How to Check If Your Password Is Strong (Free)

Updated 2026-06-21

To check if your password is strong, paste it into a strength meter that scores it from 0 to 4 and estimates how long it would take to crack. A truly strong password earns a 4 (Strong) rating and survives an offline fast-hash attack for centuries, not seconds. The Password Strength Meter does this live as you type — and because it runs entirely in your browser, your password is never typed into a server, stored, or uploaded.

How to test a password in seconds

1. Open the Password Strength Meter.
2. Type or paste your password into the Password field. It is scored instantly, on every keystroke.
3. Use the Show password toggle if you want to verify you entered it correctly.
4. Read the five-segment meter and the score: 0 = Very weak, 1 = Weak, 2 = Fair, 3 = Good, 4 = Strong.
5. Check the crack-time estimates and read the suggestions to fix any weaknesses.

You are not sending anything anywhere — the entire analysis happens locally, so it is safe to test the passwords you actually use.

Why length and symbols are not enough

A common myth is that a password is strong if it has a capital letter, a number, and a symbol. The meter uses the zxcvbn estimator, which thinks like a real attacker instead. It catches:

• Dictionary words, even common names and brands
• Keyboard patterns like "qwerty" or "123456"
• Leetspeak substitutions such as "P@ssw0rd"
• Dates, years, and repeated characters like "aaa" or "abcabc"

This is why P@ssw0rd1 scores poorly despite hitting every "complexity rule" — it is a known word with predictable substitutions. Meanwhile a long random phrase of plain lowercase words can score a perfect 4. The tool also shows guesses (log₁₀), an order-of-magnitude figure for how many attempts an attacker would need.

Read the crack-time estimates

The same password is dangerous in one situation and fine in another, so the meter shows four scenarios:

• Offline · fast hash — a stolen password file cracked on a fast GPU at roughly 10 billion guesses per second. This is the worst case and the number that matters most.
• Offline · slow hash — a stolen file protected by a slow algorithm like bcrypt (about 10,000 guesses per second).
• Online · no throttle — guessing against a live login with no rate limiting (around 10 per second).
• Online · throttled — guessing against a rate-limited service (about 100 per hour), the best case.

Aim for a password that holds up under the offline fast-hash column, since that reflects what happens when a company's database leaks.

Make a weak password strong

If your score is below 4, follow the on-screen suggestions. The most reliable fix is length: a passphrase of four or more unrelated words is far harder to crack than a short string of mixed symbols, and much easier to remember. Avoid anything tied to you — names, birthdays, your username — because attackers try those first. Re-type your candidate and watch the meter climb to confirm the improvement.

Ready to see how your password really holds up? Test it now with the Password Strength Meter — free, instant, and 100% private.

Try the Password Strength Meter →