Password Strength Checker & Generator

Analyze any password with zxcvbn scoring, entropy, and time-to-crack estimates — or generate cryptographically random ones. Both in one tool.

🔒 100% Client-Side — No passwords ever leave your browser

Frequently Asked Questions

How is password strength calculated?

Password strength is measured using the zxcvbn algorithm — the same library used by Dropbox and other security-conscious companies. It scores passwords 0–4 by estimating how many guesses an attacker would need, accounting for dictionary words, common patterns, dates, names, keyboard sequences, and l33t-speak substitutions. Pure entropy (bits) is also calculated from the number of possible guesses: entropy = log₂(guesses). Higher entropy = harder to crack.

What is a good password entropy score?

For general accounts, aim for 60+ bits of entropy (zxcvbn score 3 or higher). For sensitive accounts like banking or email, target 80+ bits (score 4). A random 16-character password using all character types achieves ~105 bits. Passphrases of 4+ random words also reach 60+ bits and are easier to remember.

What does "time to crack" mean?

Time to crack estimates how long a brute-force attack would take at different speeds. Online throttled (100 guesses/hour) represents a protected login page. Online fast (10/second) represents an unprotected API. Offline slow hash (10,000/second) represents bcrypt-hashed passwords. Offline fast hash (10 billion/second) represents weak MD5-hashed passwords. If your password can be cracked in seconds in the offline fast hash scenario, it is dangerously weak.

Is my password stored or sent anywhere?

No. Everything runs entirely in your browser using JavaScript. No passwords, inputs, or results are ever transmitted to any server. The zxcvbn analysis library runs locally in your browser, and password generation uses the Web Cryptography API's crypto.getRandomValues() — the same cryptographic randomness used by operating systems.

What is a passphrase and is it secure?

A passphrase is a sequence of random words (e.g., maple-tiger-orbit-sun) that is long, memorable, and statistically strong. Four random words from a 2,000-word list give approximately 44 bits of entropy. Six words reach ~66 bits — comparable to a 12-character random password. Passphrases are especially useful when you need something you can type or remember without a password manager.

How long should a password be?

At minimum 12 characters for general accounts; 16+ for anything sensitive. Length is the single most effective lever — each additional character multiplies possible combinations by the character set size. A 20-character random password with all character types (uppercase + lowercase + numbers + symbols ≈ 94 chars) has ~131 bits of entropy and is practically uncrackable by brute force.

What is batch password generation?

Batch mode generates multiple passwords at once (10, 25, 50, or 100) using the same settings. Results can be copied to clipboard or exported as a CSV file — useful for provisioning temporary accounts, generating test credentials, or creating a password sheet. All generation uses crypto.getRandomValues() and happens entirely in your browser.
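
The generation and entropy figures described in the answers above, as an added example that is not this tool's own code. All function and constant names are hypothetical, the rejection-sampling step is an assumption about how to avoid modulo bias with crypto.getRandomValues(), and the crack-time function assumes the attacker has to try the whole guess space.

```javascript
// Web Crypto is globalThis.crypto in browsers and current Node; older Node
// releases expose it as require('node:crypto').webcrypto.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Uniform integer in [0, n) by rejection sampling. A plain `value % n` would
// favour low indices whenever n does not divide 2^32.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  const limit = Math.floor(2 ** 32 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { webCrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Draw `count` independent items from `pool` (characters or words).
function pick(pool, count) {
  return Array.from({ length: count }, () => pool[randomIndex(pool.length)]);
}

// Entropy of `count` uniform draws from a pool: count * log2(poolSize).
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}

// The page's four attack scenarios, converted to guesses per second.
const RATES = { onlineThrottled: 100 / 3600, onlineFast: 10,
                offlineSlowHash: 1e4, offlineFastHash: 1e10 };

// Assumption: worst case, the attacker tries all 2^bits candidates.
function secondsToCrack(bits) {
  const guesses = 2 ** bits;
  return Object.fromEntries(
    Object.entries(RATES).map(([name, rate]) => [name, guesses / rate]));
}

// Constructed pools: 94 printable ASCII characters (no space) and a tiny
// stand-in word list; a real passphrase list holds thousands of words.
const PRINTABLE = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i));
const WORDS = ['maple', 'tiger', 'orbit', 'sun', 'cedar', 'lamp', 'river', 'stone'];

console.log(pick(PRINTABLE, 16).join(''), entropyBits(94, 16).toFixed(1), 'bits');
console.log(pick(WORDS, 4).join('-'), entropyBits(WORDS.length, 4), 'bits');
console.log(secondsToCrack(entropyBits(2000, 4)));
```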
