Password Strength Checker

Test how strong your password is and get instant feedback

About the Password Strength Checker

Most people believe a complex password is automatically a strong one, but cryptographers measure strength through entropy, which reflects the number of guesses needed to crack it by brute force. A 16-character lowercase phrase can outperform an 8-character mix of symbols and numbers by billions of attempts. This password strength checker scores your password on a 0–4 entropy scale and shows you exactly why each score was assigned.

Security engineers, IT administrators, and anyone setting up accounts on sensitive systems use this tool to verify that a candidate password would survive a realistic attack. The tool detects common weaknesses — keyboard sequences like "qwerty" or "12345", repeated characters, and passwords that appear in known breach lists — then estimates crack times across three distinct threat scenarios: an offline attack against a fast hash (like MD5), an offline attack against a slow hash (like bcrypt), and a rate-limited online login attempt.

How to Use the Password Strength Checker

  1. Type or paste your candidate password into the input field.
  2. Read the strength bar: it fills from red (Very Weak, score 0) through amber (Fair, score 2) to green (Very Strong, score 4).
  3. Check the three estimated crack-time rows to understand the realistic risk under each attack model.
  4. Review the feedback list for specific, actionable suggestions — add uppercase letters, a symbol, or increase length — then retype and watch the score improve.

Why Use ToolForge’s Password Strength Checker

  • Runs entirely in your browser — the password you type is never sent to any server, log, or database. The analysis is instantaneous and private.
  • Goes beyond simple rules. The scoring engine checks for keyboard walk patterns, character repetition, and a list of the most commonly used passwords, rather than just counting character types.
  • Three crack-time estimates give you a realistic threat model. A password that takes centuries to crack on bcrypt might fall in minutes against an MD5-hashed database stolen in a breach.
  • Actionable feedback tells you exactly what to change rather than just labelling a password "weak" without explanation.

Frequently Asked Questions

Does this tool store or transmit my password?

No. The entire analysis runs in your browser using JavaScript. Nothing is sent to any server. You can disconnect from the internet and the tool will still work correctly.

Why does length matter more than complexity?

Entropy grows with each additional character because the attacker must try exponentially more combinations. Adding one lowercase character to a 12-character password increases the search space by a factor of 26. Adding a single symbol only expands the charset from roughly 62 to 92 characters — far less impact than making the password longer.

What score should I aim for?

Score 3 (Strong) or 4 (Very Strong) is appropriate for anything important — banking, email, and work accounts. A score of 2 is acceptable only for low-stakes accounts where you use a unique password not reused elsewhere. Scores 0 and 1 are insecure regardless of the site.

What is the difference between offline fast hash and offline slow hash?

If a website stores passwords as MD5, SHA-1, or unsalted SHA-256 (fast hashes), an attacker with the stolen database can test billions of guesses per second on a GPU. Bcrypt, scrypt, and Argon2 are slow hashes that limit attempts to roughly 10,000 per second even on dedicated hardware. Which hash the service uses determines which crack-time estimate is relevant.
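
A minimal sketch of the naive model behind the three crack-time rows, added here as an illustration; it is not ToolForge's code. The fast-hash and online rates, the sample common-password list and the 5-character sequence window are assumptions; the slow-hash rate and the 62-to-92 charset figures come from the FAQ above.

```javascript
// Added example: naive brute-force model, search space = charsetSize ^ length.
const RATES = {                  // guesses per second
  offlineFastHash: 1e10,         // assumed value for "billions per second"
  offlineSlowHash: 1e4,          // FAQ figure: roughly 10,000 per second
  onlineRateLimited: 100 / 3600, // assumed: 100 login attempts per hour
};
const COMMON = new Set(["password", "123456", "qwerty", "letmein"]); // constructed sample
const WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789"];
const WINDOW = 5; // assumed minimum run that counts as a sequence

function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 30; // symbols take 62 to roughly 92, as in the FAQ
  return n;
}

function entropyBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(charsetSize(pw));
}

// Patterns an attacker tries first; when any is present the brute-force
// estimate below overstates the real crack time.
function findWeaknesses(pw) {
  const lower = pw.toLowerCase();
  const found = [];
  if (COMMON.has(lower)) found.push("common password");
  if (/(.)\1{2,}/.test(pw)) found.push("repeated characters");
  const walked = WALKS.some((walk) => {
    for (let i = 0; i + WINDOW <= walk.length; i++) {
      if (lower.includes(walk.slice(i, i + WINDOW))) return true;
    }
    return false;
  });
  if (walked) found.push("keyboard sequence");
  return found;
}

// Expected seconds to crack: on average half the search space is tried.
function crackSeconds(pw) {
  const guesses = Math.pow(charsetSize(pw), pw.length) / 2;
  const out = {};
  for (const [model, rate] of Object.entries(RATES)) out[model] = guesses / rate;
  return out;
}
```

Under these assumed rates, `crackSeconds("aB3!xY7#")` comes out at about three days for the fast-hash model and thousands of years for the slow-hash model, which is the gap the FAQ describes.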
