Password Strength + Crack-Time Estimate
Pure-frontend entropy estimate plus crack-time predictions across 5 attacker profiles (rate-limited online APIs → GPU-cracking MD5 offline). Detects weak patterns (all-same chars, all-digits, common passwords, keyboard runs). **Passwords never leave the browser.**
How to use
- Type the password to score. Click 👁 on the right to reveal / hide.
- The strength bar and bits value update live (typical range 0-120+ bits).
- Weak-pattern warnings appear in amber for issues like all-same characters, all-digits, common sequences (`qwerty`, `123456`…) and keyboard runs.
- Below, the crack-time table shows estimates across 5 attacker profiles (online rate-limited → offline GPU MD5).
Tips
- Bits here is an extended-entropy heuristic, not real-randomness entropy — patterned passwords are intentionally under-scored. A mixed-case + digit + symbol + 12-char password easily hits 80+ bits.
- Crack time varies wildly by attacker — 60 bits is millions of years online, but only days against GPU MD5. Use bcrypt / argon2 server-side, never SHA.
- Length isn't enough: 32 `a`s is trivial to crack despite the length, because dictionary attacks try repeats first.
- vs zxcvbn: the industry gold-standard at 800KB+. Ours is the zero-dep lightweight (~1KB) for quick checks; use zxcvbn for production accuracy.
💡 The whole check runs locally in your browser, so no network request carries your password anywhere. Even inspecting the Network panel will show nothing about it.
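The charset-size entropy, pattern under-scoring and per-attacker crack times described in the tips above, as an added example that is not this tool's own source. The sample word list, the penalty rules, the three middle attacker profiles and every guess rate are assumptions chosen for illustration.

```javascript
// Added example, not the tool's source. Word list, penalties and rates are assumed.
const COMMON = new Set(["password", "123456", "qwerty", "letmein", "iloveyou"]);
const KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const RATES = { // guesses per second (assumed values)
  "online, rate-limited": 10,
  "online, unthrottled": 1e3,
  "offline, bcrypt": 1e4,
  "offline, SHA-256 on GPU": 1e10,
  "offline, MD5 on GPU": 1e12,
};

function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII symbols and space
  return n;
}

function findWeakPatterns(pw) {
  const lower = pw.toLowerCase(), found = [];
  if (/^(.)\1+$/.test(pw)) found.push("all-same");
  if (/^\d+$/.test(pw)) found.push("all-digits");
  if (COMMON.has(lower)) found.push("common");
  const run = KEY_ROWS.some(row => {
    for (let i = 0; i + 4 <= row.length; i++)
      if (lower.includes(row.slice(i, i + 4))) return true;
    return false;
  });
  if (run) found.push("keyboard-run");
  return found;
}

function estimateBits(pw) {
  if (!pw) return 0;
  const perChar = Math.log2(charsetSize(pw));
  const weak = findWeakPatterns(pw);
  // A repeat is one character choice plus one length choice, not length * perChar.
  if (weak.includes("all-same")) return perChar + Math.log2(pw.length);
  if (weak.includes("common")) return Math.log2(COMMON.size);
  const raw = pw.length * perChar;
  return weak.length ? raw / 2 : raw; // blunt penalty for the other patterns
}

// Average case: the password is found after searching half the space.
const crackSeconds = (bits, rate) => Math.pow(2, bits - 1) / rate;
const crackTable = pw =>
  Object.entries(RATES).map(([p, r]) => [p, crackSeconds(estimateBits(pw), r)]);
```

With these assumed rates a 60-bit password takes billions of years against the rate-limited online profile and under a week against GPU MD5, which is the gap that makes the server-side hash choice matter.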