Is it safe to type my real password into this tool?

Yes — the analysis runs entirely in your browser via client-side JavaScript, and nothing is transmitted to any server. You can verify this by opening DevTools Network tab while typing (zero new requests) or by disconnecting from the internet and confirming the tool still works. That said, a prudent practice is to test passwords structurally similar to your real ones rather than the exact passwords themselves. The entropy score is identical for any password with the same length and character-class composition, and using a decoy eliminates residual risk from browser extensions or keyloggers you might not know about.

Why does my 'complex' password score poorly?

Usually because it matches a detectable pattern. Common culprits: a dictionary word with leetspeak substitutions (P@ssw0rd), a name or word followed by a year (Smith1985), a capitalized word with a trailing symbol (Dragon!), or a keyboard walk (1qaz@WSX). The tool subtracts 8 bits of entropy per detected pattern because pattern-based passwords fall to rule-based cracking attacks long before brute force becomes necessary. If this happens to a password you use, it's a good signal to replace it — attackers run the same pattern-based attacks the tool simulates.

How accurate are the crack-time estimates?

They're order-of-magnitude accurate, not precise. The three scenarios (100/sec online-throttled, 10K/sec online-unthrottled, 100B/sec offline-GPU) bracket realistic attacker speeds. Real-world crack times depend on the hashing algorithm the target system uses — bcrypt with a high work factor can slow offline attacks by 1,000× or more, while unsalted MD5 can be 10× faster than our estimate. The 100B/sec offline number is a conservative figure for fast hashes on 2026 consumer GPUs. Treat a result of 'millions of years' as 'safe for now,' not as a literal prediction.

Is a 16-character passphrase really stronger than an 8-character complex password?

Yes — dramatically. Entropy is length × log2(poolSize). A 16-character lowercase-only passphrase has 16 × log2(26) ≈ 75 bits. An 8-character password with all four character classes has 8 × log2(95) ≈ 53 bits. That's a difference of 22 bits, or about 4 million times harder to crack. The intuition goes against decades of 'complexity rules' password advice, but the math is unambiguous: length contributes exponentially, complexity only multiplies the pool size. Both NIST and most modern security guidance have moved to recommending length-first password policies.

Should I use the same password across low-risk sites to save effort?

No. Password reuse is the single largest cause of credential-stuffing attacks — an attacker who compromises one site can test your username and password on every other site you use, and if even one of those is your bank or email, the consequences are severe. The fix is a password manager. It generates unique random passwords per site, stores them encrypted behind one strong master password, and autofills them on login. The effort cost drops to near zero once it's set up, and your exposure to breach propagation drops to near zero as well.

Does multi-factor authentication (MFA) make password strength irrelevant?

No, but it changes the math. With MFA enabled, an attacker needs both the password and the second factor (a TOTP code, hardware key, or push notification). A Fair-tier password behind MFA is safer than an Excellent-tier password without it, because the attacker's cost to compromise a single account jumps from 'crack the hash' to 'crack the hash AND compromise a second device.' But passwords still matter because not every system supports MFA, some MFA methods can be phished or SIM-swapped, and credential stuffing still works against systems that only enforce MFA on flagged logins. Use MFA everywhere you can. Still use strong passwords everywhere else.

How to Check Password Strength: Entropy Guide

🔒

Try it now

Password Strength Checker

→