Loading tool

Loading tools

Password Strength Checker

8 weakness patterns, 4 attacker tiers, zxcvbn-style scoring.

Password

ScoreVery weak (0/4)

Length: 0Entropy: 0.0 bitsCharsets: none

Password text never sent. Strength analysis runs entirely in your browser.

Attacker tiers

Weakness patterns

Unlimited

Free uses per day

Browser

Runs in

What is the Password Strength Checker?

A password strength checker scores how hard your password is to crack. This one runs zxcvbn-style analysis: base entropy from character classes and length, minus penalties for dictionary words, leet substitution, sequences, repeats, dates, and common-list hits. The score maps to crack-time estimates at four real-world attacker tiers, from rate-limited login forms (100 guesses/sec) to nation-state ASIC farms (100 trillion/sec).

Most strength meters are too lenient (color-coded green for "p@ssw0rd!" because it has 4 character classes). This one models real cracking behavior: leet substitution gives almost no security, "password1" is one of the first 100 guesses, and length matters more than special characters. Everything runs in your browser. Your password never leaves the page.

How it works

Step 1

Type your password

Live scoring as you type. No submit button, no roundtrip.

Step 2

See the weaknesses

Each detected pattern explained: dictionary word, leet substitution, sequence, repeat, date, low diversity.

Step 3

See crack times

Four attacker tiers from online-throttled to offline-ASIC. Pick the one that matches your threat model.

Features

5-level scoring

Very weak / weak / fair / strong / very strong. Maps to entropy bits, not just length.

Dictionary detection

Catches common dictionary fragments (love, dragon, summer) embedded in your password.

Leet detection

Reverses 0→o, @→a, 3→e, 5→s and re-scores. P@ssw0rd is treated like password.

Sequence detection

Catches qwerty, asdfgh, 1qaz2wsx, abcdef, 12345 in any position or direction.

Date detection

Flags 4-digit years (1990-2099) and date formats. Birthdays are public information.

4-tier crack time

Online throttled, online fast, offline GPU, offline ASIC farm. Different threats, different conclusions.

Targeted suggestions

Each weakness gets a specific fix. 'Add length' if short, 'use passphrase' if dictionary, 'mix classes' if low diversity.

Browser only

Password text never sent. No API call, no server, no log. Works offline after first load.

Why this checker

Realistic, not lenient

Most checkers turn green at 8 chars + 1 digit. We score by entropy minus pattern penalties, like real crackers do. P@ssw0rd! still rates very weak.

4 attacker tiers

Same password is "10 hours" against an online form and "instantly" against a stolen hash + GPU. The threat model matters; we show all four.

Browser-only

Kaspersky's checker is fine but ships your password to their server for analysis. We don't even have a server endpoint. The math runs in your tab.

Targeted advice

Generic 'use a stronger password' is useless. We tell you exactly which pattern to fix, with examples.

Who uses it

Anyone with online accounts

Auditing the password you've been reusing for 5 years before changing it.

IT teams

Demoing why 'Company2024!' is weak to non-technical employees.

Security pros

Quick sanity-check during pen tests, training material, password policy reviews.

Students

Learning how entropy works, what dictionary attacks do, why length beats complexity.

Real use cases

You've been using 'Spring2020!' for years. Score: very weak. Cracked in under 5 minutes offline. Time to upgrade.
You're picking a master password for your password manager. Try variations until you hit very strong (4/4). For a manager, aim for 18+ random chars or a 5-word passphrase.
Your IT admin tells the company to 'add a special character' to passwords. You demo here that 'Password!' is still very weak -length and randomness matter, not arbitrary symbol requirements.
You're teaching a security class. Type 'P@55w0rd' live. Score: very weak. Tap leet detection. Class learns that substitution gives no real security.
You suspect a teammate's password is too short. Without asking for it, give them this URL. They check privately, see the score, and update on their own.
You're shopping for a wifi password. 12-char random > 8-char with symbols. Test variations to confirm.

Compared with other checkers

Feature	Molixa	Kaspersky	How Secure Is My Password	UIC
Realistic scoring (penalty-based)	Yes, 8 patterns	Lenient	Lenient	Charset only
4 attacker tiers	Yes	1 tier	1 tier	1 tier
Specific weakness explanation	Yes	Generic	Generic	Generic
Targeted suggestions	Per weakness	Generic	Generic	None
Free, no signup	Yes	Yes, ads	Yes, ads	Yes
Browser-only	Yes	Server-side	Server-side	Yes

Frequently asked questions

Is the password checker free?▾

Yes. Unlimited use, no signup, no daily cap. The whole analysis runs in your browser. Kaspersky's checker is free but ad-supported and ships your password to a server; we don't.

Is my password sent to a server?▾

No. The strength analysis is 100% browser-side. Your password text never leaves the page. We don't have an API call to send it anywhere even if we wanted to.

How is strength scored?▾

We compute base entropy from charset (lower / upper / digit / symbol) and length, then subtract penalties for weakness patterns (dictionary words, leet substitution, sequences, repeats, dates, common-list hits). Final score is 0-4 like zxcvbn, mapped to crack-time estimates at 4 attacker tiers.

What are the 4 attacker tiers?▾

Online (throttled, 100 guesses/sec, e.g. a login form with rate limiting), online (fast, 1M/sec, weak rate-limit), offline GPU (1T/sec, stolen hash + modern GPU), offline ASIC farm (100T/sec, nation-state hardware). Real-world attackers are usually tiers 2-3.

Why does 'P@ssw0rd' score weak?▾

Leet substitution (0 for o, @ for a) is reversed by every cracker in milliseconds. The underlying word 'password' is in the top-10 most-common list. Real entropy is the same as 'password' itself, which is none.

What's a passphrase?▾

Four to five unrelated random words like 'correct horse battery staple' (the famous xkcd example). Easy to remember, but the entropy comes from the word combinations, not the character set. 4 random words from a 7000-word list = ~52 bits, equivalent to ~9 random characters.

Is 12 characters enough?▾

Depends on what's at stake. For a throw-away forum: yes. For your bank: 14+ with full diversity (upper, lower, digit, symbol). For a master password: 18-20 random chars or a 5-word passphrase. Length is the single biggest factor.

Should I include digits and symbols?▾

Yes. Each character class doubles the search space per character. A 12-char lowercase password has 26^12 = 95B possibilities. Same length with all 4 classes has 95^12 = 5.4e23. That's 10 trillion times more search space.

Are common patterns really that bad?▾

Yes. Crackers try the top 10K passwords first, then dictionary attacks with leet substitution, then keyboard patterns (qwerty, 1qaz2wsx), then names + dates. If your password matches any of those patterns it's cracked in under a second offline.

Should I use a password manager?▾

Yes. 1Password, Bitwarden, KeePass generate 24-char random passwords with full character diversity. You only need to remember one strong master password. The convenience-vs-security trade-off favors managers for 99% of people.

Check your password now

8 weakness patterns, 4 attacker tiers, browser-only. Free unlimited.

Open the password checker

From the blog

Built and reviewed bySaqib Zahoor, WeboTech Studio

Last updated: May 14, 2026

The Password Strength Checker page is built, reviewed, and maintained by the Molixa team. We use the tool we ship and update the docs when the behavior changes.