How to check how strong a password really is
Most people judge a password by whether it satisfies a checklist: one capital letter, one digit, one symbol. That checklist says almost nothing about how hard the password is to crack. Real strength is about unpredictability, and you can measure it. The Password Strength Analyzer checks entropy, character variety, and estimated time to crack, and it does all of it in your browser. The password you type never leaves the page and is never sent to any server, which matters more here than for any other kind of tool.
Why most online password checkers are a bad idea
Think about what a typical "test your password" website asks you to do: type a real password, or something close to it, into a form on a site you found through a search engine. If that page sends your input to a server, even for a moment, you have handed a candidate password to an unknown party along with your IP address. Even a well-meaning site with sloppy logging can end up storing what you typed.
A checker that runs entirely locally avoids the problem. The analysis happens in JavaScript in your own browser tab; you can open the network panel in your developer tools and confirm that nothing is transmitted while you type. That is how the Password Strength Analyzer works, and it is the only honest way to build this kind of tool. If a password checker cannot make that guarantee, do not give it a real password.
Strength means entropy, not symbols
The useful measure of a password is its entropy: how many bits of unpredictability it contains, which is a way of counting how many guesses an attacker would need on average. A password drawn from a large space of equally likely possibilities has high entropy. A password that follows a common pattern has low entropy no matter how many symbols it contains. P@ssw0rd! passes every checklist and is still one of the first things any cracking tool tries, because the substitutions are as predictable as the word itself. The full arithmetic is covered in Password entropy explained; the short version is that each extra bit doubles the number of guesses required.
Length beats complexity
Entropy grows with the size of the search space, and the search space is the character set raised to the power of the length. Length is the exponent, so it wins. An 8 character password using the full 94 printable characters gives roughly 94^8 possibilities, about 52 bits. A passphrase of four common words chosen at random from a list of 7,776 gives about 51 bits from the word choice alone, and adding a fifth word takes it far past what any symbol shuffling can reach. The passphrase is also something you can actually remember. If you are choosing between a short complex string and a long simple one, choose long.
What crack-time estimates really tell you
The analyzer's "time to crack" figure is an estimate, not a promise. It assumes a particular attack: an offline attacker with your password's hash, guessing at some fixed speed, often billions of guesses per second against a fast hash. Change the assumptions and the number moves by orders of magnitude. A slow hashing algorithm like bcrypt cuts guess rates enormously; a rig of modern GPUs raises them. Treat the estimate as a way to compare passwords against each other, not as a countdown clock.
What a checker cannot see
Even a good local analyzer only sees the string in front of it. It cannot know that:
- you reuse the password on other sites, where one breach exposes all of them
- the password appears in a breach corpus or common wordlist attackers try first
- it is a keyboard pattern like
qazwsxor a date that is meaningful to you - your clever substitution,
3foreor$fors, is in every cracking ruleset
A strong entropy score on a reused password is a false comfort.
The practical checklist
The advice that actually holds up is short: use a password manager and let it generate long random passwords, prefer length over cleverness when you must memorize something, never reuse a password across sites, and turn on a second factor wherever it is offered. Then use the Password Strength Analyzer to sanity check anything you created yourself, knowing it stays on your machine. For the math behind the score, see Password entropy explained.