part of a request and never appears in a server log.
Nothing stored or logged
No account, no analytics on what you type, no history. Reload the page and the password is gone from memory.
Open and verifiable
The estimate comes from zxcvbn, the open-source estimator built at Dropbox and used across the industry. No scoring rules we invented ourselves.
Why character-type rules mislead
- An attacker guesses common passwords, then words, then words with predictable substitutions, long before trying random strings.
- P@ssw0rd123 has four character classes and falls in seconds, because "password" plus leetspeak plus a trailing year is one of the first things a cracking tool tries.
- Length beats variety: six random words outlast a short password stuffed with symbols.
- Entropy in bits is the honest measure, because it counts guesses rather than rules satisfied.
Built for developers and security-conscious teams
Anyone who has to judge whether a password will hold. BlockSurvey applies the same respect for other people's data to research, with zero-knowledge surveys that encrypt responses on the device before they reach a server.
Developers
Decide what your signup form should accept, and see why a "one uppercase, one digit" rule passes weak passwords and blocks strong ones.
Security & IT teams
Audit a shared credential before rotation, with an entropy figure and crack times you can paste into a ticket.
Privacy-conscious users
Check a password you already use, safely, because it is scored on your own machine and never transmitted.
Building something that handles sensitive data?
BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted where they are typed, not after they arrive.