Try it free: Use our Password Strength Checker to test any password instantly. 100% client-side — your password never leaves your browser.
Why Password Strength Matters
Weak passwords remain the #1 cause of data breaches. In 2025, over 80% of hacking-related breaches involved stolen or brute-forced credentials. With GPU-based cracking tools like Hashcat achieving billions of guesses per second, a weak 8-character password can be cracked in minutes.
Password strength isn't just about length — it's about entropy (randomness). A long password made of common words ("password123456") is weaker than a shorter random one ("k#9Lm!vQ2x"). Understanding how strength is calculated helps you make better security decisions.
How Password Strength Is Calculated
1. Character Set Size
The character set determines the pool of possible characters. More character types = larger pool = harder to crack.
| Character Type | Pool Size | Example |
|---|---|---|
| Lowercase only | 26 | abcdef |
| + Uppercase | 52 | AbCdEf |
| + Numbers | 62 | AbCd3f |
| + Special chars | 95 | Ab#d3! |
2. Entropy (Bits of Randomness)
Entropy is calculated as: log₂(charset_size ^ length). Each bit doubles the search space. Target minimums:
3. Pattern Detection
Raw entropy isn't enough. Good strength checkers also detect:
- ✕Dictionary words — "sunshine" has low effective entropy despite its length
- ✕Common patterns — sequential (abc, 123), keyboard walks (qwerty), repeated chars (aaa)
- ✕Leet speak — p@$$w0rd is barely stronger than "password"
- ✕Known breached passwords — passwords from data breach lists are tried first
Crack Time Estimates: How Long Would It Take?
Modern GPUs can test 10+ billion password hashes per second (MD5). For stronger algorithms like bcrypt, rates drop to ~100K/s. Here's how long different password strengths survive:
| Password | Entropy | Crack Time (MD5) | Crack Time (bcrypt) |
|---|---|---|---|
| password | ~1 bit | Instant | Instant |
| Summer2026! | ~28 bits | Seconds | Hours |
| k#9Lm!vQ2xPn | ~79 bits | Millennia | Heat death |
| correct-horse-battery-staple | ~44 bits | Years | Centuries |
Tips to Create Stronger Passwords
Use a password manager
Let tools like 1Password, Bitwarden, or KeePass generate and store truly random passwords. You only need to remember one master password.
Go long, not complex
A 20-character passphrase beats a 10-character 'complex' password. Length trumps complexity because each character multiplies the search space.
Never reuse passwords
If one service is breached, attackers try those credentials everywhere. Unique passwords for every account is non-negotiable.
Enable 2FA everywhere
Even a strong password can be phished. TOTP or hardware keys (YubiKey) add a second layer that can't be brute-forced.
Avoid personal info
Names, birthdays, pet names, and addresses are easy to guess from social media. Attackers build targeted dictionaries from your public data.
Use passphrases
Pick 4-6 random words (e.g., 'timber-clock-pebble-frost'). Easy to type, hard to crack, and you might actually remember it.
Password Strength Checker Tools Compared
Several free tools can test password strength. Here's how they compare:
| Tool | Client-Side | Entropy | Crack Time | Pattern Detection |
|---|---|---|---|---|
| Foglift | ✓ | ✓ | ✓ | ✓ |
| zxcvbn (Dropbox) | ✓ | ✓ | ✓ | ✓ |
| passwordmeter.com | ✓ | ✕ | ✕ | Partial |
| security.org | ✕ | ✕ | ✓ | ✕ |
Frequently Asked Questions
Is it safe to test my password in an online tool?
Only if the tool runs 100% client-side (in your browser). Foglift's password checker never sends your password to any server — all analysis happens in JavaScript on your device. Look for tools that explicitly state they're client-side and verify with browser dev tools.
How long should a strong password be?
At least 12-16 characters for random passwords, or 4-6 words for passphrases. Each additional character adds exponential difficulty. A 16-character random password with full character set has ~105 bits of entropy — effectively uncrackable.
What is password entropy?
Entropy measures randomness in bits. It's calculated as log₂(charset_size^length). A password with 80 bits of entropy has 2^80 possible combinations — about 1.2 × 10²⁴. At 10 billion guesses/second, that takes 38 million years to brute force.
Are passphrases better than passwords?
Yes, for most people. A 4-word Diceware passphrase (~44 bits) is easier to remember than a random 8-character password (~52 bits). For maximum security, use a password manager to generate 20+ character random strings.
Related Tools & Guides
Check your entire website's security
Our full website scan checks SSL, security headers, performance, SEO, and more — free.
Scan Your Website FreeTest Password Strength