Password Strength Checker: How to Test Any Password (and Actually Understand the Score)

Published April 24, 2026 · SnapUtils Password Security

Most people use a password strength checker the wrong way: they type in a password, see a green bar or a "Strong" badge, and move on. That bar is not measuring what you think it is. The difference between a checker that tells you the truth and one that flatters you is the difference between an account that holds and one that gets cracked in an afternoon.

This guide focuses on what good password strength testing actually measures — zxcvbn scoring, entropy bits, crack time at multiple attack speeds, and the specific weakness patterns that checkers flag. If you already know you should use a strong password, this article tells you how to verify that yours actually is one.

Check Your Password Strength Now

The SnapUtils Password Strength Checker uses real-time zxcvbn analysis — the same library used by security teams at Dropbox and 1Password. Enter any password and get instant entropy, crack time at 4 speeds, and specific weakness callouts. Nothing leaves your browser.

Open Password Strength Checker →

Why Testing Password Strength Matters

The problem with most passwords is not that their owners are careless — it is that humans are systematically bad at generating randomness. When you invent a password, you draw from a much smaller pool than you think. You pick words you know, apply substitutions you have seen before, and append patterns you have used elsewhere. The result looks complex but is far more predictable than it appears.

A password strength test exists to catch this gap. It checks your password not against what it looks like to you, but against what an attacker with access to modern cracking tools sees. That context is entirely different. What feels creative to a human — S3cur!tyR0cks2026 — is a textbook example of dictionary-word-plus-substitutions-plus-year, the kind of pattern that Hashcat's rule engine cracks in minutes.

Testing also matters at scale. Security audits, IT teams provisioning accounts, and developers building authentication systems all need to check password quality systematically. The right tool gives objective scores, not subjective bars.

How Password Strength Checkers Actually Work

There are two generations of password strength checkers, and they work very differently.

The Old Approach: Pattern Matching Rules

The original generation of checkers checked boxes: does it contain a number? A capital letter? A symbol? Does it exceed eight characters? Each yes added points. This approach is why passwords like Password1! were rated "Strong" for years. They checked all the boxes while being trivially crackable — the word "password" with a capital, a number, and an exclamation mark is in every cracking wordlist.

Rule-based checkers do not model how attackers think. They award points for traits that are correlated with strength in random passwords but that humans exploit in predictable ways. They produce false confidence.

The Modern Approach: Pattern Estimation (zxcvbn)

The modern standard, introduced by Dropbox engineer Dan Wheeler and published as the open-source library zxcvbn, works by modeling how a cracker would approach the password. It does not check for the presence of character types — it tries to decompose the password into the most efficient combination of known patterns, wordlists, and keyboard sequences, then calculates how long exhaustive cracking would take given those patterns.

zxcvbn checks against:

When a password matches a known pattern, zxcvbn uses the entropy of the smallest-possible cracking path — not the theoretical maximum entropy — to score it. This is the correct approach: it models an attacker's perspective rather than the password's raw character count.

The zxcvbn Score: What 0–4 Actually Means

zxcvbn produces a score from 0 to 4. Here is exactly what each level means — including the estimated crack time threshold that triggers each score:

0
Too Weak
Cracks in under 1 second in any attack scenario. The password is in a common list, is a keyboard walk, a repeat, or is otherwise trivially guessable. Examples: password, 123456, qwerty, aaaaaa.
1
Weak
Cracks in seconds to a few hours under offline fast attack (billions of guesses/sec). Usually a common word with basic transformation — P@ssword!, Summer2025, abc123!. Satisfies most complexity requirements but is not safe.
2
Fair
Resists fast online attacks (cracks in days to months offline at slow hash speeds). Borderline acceptable for low-value accounts; not acceptable for anything important. Often a less-common word combination or a longer string with some structure.
3
Strong
Cracks in years to centuries at realistic offline speeds. Safe for general use with a password manager. Typically 12+ characters with genuine randomness or a 4-word passphrase with random word selection.
4
Very Strong
Cracks in centuries or longer at maximum attack speed. Appropriate for high-value accounts (email, banking, password manager master password). Typically 16+ random characters or a 6-word Diceware passphrase.

