ToolJutsu
All tools
Web Compliance Tools

Password Strength Checker

Check how strong a password really is.

100% private: your password is checked entirely inside this browser tab. It is never sent to a server, never logged and never stored — it disappears the moment you close the tab.

Enter a password above to see its strength score, estimated crack time and tailored advice. Nothing leaves your device.

Need a new one? Build a strong password with the Password Generator or a memorable one with the Passphrase Generator.
Processed on your device. We never see your files.

How to use Password Strength Checker

What this tool does

The Password Strength Checker estimates how hard a password would be for an attacker to guess. As you type, it shows a strength score from 0 to 4 on a labelled meter — Very weak through Very strong — an estimated time to crack, the specific weaknesses found, concrete suggestions for improvement, and a breakdown of the password’s length and character composition.

Crucially, the entire analysis runs inside your browser. Your password is never transmitted, never logged, and never stored. There is a show/hide toggle on the input so you can verify what you typed without exposing it to anyone nearby.

Why password strength is not just length

A long password is not automatically a strong one. “Password123!” is twelve characters and uses upper case, lower case, a digit, and a symbol, yet it is one of the most predictable passwords in existence. Attackers do not try random combinations first — they try dictionary words, known leaked passwords, names, dates, keyboard patterns, and obvious substitutions like swapping “3” for “e”. A password that follows any of those patterns falls quickly no matter how many character types it contains.

This tool uses the zxcvbn estimator, which models exactly those attacker strategies. It estimates how many guesses a realistic attack would need, then maps that to the 0-4 score. That is why a short, genuinely random string can beat a long but pattern-following phrase, and why the written feedback matters as much as the number.

How to use it

  1. Type or paste a password into the input field. The check runs automatically as you type.
  2. Use the eye icon to show or hide the characters — handy for confirming a paste without leaving the password visible on screen.
  3. Read the strength meter and its label, the estimated crack time, and the composition panel showing length and which character types are present.
  4. Act on the feedback: the warning explains the main weakness, and the suggestions tell you how to fix it.
  5. Try the sample button to see how the tool reacts to a famously weak pattern.

How to read the result

The meter and its label are the headline. A score of 0 or 1 is genuinely weak and should be replaced for any account that matters. A score of 2 is borderline. Scores of 3 and 4 are strong. The crack time gives a rough sense of scale but should not be trusted as a precise promise — a leaked or poorly-hashed password can fall far faster. The composition panel is informational: more character types help, but they never rescue a predictable password.

Privacy — read this

This is the part that matters most. Your password is analysed entirely on your own device. Nothing you type is sent over the network, saved to a server, or written to any log. The password exists only in this page’s memory while the tab is open and is erased when you close it. That local-only design is the whole point: it lets you safely test passwords you actually use. A tool that sends your password to a server — even “just to check it” — gives you no way to know what becomes of it, so never trust one that does.

When a password scores low, generate a better one with the Password Generator for a random string, or the Passphrase Generator for something long and memorable, and keep every password unique.

Frequently asked questions

Is my password sent anywhere when I check it?
No — and this is the most important thing to understand about the tool. Your password never leaves your browser. There is no server call, no API request, no upload, and no logging of any kind. The entire strength analysis is performed by JavaScript that runs on your own device, inside the tab you have open. The password lives only in the page's memory while you are looking at it, and it is discarded the instant you close or refresh the tab. Nothing is saved between visits. Because the check is fully local, it is safe to test a password you genuinely use — unlike a tool that transmits what you type to a remote service, where you would have no way to know what happens to it.
How is the strength score worked out?
The tool uses zxcvbn, a well-known open-source strength estimator. Rather than just counting character types, zxcvbn looks for the patterns attackers actually exploit: dictionary words, common passwords, names, dates, keyboard runs like 'qwerty', repeated characters, and predictable substitutions such as a zero for an 'o'. It estimates how many guesses a realistic attacker would need and maps that to a score from 0 to 4. That is why a short random string can score higher than a long but predictable phrase.
What does the estimated crack time actually mean?
It is an estimate of how long a determined attacker would take to guess the password by trying candidates offline against a slow, well-designed password hash, at roughly ten thousand guesses per second. It is a guide, not a guarantee. A fast attack on a weak hash, or a password that has already leaked in a data breach, can be broken far quicker regardless of this figure. Treat the crack time as a rough sense of scale, and treat the score and the written feedback as the more practical signals.
Should I change a password just because it scores low here?
If a password you use scores 0, 1, or 2, yes — it is worth replacing, especially for important accounts like email, banking, or anything holding payment details. A low score means the password follows a guessable pattern. The fastest fix is to generate a fresh one: use the Password Generator for a random string, or the Passphrase Generator for something long and memorable, then store it in a password manager so you never have to recall it.
Does a high score mean the password is completely safe?
A high score means the password resists guessing well, which is a big part of safety — but it is not the whole picture. A strong password is still compromised if it is reused across sites and one of them is breached, if it is phished, or if malware captures it. Use a unique password for every account, turn on two-factor authentication where you can, and never reuse a password you have entered somewhere you do not fully trust.

Related tools

Password Generator

Generate strong, configurable passwords.

Passphrase Generator

Generate memorable passphrases from a curated word list.

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes.

HMAC Generator

Generate HMAC signatures with the Web Crypto API.

UUID Generator

Generate v1 and v4 UUIDs in bulk.

Base64 Encoder & Decoder

Encode and decode Base64, with full UTF-8 support.