🔐 Password Strength Checker

By ToolNimba Editorial Team · Updated 2026-06-19

Password

Your password stays in this browser. It is never sent over the network and is never stored. Avoid testing a password you actively use on a device you do not trust.

Start typing above to see an estimate of your password's strength.

This password strength checker estimates how hard a password would be to guess by working out its entropy in bits. Type a password and you will instantly see the estimated entropy, a rating from very weak to excellent, and which character classes (lowercase, uppercase, digits, symbols) you have used. Everything happens inside your browser: the password is never sent over the network and is never stored.

What is the Password Strength Checker?

Password strength is about unpredictability, not secrecy of the method. Attackers know the rules people follow, so a strong password is one that is hard to guess even when the attacker knows how it was made. The standard way to measure that unpredictability is entropy, measured in bits. Each extra bit doubles the number of possibilities an attacker must try, so a 60-bit password is not slightly harder than a 50-bit one, it is over a thousand times harder.

This tool estimates entropy with the classic formula: entropy = length × log2(pool size). The pool size is the number of distinct characters that could appear, inferred from the classes you actually use. Lowercase letters add 26 to the pool, uppercase another 26, digits add 10, and common symbols add 33, for a maximum pool of 95 printable ASCII characters. A 12-character password using all four classes has a pool of 95 and an entropy of about 79 bits, which is comfortably strong against offline cracking.

There is an important catch. This formula assumes every character is chosen at random and independently. Real human passwords are not random: "Password1!" hits all four classes and looks long, but it is a dictionary word plus a predictable suffix, so a real attacker cracks it in seconds despite a flattering bit count. Treat the entropy here as an upper bound for the structure you chose, not a guarantee. The most reliable way to actually reach a high bit count is length plus genuine randomness, for example a passphrase of several random words or output from a password manager.

When to use it

Sanity-checking a new password before you set it on an important account.
Teaching yourself or others why a longer passphrase beats a short complex password.
Comparing two candidate passwords to see which has more entropy for the same effort.
Demonstrating in a class or workshop how character variety and length change strength.

How to use the Password Strength Checker

Type or paste a password into the input field.
Use the Show button if you want to see what you typed (only you can see it).
Read the estimated entropy in bits and the strength rating shown on the bar.
Check the character-class chips to see which categories you used and which you could add.
Aim for at least 60 bits for ordinary accounts and 80 or more for important ones.

Formula & method

entropy (bits) = length × log₂(pool size). Pool sizes: lowercase 26, uppercase 26, digits 10, symbols 33. The pool is the sum of the classes that appear at least once.

Worked examples

The 8-character lowercase password "password".

Classes present: lowercase only, so pool = 26.
log2(26) = 4.700 bits per character.
entropy = 8 × 4.700 = 37.6 bits.

Result: About 37.6 bits, rated Reasonable by the formula but trivially weak in reality because it is a dictionary word.

A 12-character password mixing upper, lower and digits, like "Rk7Pq2Mz9Tb".

Classes present: lowercase + uppercase + digits, so pool = 26 + 26 + 10 = 62.
log2(62) = 5.954 bits per character.
entropy = 12 × 5.954 = 71.5 bits.

Result: About 71.5 bits, rated Strong, because the characters are random rather than a word.

A 16-character password using all four classes.

Classes present: lowercase + uppercase + digits + symbols, so pool = 95.
log2(95) = 6.570 bits per character.
entropy = 16 × 6.570 = 105.1 bits.

Result: About 105.1 bits, rated Strong, well above the threshold for high-value accounts.

Strength ratings used by this tool, keyed to estimated entropy

Rating	Entropy range	Rough meaning
Very weak	Under 28 bits	Cracked almost instantly
Weak	28 to 35 bits	Falls quickly to a basic attack
Reasonable	36 to 59 bits	Resists casual guessing, not a determined attacker
Strong	60 to 127 bits	Resists realistic offline cracking
Excellent	128 bits and up	Beyond any feasible brute-force search

Entropy by length when all four character classes are used (pool = 95)

Length	Approx. entropy	Rating
8 characters	52.6 bits	Reasonable
12 characters	78.8 bits	Strong
16 characters	105.1 bits	Strong
20 characters	131.4 bits	Excellent

Common mistakes to avoid

Trusting the bit count for a dictionary word. Entropy here assumes random characters. "Sunshine1!" scores well on length and variety but is a common word with a predictable suffix, so real attackers break it fast. Randomness matters more than the formula can see.
Adding symbols instead of length. Each extra character multiplies the search space, so length is the strongest lever. A long passphrase of random words usually beats a short password stuffed with symbols.
Reusing a strong password everywhere. A high entropy password is only as safe as the weakest site that stores it. If one site leaks, reuse exposes every account. Use a unique password per account, ideally via a password manager.
Assuming the meter approves the password as safe. This tool measures theoretical entropy for the structure you chose. It cannot know if the password has already appeared in a breach or follows a guessable pattern, so a high rating is necessary but not sufficient.

Glossary

Entropy: A measure of unpredictability in bits. Each additional bit doubles the number of guesses needed, so higher is exponentially harder to crack.
Bit: A single unit of entropy. A password with n bits has 2 to the power n equally likely possibilities under the random assumption.
Character pool: The set of distinct characters that could appear in the password, inferred from the classes used. Lowercase contributes 26, uppercase 26, digits 10, symbols 33.
Brute-force attack: Trying every possible combination of characters in order until the correct one is found. Entropy estimates how long this would take.
Passphrase: A password made of several words, valued because its length can give very high entropy while staying easier to remember.

Frequently asked questions

How strong is my password?

Type it into the checker above and it will estimate the entropy in bits and give a rating from very weak to excellent. As a guide, aim for at least 60 bits for everyday accounts and 80 or more for important ones such as email or banking.

What is password entropy?

Entropy is a measure of how unpredictable a password is, expressed in bits. It is calculated as length multiplied by the base-2 logarithm of the character pool size. Each extra bit doubles the number of guesses an attacker must make.

Is my password sent anywhere when I check it?

No. The entire calculation runs in your browser using local JavaScript. Your password is never transmitted over the network, never logged, and never stored after you leave the page.

How many bits of entropy is enough?

For ordinary online accounts, roughly 60 bits is considered strong against realistic offline cracking. For high-value accounts aim for 80 bits or more. Anything at or above 128 bits is beyond any feasible brute-force search.

Why does the checker rate a long word as weak in practice?

The entropy formula assumes characters are chosen at random. A dictionary word, name, or keyboard pattern is highly predictable, so a real attacker cracks it far faster than the bit count suggests. Use random characters or random words for a true high score.

Is a longer password or a more complex one better?

Length usually wins. Adding one character multiplies the search space by the pool size, while adding a symbol type only changes the per-character value. A long passphrase of random words is both stronger and easier to remember than a short complex string.