The critical insight: zxcvbn scores are conservative. A score of 2 is not "pretty good" — it means your password can be cracked offline under realistic conditions. Only scores of 3 and 4 are genuinely safe. Most well-intentioned human-chosen passwords land at 1 or 2.

Entropy in Bits: Reading the Number Correctly

Alongside the 0–4 score, good strength checkers display entropy in bits. This is a more precise measure: each bit represents a factor-of-2 increase in the number of guesses required. A 10-bit password requires up to 1,024 guesses. A 40-bit password requires up to 1 trillion guesses. A 60-bit password requires up to 1 quintillion guesses.

The key is that zxcvbn calculates effective entropy — how many bits of entropy the password provides given its actual crackability. A password like monkey123 might have 56 theoretical bits from its character pool, but its effective entropy under zxcvbn is roughly 8–12 bits because it is a known word plus a common numeric suffix.

Effective EntropyWhat It Meanszxcvbn Score
Under 28 bitsCracks instantly or in seconds0–1
28–35 bitsCracks in minutes to hours (offline)1–2
36–59 bitsCracks in days to months (slow hash)2–3
60–79 bitsCracks in decades to centuries3–4
80+ bitsComputationally infeasible4

When you run a password through a strength checker, the entropy number tells you the size of the search space an attacker must exhaust. The zxcvbn score tells you where that sits relative to practical attack thresholds. Both together give you the complete picture.

Crack Time Estimates: Four Attack Speeds Explained

A meaningful password strength checker reports crack time at multiple attack speeds, because the same password faces very different timelines depending on how the attacker is operating. The four standard attack scenarios are:

Attack ScenarioSpeedWhen This Applies
Online throttled~100 guesses/hourWeb login with rate limiting and lockouts — the most common scenario for consumer accounts
Online unthrottled~10 guesses/secondPoorly secured web login without rate limiting, or credential stuffing against misconfigured APIs
Offline slow hash~10,000 guesses/secondAttacker has a breached database using bcrypt, scrypt, or Argon2 — modern password hashing algorithms designed to be computationally expensive
Offline fast hash~10 billion guesses/secondAttacker has a breached database using MD5 or SHA-1 — fast hash algorithms, common in older and smaller services

The offline fast hash scenario is the one that should drive your strength decisions. Many breached databases use MD5 or SHA-1 — they are fast hash functions designed for performance, not security. When a service is breached, the attacker runs GPU cracking hardware against these hashes at tens of billions of attempts per second. If your password can be cracked in that scenario within any reasonable timeframe, it is not safe.

A password that takes 3 seconds to crack at offline-fast is not a password. A password that takes 10 years to crack at offline-slow but 2 days at offline-fast is also not safe — you have to pass the fast-hash test, not just the slow one. The SnapUtils checker reports all four thresholds so you can evaluate the worst-case scenario, not just the best case.

Common Weakness Callouts and How to Fix Them

When zxcvbn identifies structural weaknesses, a good checker surfaces them explicitly. Here are the most common callouts and what they mean in practice:

"Found in common password list"

The password or a close variant appears in a breach database or known-password compilation. This is an immediate disqualifier regardless of what the password looks like. Replace it entirely — do not modify it, because variants of known passwords are among the first things cracking rules generate.

"Dictionary word detected"

The password contains a natural-language word. Depending on context, this may or may not be a problem: a single dictionary word is catastrophic, while a six-word passphrase with random word selection is excellent. The callout matters most when the password is short (under 20 characters) and contains only one or two words with added symbols.

"Keyboard pattern detected"

Sequences that follow physical keyboard positions — qwerty, asdf, zxcv, diagonal walks like 1qaz or 2wsx, and full row traversals — are in every cracking wordlist. These patterns feel distinctive when typed but are completely catalogued.

