Password Strength Checker

Diagnosing a Password You Already Have

1. Paste or type the password into the input box. Strength analysis runs on every keystroke; there is no "analyze" button to click.
2. Read the colored strength bar. It ranges from red (Very Weak) through orange, yellow, light green, to deep green (Very Strong). The label corresponds to a numeric score, not a marketing adjective.
3. Scan the checklist underneath. Each item is a specific signal the checker found, positive or negative: "12+ characters", "Numbers only (very predictable)", "Sequential characters detected", "This is a commonly used password".
4. Watch the entropy readout. It shows Shannon entropy in bits, based on the pool size inferred from which character classes appeared in the input.
5. Fix the specific issues the checklist flags, then re-type the fixed version. Do not iterate by adding a single "!" - the tool scores "Password1!" almost identically to "Password1".

What the Scoring Actually Inspects

The checker runs four regex tests for character classes: /[a-z]/, /[A-Z]/, /\\d/, /[^a-zA-Z0-9]/. It layers length tiers at 8, 12, and 16 characters and subtracts points for sequential prefixes (012, abc, etc.), repeated-character runs (/(.)\\1{2,}/), and a blocklist of 25 breach passwords (password, 123456, qwerty, iloveyou, letmein, dragon). Entropy is length * log2(poolSize). This structural approach is faster than zxcvbn (microseconds, no 600KB wordlist) at the cost of missing patterns like "Tr0ub4dor&3". All analysis happens synchronously in the input handler; no fetch, no debounce, no server round-trip.

When You Need a Diagnostic, Not a Generator

• Auditing an inherited password policy at a new job - paste the example passwords your team shares in documentation to see which ones are objectively weak.
• Coaching a non-technical family member who keeps using their pet's name and a year, showing them live why that scores badly.
• Validating that a password you memorized years ago is still safe to keep using on low-stakes accounts, or whether to retire it to the vault.
• Testing whether a passphrase you built from memorable words (four-word Diceware style) actually reaches the strong band despite having no symbols.
• Demonstrating to a product manager why the "password must contain one special character" rule does not materially help, by showing equal-entropy examples with and without symbols.
• Checking a password generated elsewhere (a vault migration export, a colleague\'s suggestion) for obvious red flags before adopting it.

Where Structural Checkers Get It Wrong

Any local strength checker has blind spots. This one will rate correcthorsebatterystaple (the famous xkcd passphrase, roughly 44 bits of real entropy from a four-word Diceware-style selection) as merely "fair" because it is lowercase-only and has no symbols, even though it resists offline cracking better than P@ssw0rd! which the tool correctly flags as weak. Leet-speak substitutions that fool regexes pass the variety tests but are trivially expanded by hashcat\'s rule engine. The checker also cannot know your password has already leaked; the Have I Been Pwned (HIBP) range API would need a network call. If your password is on the HIBP list, it is weak regardless of structure - the RockYou 2012 leak alone contains 32 million real passwords that hashcat can test against a stolen hash at hundreds of millions of attempts per second. Unicode homoglyphs, keyboard walks (qwertyuiop), and theme-based patterns (ilovemoney2024) are scored only weakly negative. The tool is a screen, not a proof.

What "Strong" Actually Means in Bits

The strength bar maps to Shannon entropy thresholds from NIST SP 800-63B guidance. Below 28 bits is trivially crackable (seconds on a single GPU), 28-45 is weak (minutes to hours), 45-60 fair (days to weeks), 60-80 strong (years for a well-funded attacker), 80+ very strong. These assume slow hashing (bcrypt, Argon2); with unsalted SHA-1 like LinkedIn 2012, every band shifts down 15-20 bits because GPUs test billions of hashes per second. The HIBP database (14+ billion compromised credentials) is the backstop: 80 bits of entropy that happens to appear in HIBP has zero effective entropy against an attacker who has the wordlist.

How This Compares to zxcvbn and Have I Been Pwned

zxcvbn, Dropbox\'s strength estimator, is the gold standard for structural checking. It tokenizes the password, looks up tokens in dictionaries, models L33t substitutions, detects keyboard patterns, and estimates guesses-to-crack. It is more accurate but ships a 700KB bundle. Haveibeenpwned.com\'s range API is the complementary check: send the first 5 hex chars of your password\'s SHA-1, receive matching full hashes, check locally. Together zxcvbn plus HIBP range query is the strongest combo in 2026. This tool is the lightweight middle ground: no network, no wordlist download, instant feedback, catches the obvious problems. For a site login form, pair it with server-side HIBP; for teaching why a password is bad, this is usually enough.