RevealTheme logo

Password Strength Tester

Estimate a password's brute-force entropy from its length and the character classes it uses, and get a quick check against a short list of the most common passwords. Everything runs in your browser.

How to use this tool

  1. 1

    Type or paste a password into the input field.

  2. 2

    Read the rating (Very weak to Excellent) and the estimated entropy in bits shown below the field.

  3. 3

    Follow the specific suggestions, such as adding uppercase letters, numbers, or symbols, or increasing the length.

  4. 4

    Clear the field when you are done so the password does not stay on screen.

How does this tool estimate password strength?

This tester uses the classic brute-force entropy model: it counts how many character classes a password draws from and treats that as a single shared pool. Lowercase adds 26 to the pool, uppercase another 26, digits 10, and any non-alphanumeric symbol a flat 33. It then estimates entropy as length multiplied by log2 of the pool size, so a 12-character password using all four classes yields about 12 x log2(95), roughly 79 bits. The rating bands are entropy-based: under 36 bits is Very weak, 36 Weak, 60 Strong, 80 Very strong, and 100+ Excellent. Separately, it compares the lowercased input against a hard-coded list of ten extremely common passwords (password, 123456, qwerty, and so on) and flags an exact match. This naive model assumes every character is chosen randomly. It does not detect dictionary words, keyboard walks, l33t substitutions, dates, or repeats, so a memorable phrase like Summer2024! will score far higher here than a real attacker's cracking tools would justify. Treat the number as a rough upper bound, not a guarantee.

Common use cases

  • Quickly sanity-checking a password you just made up before using it on a new account.

  • Showing a teammate or family member why length and a symbol matter more than they expect.

  • Demonstrating in a security training session how entropy grows as you add character classes.

  • Confirming a password is not literally one of the ten most common passwords before saving it.

  • Comparing two candidate passphrases to see which character mix yields more estimated bits.

  • Teaching students the brute-force entropy formula by watching the bit count change as they type.

Frequently asked questions

Is my password sent anywhere?
No. Scoring happens entirely in your browser with JavaScript. The password is never uploaded, logged, or stored, and nothing leaves your device.
How is the entropy number calculated?
It is length multiplied by log2 of the character pool size. The pool is the sum of the classes you use: 26 for lowercase, 26 for uppercase, 10 for digits, and 33 for symbols, for a maximum of 95.
Why does my strong-looking password score low or high oddly?
The model only looks at length and character classes. It cannot see patterns, dictionary words, or substitutions, so predictable passwords are overrated and the bit count is an optimistic estimate.
Does this check against breached password databases?
No. It only compares against a hard-coded list of ten extremely common passwords. It does not query Have I Been Pwned or any breach corpus, so a unique-but-leaked password will not be flagged.
What entropy should I aim for?
These bands are this tool's own thresholds, not an official standard. As a rough guide, 60+ bits is reasonable for everyday accounts and 80+ for sensitive ones, but a long random passphrase from a password manager is better than chasing a number here.
Is the symbol pool size of 33 exact?
It is an approximation of printable ASCII punctuation. Any single non-alphanumeric character, even an accented letter or emoji, is treated as adding the same 33 to the pool regardless of how many distinct symbols you actually use.
Should I rely on this instead of a password manager?
No. Use it as a teaching aid or quick gut-check. For real security, generate long random passwords with a manager and enable two-factor authentication. For rigorous scoring, libraries like zxcvbn model patterns this tool ignores.

Related tools