"Repeated characters or sequences"

Strings like aaaaaa, ababab, 123123, or !!!!!!! dramatically reduce entropy. The checker identifies these and subtracts the corresponding bits. A long string of repeated characters can score 0 regardless of its apparent length.

"Date pattern detected"

Birthdates, anniversaries, and recent years embedded in a password — whether in DDMMYYYY, MMDDYY, or any other common date format — are identified and penalized. Dates are often personally meaningful, which means attackers targeting a specific individual try them first. Even in generic cracking attacks, date ranges are a small, fast-to-exhaust search space.

"Common substitutions applied"

Replacing a with @, e with 3, i with ! or 1, o with 0, or s with $ provides essentially no protection. These substitutions are applied automatically by cracking tools as transformation rules on every dictionary entry. P@$$w0rd is not a stronger version of Password — it is Password with documented transformations that cost an attacker milliseconds.

Passphrases vs. Random Strings: Which Tests Better?

One of the most useful applications of a strength checker is comparing generation strategies. The answer often surprises people: a short random string and a long passphrase can have similar effective entropy, but one is far easier to memorize.

Password TypeExampleEffective Entropyzxcvbn Score
8 random chars (all types)kR#9mLzP~52 bits3
12 random chars (all types)xK$7vBn!qZ2m~78 bits4
16 random chars (all types)pW4#rX8!mK2@vLqN~104 bits4
4-word passphraselamp river stone fold~51 bits3
6-word passphraselamp river stone fold crown dusk~77 bits4
Human-chosen "complex"S3cur!tyR0cks2026!~22 bits effective1–2

The last row is the one that matters most. A human-chosen password that feels sophisticated — mixed case, numbers, symbols, a year — scores 1 or 2 because zxcvbn correctly identifies it as a dictionary word plus predictable transformations plus a year suffix. It is far weaker than it looks.

The practical conclusion: for passwords you need to memorize, a 6-word Diceware passphrase with random word selection tests at score 4 and is memorable. For passwords stored in a manager, 16+ random characters is the gold standard. A password generator with passphrase mode handles both.

Test Your Current Passwords

Run your existing passwords through the SnapUtils checker before trusting them to protect anything important. Real-time zxcvbn scoring, entropy display, and crack time across all four attack scenarios — 100% client-side, nothing transmitted.

Check Password Strength →

Using the SnapUtils Password Strength Checker

The SnapUtils Password Strength Checker is built around the zxcvbn library and adds several layers on top of the raw score. Here is what each section of the tool shows:

Real-Time zxcvbn Scoring

The score (0–4) and strength label update on every keystroke. The tool does not wait for you to finish typing — the feedback is immediate. This lets you observe how adding characters, changing structure, or switching from a word-based to a random approach changes the score in real time.

Entropy Display

Effective entropy in bits, alongside the theoretical maximum entropy for the same character set. The gap between these two numbers tells you how much the checker is penalizing pattern-based structure. A 12-character password with a 40-bit effective entropy versus a 78-bit theoretical maximum means the password is behaving more like a 6-bit random string than a 12-character one — it is highly structured.

Crack Time at Four Attack Speeds

Displayed as human-readable estimates (seconds, minutes, hours, days, years, centuries) for each of the four attack scenarios described above. The offline fast hash column is the one to watch — that is the worst-case scenario after a breach of a service using unsecured hashing.

Weakness Callouts

Plain-language descriptions of what zxcvbn found: "Contains a common English word," "Keyboard pattern detected in characters 3–7," "Year pattern detected (2026)." These are actionable: they tell you specifically what to fix, not just that something is wrong. Fixing a flagged pattern and retesting shows exactly how much the change improved the score.

Improvement Suggestions

Concrete suggestions based on the specific weaknesses detected — add more random characters, use a passphrase instead of a word with substitutions, remove the year suffix, increase length. Combined with the weakness callouts, these provide a clear path to a passing score.

