Password Strength Checker
Type or paste a password. Use the Show button to reveal it. Maximum 256 characters.
What this password strength checker does
You wouldn’t hand a stranger the only key to your house, but a weak password does almost the same thing. This password strength checker shows, in seconds, whether the password you rely on every day is actually strong or quietly waiting to fail.
Most accounts that get taken over aren’t the result of sophisticated hacks. They get cracked because the password was short, predictable, reused, or already exposed in a previous data breach. Attackers don’t guess one password at a time anymore — they run lists of millions through automated tools and walk into whichever doors open.
The widget below scores your password on four local signals that mirror how attackers actually work: length, character variety, an entropy estimate, and pattern detection. An optional fifth check looks the password up against passwords exposed in real breaches using a privacy-preserving query. Scoring runs entirely in your browser; the breach check sends only a partial hash, never the password itself, so the full password never leaves your device.
How to use it: type or paste a password into the box, choose whether to run the optional breach check, then press Check. You’ll get a score, a colour-coded verdict, a list of weaknesses to fix, and concrete next steps. Use it to vet new passwords before you set them, and to retire ones that no longer hold up.
How a password gets cracked in 2026
Most people picture password attacks as someone hunched over a keyboard trying options one at a time. The reality is industrial. When a website is breached, the attacker walks away with a database of password hashes, one-way transforms of every user’s password. They take that file offline, point a graphics card at it, and test guesses against it: dictionary lists drawn from previous breaches, rule-based mutations such as appending “1!” to every dictionary word, and plain brute force. Against a fast, unsalted hash such as MD5 or SHA-1 a single GPU tries billions of guesses per second, and precomputed rainbow tables work wherever the site skipped salting; a deliberately slow hash such as bcrypt or Argon2 cuts that rate by orders of magnitude, but it only buys time against a password that already sits in a wordlist.
If your password has appeared in any public breach, assume it is already in those lists. Length, randomness, and uniqueness are what slow this process down. The U.S. National Institute of Standards and Technology, in NIST SP 800-63B Digital Identity Guidelines, requires a minimum of 8 characters, recommends at least 15, and tells services not to impose composition rules, because a long ordinary-looking phrase is harder to crack than a short string of symbols.
How this password strength checker scores you
The widget combines four signals: length, character variety, entropy, and pattern detection. Each contributes a fixed number of points to a 0–100 score; the optional breach check adds no points but, if it hits, forces the score to zero. A verdict band is then attached:
- Below 30: Very Weak, likely guessed in seconds.
- 30–49: Weak, minutes to hours of cracking on modern hardware.
- 50–69: Fair, usable, but not for accounts you care about.
- 70–89: Strong, resistant to typical offline cracking.
- 90–100: Excellent, long and varied, with no detectable patterns.
A flag such as “Repeated characters” or “Keyboard pattern” tells you which signal lost you points, so you know what to change. A breach hit overrides everything: a long, mathematically strong password that has already appeared in a public breach is no better than “password123” because attackers tried it first.
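To make the scoring concrete, here is an added, illustrative scorer in JavaScript. It is not the widget’s own code, and this page does not publish the widget’s weights, so every point value, penalty, keyboard row, leetspeak table and the tiny stand-in wordlist below are assumptions chosen so that the verdict bands above come out sensibly. The breach result is passed in by the caller rather than fetched.

```javascript
// Illustrative scorer built on the four local signals the page describes.
// Added example, not the widget's code: all weights, penalties and lists are assumptions.

const CLASSES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/];
const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890'];
// Tiny stand-in for a cracking wordlist (constructed; real lists hold millions of entries).
const COMMON_BASES = ['password', 'qwerty', 'letmein', 'welcome', 'admin', 'iloveyou', 'monkey', 'dragon'];
// Leetspeak substitutions undone before the wordlist check, so "P@ssw0rd" is seen as "password".
const LEET = { '@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };
// Assumed penalty per flag, in points off the 0-100 score.
const PENALTY = {
  'Repeated characters': 10,
  'Keyboard pattern': 20,
  'Common word or leetspeak variant': 30,
  'Ends with a year': 20,
  'Capitalised word plus trailing punctuation': 15,
};

// Size of the alphabet an attacker must brute-force, from the classes actually present.
function charsetSize(pw) {
  const sizes = [26, 26, 10, 33]; // lower, upper, digits, printable symbols incl. space
  return CLASSES.reduce((n, re, i) => n + (re.test(pw) ? sizes[i] : 0), 0);
}

// Any four adjacent keys of a row, typed forwards or backwards (qwer, 4321, ...).
function hasKeyboardWalk(lower) {
  for (const row of KEYBOARD_ROWS) {
    for (let i = 0; i + 4 <= row.length; i++) {
      const run = row.slice(i, i + 4);
      const back = [...run].reverse().join('');
      if (lower.includes(run) || lower.includes(back)) return true;
    }
  }
  return false;
}

function detectPatterns(pw) {
  const flags = [];
  const lower = pw.toLowerCase();
  const deleet = [...lower].map((ch) => LEET[ch] ?? ch).join('');
  if (/(.)\1{2,}/.test(pw)) flags.push('Repeated characters');
  if (hasKeyboardWalk(lower)) flags.push('Keyboard pattern');
  if (COMMON_BASES.some((w) => deleet.includes(w))) flags.push('Common word or leetspeak variant');
  if (/(19|20)\d{2}[^0-9]{0,2}$/.test(pw)) flags.push('Ends with a year');
  if (/^[A-Z][a-z]{2,}\d*[!?.]$/.test(pw)) flags.push('Capitalised word plus trailing punctuation');
  return flags;
}

function band(score) {
  if (score < 30) return 'Very Weak';
  if (score < 50) return 'Weak';
  if (score < 70) return 'Fair';
  if (score < 90) return 'Strong';
  return 'Excellent';
}

// breached: result of the separate breach check, supplied by the caller.
function scorePassword(pw, breached = false) {
  const flags = detectPatterns(pw);
  const len = pw.length;
  const lengthPts = Math.min(len, 16) * 2.5;                         // up to 40
  const varietyPts = CLASSES.filter((re) => re.test(pw)).length * 5; // up to 20
  const bits = len * Math.log2(charsetSize(pw) || 1);                // naive entropy estimate
  const entropyPts = Math.min(40, bits / 2);                         // 80 bits saturates
  let score = lengthPts + varietyPts + entropyPts;
  for (const f of flags) score -= PENALTY[f];
  // A wordlist hit is tried first by every cracker, so it can never leave Very Weak.
  if (flags.includes('Common word or leetspeak variant')) score = Math.min(score, 29);
  // A breach hit overrides everything, as the text above says.
  if (breached) { flags.push('Found in a public breach'); score = 0; }
  score = Math.max(0, Math.min(100, Math.round(score)));
  return { score, band: band(score), flags, bits: Math.round(bits) };
}
```

With these weights “password123” and “P@ssw0rd1!” both land at 29 (Very Weak) because the wordlist cap fires, “Spring2026!” loses the year and capital-plus-punctuation penalties and ends at 49 (Weak), and the page’s five-word passphrase reaches 90 (Excellent) until a breach hit zeroes it. The cap and the override are the two design choices worth copying: no amount of length or variety should rescue a password that a cracker tries first.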
What to do next
- Move to a passphrase. Pick four to six unrelated words at random, such as “harbor velvet kettle moonlight rake”, rather than words that describe you. Chosen that way it is effectively random to a guesser yet far easier to remember than a string of symbols, an approach championed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
- Use a password manager. Tools such as Bitwarden, 1Password, or your browser’s built-in manager generate unique long passwords for every account so you never need to memorise them. Read more in our password manager guide.
- Turn on multi-factor authentication. A stolen password is far less useful if a second factor is required, and an authenticator app or hardware security key is stronger than SMS codes. Start with email, banking, and any account that controls other accounts.
- Replace any password that scored below 70, and any password you have reused, however it scored. Reuse is what turns one breach into ten. The Federal Trade Commission’s consumer password guidance walks through this in plain language.
- Stop rotating passwords on a schedule. Forced 90-day changes lead to predictable patterns (“Spring2026!” then “Summer2026!”). Change a password only when you have a reason: a breach, a suspicious login, or use on a shared device.
Common pitfalls
Substituting numbers for letters (“p@ssw0rd”) barely helps; cracking tools have applied that rule since the 1990s. Adding a year, a season, or a favourite team to a base word does the same. Capitalising the first letter and ending with “!” is so common that wordlists include the variation by default. The fix is not a cleverer pattern; it is more length and more randomness, which is precisely what passphrases and password managers deliver.
Another trap is treating a password manager as risky because “they have all my passwords”. A reputable manager encrypts the vault on your device with a key derived from a master password only you know; the vendor stores only ciphertext and never receives that key. The realistic alternative, reusing a handful of passwords across dozens of accounts, fails far more often. See how to choose a password manager you can trust for practical criteria.
When the breach check matters most
The breach check uses the Have I Been Pwned k-anonymity API. Your password is hashed locally with SHA-1 and only the first five hexadecimal characters of the 40-character hash are sent. The server returns the remaining 35 characters of every hash in its database that begins with that prefix, each with a count of how often it has been seen in breaches; your browser then looks for its own suffix in that list. The full hash and the original password never leave your device. If a match is found, treat the password as burned: change it everywhere it has been used and learn more about what to do after a credential leak.
Is it safe to type my real password into this checker?
Yes, as far as the tool is concerned. The widget runs entirely in your browser using JavaScript, and the full password is never sent anywhere. The optional breach check sends only the first five hexadecimal characters of a SHA-1 hash of your password, a 20-bit prefix shared by roughly one in a million of all possible inputs, so on its own it cannot identify your password. The usual caveat for any online checker applies: you are trusting the page’s script, so if you would rather not paste a live credential, test a password built the same way instead.
What does k-anonymity mean for the breach check?
K-anonymity here means that, from the server’s side, your password’s hash is indistinguishable from every other hash that shares the same five-character prefix, typically several hundred of them. The Have I Been Pwned server returns the entire group, and your browser does the matching locally, so the server learns only which group you asked about, never which entry was yours or whether any entry matched at all.
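As an added example covering both the description under “When the breach check matters most” and this answer, here is the exchange in JavaScript (not the widget’s own code): hash locally, send the five-character prefix, match the returned suffixes on the client. SHA-1 is written out so the block runs in Node or a browser without platform APIs (a browser widget would use crypto.subtle.digest('SHA-1', ...) instead). The endpoint URL and the Add-Padding header are Have I Been Pwned’s published interface; SAMPLE_RANGES and its counts are constructed for the demo and are not real data.

```javascript
// Added example of the k-anonymity breach check. SHA-1 is used only because the
// Have I Been Pwned range API is defined over SHA-1; it is not a password-storage choice.

function sha1Hex(str) {
  const bytes = new TextEncoder().encode(str);
  const ml = bytes.length;
  // Pad: 0x80, zeros, then the 64-bit big-endian bit length, to a multiple of 64 bytes.
  const totalLen = Math.ceil((ml + 9) / 64) * 64;
  const msg = new Uint8Array(totalLen);
  msg.set(bytes);
  msg[ml] = 0x80;
  const view = new DataView(msg.buffer);
  const bitLen = ml * 8;
  view.setUint32(totalLen - 8, Math.floor(bitLen / 0x100000000), false);
  view.setUint32(totalLen - 4, bitLen >>> 0, false);
  let h0 = 0x67452301, h1 = 0xEFCDAB89, h2 = 0x98BADCFE, h3 = 0x10325476, h4 = 0xC3D2E1F0;
  const w = new Uint32Array(80);
  const rotl = (x, n) => ((x << n) | (x >>> (32 - n))) >>> 0;
  for (let off = 0; off < totalLen; off += 64) {
    for (let i = 0; i < 16; i++) w[i] = view.getUint32(off + i * 4, false);
    for (let i = 16; i < 80; i++) w[i] = rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    let a = h0, b = h1, c = h2, d = h3, e = h4;
    for (let i = 0; i < 80; i++) {
      let f, k;
      if (i < 20)      { f = (b & c) | (~b & d);            k = 0x5A827999; }
      else if (i < 40) { f = b ^ c ^ d;                     k = 0x6ED9EBA1; }
      else if (i < 60) { f = (b & c) | (b & d) | (c & d);   k = 0x8F1BBCDC; }
      else             { f = b ^ c ^ d;                     k = 0xCA62C1D6; }
      const t = (rotl(a, 5) + (f >>> 0) + e + k + w[i]) >>> 0;
      e = d; d = c; c = rotl(b, 30); b = a; a = t;
    }
    h0 = (h0 + a) >>> 0; h1 = (h1 + b) >>> 0; h2 = (h2 + c) >>> 0;
    h3 = (h3 + d) >>> 0; h4 = (h4 + e) >>> 0;
  }
  return [h0, h1, h2, h3, h4].map((x) => x.toString(16).padStart(8, '0')).join('').toUpperCase();
}

// Only `prefix` ever goes on the wire; `suffix` stays in the browser.
function splitForKAnonymity(password) {
  const hash = sha1Hex(password);
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// Range responses are lines of "SUFFIX:COUNT". With the Add-Padding request header the
// server mixes in dummy lines with count 0 so the response size does not reveal bucket size;
// those must be ignored, not treated as hits.
function parseRange(text) {
  const counts = new Map();
  for (const line of text.split(/\r?\n/)) {
    const [suffix, count] = line.trim().split(':');
    if (!suffix || !count) continue;
    const n = parseInt(count, 10);
    if (n > 0) counts.set(suffix.toUpperCase(), n);
  }
  return counts;
}

// Returns how many times the password was seen (0 = not in the corpus).
function matchLocally(suffix, rangeText) {
  return parseRange(rangeText).get(suffix.toUpperCase()) ?? 0;
}

// Live version against the real API (not exercised offline).
async function checkBreach(password, fetchImpl = globalThis.fetch) {
  const { prefix, suffix } = splitForKAnonymity(password);
  const res = await fetchImpl(`https://api.pwnedpasswords.com/range/${prefix}`, {
    headers: { 'Add-Padding': 'true' },
  });
  if (!res.ok) throw new Error(`range query failed: ${res.status}`);
  return matchLocally(suffix, await res.text());
}

// Constructed stand-in for the server, keyed by prefix. The first line of the 5BAA6 bucket
// is the genuine suffix of SHA-1("password"); the other suffixes and every count are invented.
const SAMPLE_RANGES = {
  '5BAA6': [
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234',
    '0123456789ABCDEF0123456789ABCDEF012:2',
    'FEDCBA9876543210FEDCBA9876543210FED:0',
  ].join('\r\n'),
};

// Offline demo of the full round trip using the constructed buckets.
function demo(password) {
  const { prefix, suffix } = splitForKAnonymity(password);
  return { prefix, seen: matchLocally(suffix, SAMPLE_RANGES[prefix] ?? '') };
}
```

Running demo('password') reports prefix 5BAA6 and a hit, while a password whose prefix has no constructed bucket comes back unseen. Two details matter in a real implementation: send the Add-Padding header and drop zero-count lines, and never log or cache the full hash, since the whole point is that only the prefix exists outside the browser.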
My password scored Strong. Am I safe?
A strong score means the password resists offline cracking, but it does not protect you against phishing, credential reuse, or malware on your device. Pair every strong password with multi-factor authentication and never reuse it across accounts.
How long should a good password be?
Aim for at least 16 characters, ideally as a passphrase of four or more unrelated words chosen at random. Length matters far more than special characters because each additional random character multiplies the number of guesses an attacker has to make.
Should I change my password every few months?
Modern guidance from NIST recommends against scheduled rotation. Change a password when you suspect a breach, see suspicious activity, or learn it has appeared in a leak. Otherwise, a long unique password plus multi-factor authentication is more effective than constant rotation.
Why does the tool flag passwords that look complex?
Complexity is judged against attacker behaviour, not appearance. Strings such as “P@ssw0rd1!” look complex but are tested first by every cracking dictionary. The flag is telling you that real attackers would try this pattern within seconds.
