How this password strength test works
The checker estimates entropy — the number of guesses an attacker would
need — from your password's length and character variety, then subtracts penalties for the
patterns cracking tools try first: common passwords, dictionary words with digits bolted
on, keyboard walks like qwerty, repeated characters, sequences like 1234, and year endings like 2026. The result is translated into
crack-time estimates for two realistic attack scenarios.
A score of Strong or better means the password would survive an offline attack against a stolen password database — the worst-case scenario, and the one that actually happens in big breaches.
Weak password? Fix it in 30 seconds
- Create a new one with our free password generator — 16+ random characters.
- Change it on the account (start with email and banking — email resets everything else).
- Save it in a password manager so you never have to remember it. If you reused the weak password elsewhere, change those too.
Stop memorizing passwords entirely
DroidPass stores unlimited passwords in an AES-256 encrypted vault with fingerprint unlock, includes a built-in 2FA authenticator, and works offline. Free to start.
Password strength FAQ
Is it safe to type my password into this checker?
The check runs 100% in your browser — the password is never sent, stored, or logged anywhere, and the page works even if you go offline after loading it. That said, the safest habit for your most critical passwords (banking, email) is to test a similar-shaped password rather than the real one.
What does the crack-time estimate mean?
It estimates how long a well-equipped attacker would need to guess your password. The "online attack" number assumes a rate-limited login form (about 10,000 guesses per second across a botnet); the "offline attack" number assumes the attacker stole a password database and runs about 10 billion guesses per second on GPUs. Real times vary — treat them as orders of magnitude, not promises.
Why is my password weak even though it has symbols?
Because attackers know the tricks. Cracking tools try words with @ for a, years bolted on the end, and keyboard walks before random combinations. Summer2026! falls almost immediately despite mixing cases, digits and a symbol. Length plus true randomness is what actually resists guessing.
What should I do if my password scores weak?
Generate a new random one with our free password generator (16+ characters), change it on the affected account, and store it in a password manager like DroidPass so you never need to memorize it. If you reused that weak password on other sites, change it there too.
Keep reading
Generate a strong random password →
Why you need a password manager in 2026 →
Add 2FA codes with the built-in authenticator →