Built-In Generator

The checker is paired with a full password generator: adjustable length, character set toggles, passphrase mode with word count and separator options, and batch generation for creating multiple passwords at once. If your existing password tests poorly, you can generate a replacement directly and test it before using it. The standalone Password Generator is also available for dedicated generation workflows.

Privacy: 100% Client-Side

No passwords leave your browser. The zxcvbn analysis runs entirely in JavaScript on your device. There is no server-side processing, no logging, and no data transmission. You can run the tool while disconnected from the internet and it works identically. This is the only acceptable model for a password checker — any tool that submits passwords to a server should not be trusted.

Related tools: Once you know a password needs replacing, use the SnapUtils Password Generator to create a cryptographically strong replacement. For security-focused workflows, the Hash Generator lets you compute SHA-256 and other hashes for verification workflows. For encoding tasks, the Base64 Encoder/Decoder handles the most common encoding needs.

Frequently Asked Questions

Is it safe to enter my real password into a strength checker?

Only if the checker is 100% client-side. The SnapUtils checker runs entirely in your browser — nothing is sent to any server. If a checker submits passwords to a backend, do not use it for real passwords: you do not know what is logged. Always verify that a tool operates client-side before entering a password you actually use.

Why does my "strong" password score poorly on zxcvbn?

Because it likely contains a dictionary word, a keyboard pattern, a date, or predictable substitutions that reduce effective entropy far below the theoretical maximum. S3cur!ty2026! passes traditional complexity requirements but zxcvbn identifies it as "security" with l33t-speak substitutions plus a year. The attacker's cracking tools apply the same transformations automatically, so the effective search space is much smaller than the character count suggests.

What is the minimum entropy for a password to be considered safe?

At minimum 60 bits of effective entropy for general accounts, and 80+ bits for high-value accounts (email, password manager, banking). These thresholds correspond to zxcvbn scores of 3 and 4, respectively. Below 60 bits at offline fast hash speeds, a well-resourced attacker can crack the password within years — and years-to-decades is not the goal. At 80+ bits, you are in computationally infeasible territory for any currently known hardware.

Do password strength checkers account for salted hashing?

Not directly. The crack time estimates assume offline attack against a hashed database. Salted hashing (where a random value is added to each password before hashing) prevents precomputed rainbow table attacks, but it does not change the per-hash guessing rate. The offline-slow-hash scenario (10,000 guesses/second) models bcrypt/Argon2, which is computationally expensive by design. If a breached service used salted bcrypt, the slow-hash column is the relevant one; if they used MD5, the fast-hash column applies.

Does password length always increase the strength score?

Length increases the theoretical entropy, but zxcvbn scores effective entropy. Adding predictable characters — repeating the last character, appending !!!, adding a year — increases theoretical entropy minimally while barely moving effective entropy. Length helps most when the added characters are genuinely random or when they are additional random words in a passphrase. Adding !! to a score-2 password typically moves it to score 2 with slightly better numbers, not to score 4.

Can a passphrase really be stronger than a complex random string?

Yes — when the passphrase is long enough. A 6-word passphrase with randomly selected words from a 7,776-word list has approximately 77.5 bits of effective entropy, comparable to a 12-character fully-random string. The advantage of a passphrase is memorability: you can store your password manager's master password in your head without writing it down. For everything else stored in the manager, a 16+ character random string is ideal because memorability is irrelevant — the manager handles it.

What makes a password strength test better than a simple bar?

Specificity and accuracy. A color bar awards points for character types without modeling attacker behavior. A proper strength test using zxcvbn decomposes the password into its most crackable components and scores based on the actual search space an attacker faces. The difference is measurable: bar-based checkers consistently rate human-chosen passwords too high, while zxcvbn reliably identifies the structural weaknesses that make passwords crackable despite their apparent complexity.

Related Articles and Tools

🔐

All password analysis runs entirely in your browser. No passwords are transmitted to any server. The zxcvbn library and all calculations execute locally. Crack time estimates are approximations based on known hardware benchmarks and may not reflect future advances. Use a dedicated password manager for credential storage.