DOTFIXER

🛡️ Password Strength Checker

Test a password's entropy, strength rating, and estimated offline crack time — 100% in your browser, with nothing sent or stored. Get concrete tips to make it stronger.

🔒 Runs entirely in your browser. Your password is never sent over the network, logged, or stored — it only lives in this tab while you type. This is a general estimate, not a security guarantee.

🛡️ Strength:

Entropy
0 bits
Length
0
Alphabet size
0
Est. offline crack time

Crack time assumes a fast offline attack at 10 billion guesses/second (average case). It is a pure brute-force estimate — a real attacker cracks dictionary words and common patterns far faster, so a high score here is not a guarantee.

Why length beats complexity

Password strength grows exponentially with length. Because entropy is length × log2(alphabet), each character multiplies the number of possibilities — so a long passphrase of ordinary words can beat a short string of random symbols. Variety helps by widening the alphabet, but adding characters helps more.

This checker runs entirely in your browser and never transmits your password, so you can experiment safely. Use what you learn to build long, unique passwords, store them in a password manager, and enable two-factor authentication wherever it is offered.

❓ Frequently Asked Questions

Is my password sent anywhere?

No. These are general estimates, and the password checker runs entirely in your browser and never transmits your password — it is never sent over the network, logged, or stored anywhere. The calculation happens locally in this tab as you type, and the value is gone when you close the page. Even so, avoid pasting a password you actively use into any website.

How is password strength estimated?

It measures entropy in bits: entropy = length × log2(charset size), where the charset size is the sum of the character classes used — lowercase (26), uppercase (26), digits (10), and symbols (about 32). An 8-character all-lowercase password has 8 × log2(26) ≈ 37.6 bits; adding uppercase, digits, and symbols widens the alphabet and raises the entropy fast, but length is the biggest lever.

How is the crack time worked out?

It assumes a fast offline brute-force attack at 10 billion (10^10) guesses per second and takes the average case — half the total keyspace. Higher entropy means exponentially more combinations to try, which is why each extra character or character class dramatically increases the estimated time.

Does a 'strong' rating mean my password is safe?

Not on its own. This is a pure brute-force estimate and does not know that 'Password1' or 'Qwerty123' are common patterns a dictionary attack cracks almost instantly. Use a long, random, unique password for every account — ideally from a password manager — and turn on two-factor authentication. Treat the rating as a general estimate, not a guarantee.