siutil. Password Strength Checker
processed in your browser · never uploaded
 

Nothing you type is uploaded — strength is computed entirely in your browser.

Enter a password above to check its strength.

A strength checker for when you're choosing a new password or want to know whether the one you already use is safe. Type a password and it instantly rates it on a five-step meter (very weak to very strong) and shows the estimated entropy (in bits), the length, how many distinct characters are in play (the pool size), and roughly how long it would take to crack — for both an online attack (about 1,000 guesses per second) and an offline fast-hash attack (about 10 billion guesses per second). The strength comes from how wide the search space is (based on which character types you use — uppercase, lowercase, digits, symbols, and other characters such as Japanese) multiplied by length, while sequences like abc or 123 and repeats like aaa are discounted because they're easy to guess. Very common passwords such as "password" or "123456" are flagged as crackable instantly, and weaknesses like being too short, using only one character type, or digits only come with concrete suggestions to improve. Because passwords are highly sensitive, this tool does everything entirely inside your browser (JavaScript) and never sends, stores, or logs the password you enter to any server. The times and ratings shown assume a particular attack model and are only a guide — in practice, never reusing a password and making it long enough matter most. Pair it with the Password Generator tool to create a strong new password, or the Hash Generator to compute hashes.

How to use

  1. Type or paste the password you want to test into the input box.
  2. The strength meter, entropy, length, character types and estimated crack time appear instantly.
  3. Follow the suggestions — add length and mix character types — to make it stronger. Nothing is sent anywhere.

FAQ

Is the password I enter sent or stored anywhere?

No. The check runs entirely in your browser with JavaScript, and the password you type is never sent, stored, or logged to a server. No network request is made, so you can safely test real passwords.

How is the strength (entropy in bits) calculated?

It estimates how many possibilities each character could be (from the character types used — uppercase, lowercase, digits, symbols, other) and multiplies by length to get a bit count. Sequences like abc or 123 and repeats like aaa discount the effective length because they're predictable, and common passwords are rated very low. It's a guide, not a guarantee.

What does the "time to crack" mean?

It's a rough estimate of how long, on average, a brute-force attacker would take to try the possibilities. We show two cases: an online attack on a web service (~1,000 guesses/s) and an offline fast attack on a leaked hash (~10 billion guesses/s). Real speeds vary a lot by attack method and hashing, so treat it as a reference.

What makes a password strong?

Length matters most: aim for at least 12 characters, ideally 16+, and mix uppercase, lowercase, digits and symbols. For memorability, a long passphrase of unrelated words also works well. Above all, never reuse the same password across services.

How do I create a new strong password?

Use this site's Password Generator to produce strong passwords or passphrases with cryptographically secure randomness, then paste one here to confirm its estimated bit strength.