Password Strength Checker

8 weakness patterns, 4 attacker tiers, zxcvbn-style scoring.

Password text never sent. Strength analysis runs entirely in your browser.
  • Attacker tiers: 4
  • Weakness patterns: 8
  • Free uses per day: Unlimited
  • Runs in: Browser

What is the Password Strength Checker?

A password strength checker scores how hard your password is to crack. This one runs zxcvbn-style analysis: base entropy from character classes and length, minus penalties for dictionary words, leet substitution, sequences, repeats, dates, and common-list hits. The score maps to crack-time estimates at four real-world attacker tiers, from rate-limited login forms (100 guesses/sec) to nation-state ASIC farms (100 trillion/sec).

Most strength meters are too lenient (color-coded green for "p@ssw0rd!" because it has 4 character classes). This one models real cracking behavior: leet substitution gives almost no security, "password1" is one of the first 100 guesses, and length matters more than special characters. Everything runs in your browser. Your password never leaves the page.

How it works

Step 1: Type your password
Live scoring as you type. No submit button, no roundtrip.

Step 2: See the weaknesses
Each detected pattern explained: dictionary word, leet substitution, sequence, repeat, date, low diversity.

Step 3: See crack times
Four attacker tiers from online-throttled to offline-ASIC. Pick the one that matches your threat model.

Features

5-level scoring
Very weak / weak / fair / strong / very strong. Maps to entropy bits, not just length.
Dictionary detection
Catches common dictionary fragments (love, dragon, summer) embedded in your password.
Leet detection
Reverses 0→o, @→a, 3→e, 5→s and re-scores. P@ssw0rd is treated like password.
Sequence detection
Catches qwerty, asdfgh, 1qaz2wsx, abcdef, 12345 in any position or direction.
Date detection
Flags 4-digit years (1990-2099) and date formats. Birthdays are public information.
4-tier crack time
Online throttled, online fast, offline GPU, offline ASIC farm. Different threats, different conclusions.
Targeted suggestions
Each weakness gets a specific fix. 'Add length' if short, 'use passphrase' if dictionary, 'mix classes' if low diversity.
Browser only
Password text never sent. No API call, no server, no log. Works offline after first load.

Why this checker

Realistic, not lenient

Most checkers turn green at 8 chars + 1 digit. We score by entropy minus pattern penalties, like real crackers do. P@ssw0rd! still rates very weak.

4 attacker tiers

Same password is "10 hours" against an online form and "instantly" against a stolen hash + GPU. The threat model matters; we show all four.

Browser-only

Kaspersky's checker is fine but ships your password to their server for analysis. We don't even have a server endpoint. The math runs in your tab.

Targeted advice

Generic 'use a stronger password' is useless. We tell you exactly which pattern to fix, with examples.

Who uses it

Anyone with online accounts
Auditing the password you've been reusing for 5 years before changing it.
IT teams
Demoing why 'Company2024!' is weak to non-technical employees.
Security pros
Quick sanity-check during pen tests, training material, password policy reviews.
Students
Learning how entropy works, what dictionary attacks do, why length beats complexity.

Real use cases

  • You've been using 'Spring2020!' for years. Score: very weak. Cracked in under 5 minutes offline. Time to upgrade.
  • You're picking a master password for your password manager. Try variations until you hit very strong (4/4). For a manager, aim for 18+ random chars or a 5-word passphrase.
  • Your IT admin tells the company to 'add a special character' to passwords. You demo here that 'Password!' is still very weak: length and randomness matter, not arbitrary symbol requirements.
  • You're teaching a security class. Type 'P@55w0rd' live. Score: very weak. Tap leet detection. Class learns that substitution gives no real security.
  • You suspect a teammate's password is too short. Without asking for it, give them this URL. They check privately, see the score, and update on their own.
  • You're shopping for a wifi password. 12-char random > 8-char with symbols. Test variations to confirm.

Compared with other checkers

Feature                           | Molixa          | Kaspersky   | How Secure Is My Password | UIC
Realistic scoring (penalty-based) | Yes, 8 patterns | Lenient     | Lenient                   | Charset only
4 attacker tiers                  | Yes             | 1 tier      | 1 tier                    | 1 tier
Specific weakness explanation     | Yes             | Generic     | Generic                   | Generic
Targeted suggestions              | Per weakness    | Generic     | Generic                   | None
Free, no signup                   | Yes             | Yes, ads    | Yes, ads                  | Yes
Browser-only                      | Yes             | Server-side | Server-side               | Yes

Frequently asked questions

Is the password checker free?

Yes. Unlimited use, no signup, no daily cap. The whole analysis runs in your browser. Kaspersky's checker is free but ad-supported and ships your password to a server; we don't.

Is my password sent to a server?

No. The strength analysis is 100% browser-side. Your password text never leaves the page. We don't have an API call to send it anywhere even if we wanted to.

How is strength scored?

We compute base entropy from charset (lower / upper / digit / symbol) and length, then subtract penalties for weakness patterns (dictionary words, leet substitution, sequences, repeats, dates, common-list hits). Final score is 0-4 like zxcvbn, mapped to crack-time estimates at 4 attacker tiers.

What are the 4 attacker tiers?

Online (throttled, 100 guesses/sec, e.g. a login form with rate limiting), online (fast, 1M/sec, weak rate-limit), offline GPU (1T/sec, stolen hash + modern GPU), offline ASIC farm (100T/sec, nation-state hardware). Real-world attackers are usually tiers 2-3.
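
An added example (not the tool's own code) of the penalty-based scoring and four-tier crack-time estimate described in the two answers above. The leet map and guess rates are the page's; the word list, penalty sizes in bits, score thresholds and the `analyze` function are assumptions made for illustration.

```javascript
// Added example. Leet map and tier rates are from the page; word lists, penalty
// sizes and score thresholds below are assumptions made for illustration.
const LEET = { '0': 'o', '@': 'a', '3': 'e', '5': 's' };
const TIERS = { 'online throttled': 1e2, 'online fast': 1e6,
                'offline GPU': 1e12, 'offline ASIC farm': 1e14 }; // guesses/sec
const WORDS = ['password', 'qwerty', 'love', 'dragon', 'summer', 'spring']; // constructed sample
const SEQS = ['qwertyuiop', 'asdfghjkl', '1qaz2wsx', 'abcdefghijklmnopqrstuvwxyz', '0123456789'];
const WORD_BITS = 10, PATTERN_PENALTY = 8;      // assumed costs, in bits
const THRESHOLDS = [36, 50, 65, 80];            // assumed bits needed for scores 1..4

const unleet = (pw) => pw.toLowerCase().replace(/[0@35]/g, (c) => LEET[c]);

function baseEntropy(pw) {                      // length * log2(charset size)
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  return pool ? pw.length * Math.log2(pool) : 0;
}

// True if any 4-character run of a known sequence appears, forward or reversed.
const hasSequence = (s) => SEQS.some((q) => [q, [...q].reverse().join('')].some((d) => {
  for (let i = 0; i + 4 <= d.length; i++) if (s.includes(d.slice(i, i + 4))) return true;
  return false;
}));

function analyze(pw) {
  const lower = pw.toLowerCase(), plain = unleet(pw), weaknesses = [];
  let bits = baseEntropy(pw);
  const perChar = pw.length ? bits / pw.length : 0;
  const word = WORDS.find((w) => plain.includes(w));
  if (word) {                                   // matched chars are worth one list lookup
    bits -= word.length * perChar - WORD_BITS;
    weaknesses.push(lower.includes(word) ? 'dictionary' : 'leet');
  }
  if (hasSequence(lower)) { bits -= PATTERN_PENALTY; weaknesses.push('sequence'); }
  if (/(.)\1{2,}/.test(pw)) { bits -= PATTERN_PENALTY; weaknesses.push('repeat'); }
  if (/199\d|20\d\d/.test(pw)) { bits -= PATTERN_PENALTY; weaknesses.push('date'); }
  bits = Math.max(bits, 0);
  const score = THRESHOLDS.filter((t) => bits >= t).length;
  const crackSeconds = {};                      // average case: half the search space
  for (const [tier, rate] of Object.entries(TIERS)) crackSeconds[tier] = 2 ** bits / 2 / rate;
  return { bits, score, weaknesses, crackSeconds };
}
```

Under these assumptions `analyze('P@ssw0rd')` and `analyze('password')` land on the same effective bits, which is the point the leet answer below makes.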

Why does 'P@ssw0rd' score weak?

Leet substitution (0 for o, @ for a) is reversed by every cracker in milliseconds. The underlying word 'password' is in the top-10 most-common list. Real entropy is the same as 'password' itself, which is none.

What's a passphrase?

Four to five unrelated random words like 'correct horse battery staple' (the famous xkcd example). Easy to remember, but the entropy comes from the word combinations, not the character set. 4 random words from a 7000-word list = ~52 bits, equivalent to ~9 random characters.

Is 12 characters enough?

Depends on what's at stake. For a throw-away forum: yes. For your bank: 14+ with full diversity (upper, lower, digit, symbol). For a master password: 18-20 random chars or a 5-word passphrase. Length is the single biggest factor.

Should I include digits and symbols?

Yes. Each character class doubles the search space per character. A 12-char lowercase password has 26^12 = 95B possibilities. Same length with all 4 classes has 95^12 = 5.4e23. That's 10 trillion times more search space.

Are common patterns really that bad?

Yes. Crackers try the top 10K passwords first, then dictionary attacks with leet substitution, then keyboard patterns (qwerty, 1qaz2wsx), then names + dates. If your password matches any of those patterns it's cracked in under a second offline.

Should I use a password manager?

Yes. 1Password, Bitwarden, KeePass generate 24-char random passwords with full character diversity. You only need to remember one strong master password. The convenience-vs-security trade-off favors managers for 99% of people.

Built and reviewed by Saqib Zahoor, WeboTech Studio
Last updated:

The Password Strength Checker page is built, reviewed, and maintained by the Molixa team. We use the tool we ship and update the docs when the behavior changes.