Toolmingo
Guides6 min read

Password Strength Checker: How Strong Is Your Password?

Learn what makes a password strong, how entropy is calculated, how strength checkers score passwords, and how to implement one in JavaScript, Python, Go, and PHP.

A password strength checker tells you how hard it would be for an attacker to guess or crack your password. Understanding how these tools work helps you write better passwords — and build better checkers.

What makes a password strong?

Two things determine password strength: length and character set size. Together they determine how many possible combinations an attacker has to try.

Factor Weak Strong
Length 6–8 characters 12+ characters
Characters Only lowercase Lowercase + uppercase + digits + symbols
Pattern Dictionary word Random or passphrase
Uniqueness Reused across sites Unique per account

The single biggest improvement you can make is length. Adding four more characters beats switching from letters to symbols.

Password entropy

Entropy (measured in bits) is the standard way to quantify password strength:

entropy = log2(characterSetSize ^ length)
         = length × log2(characterSetSize)

Character set sizes for common choices:

Character set Size
Digits only (0–9) 10
Lowercase letters (a–z) 26
Lowercase + uppercase 52
Lowercase + uppercase + digits 62
All printable ASCII (including symbols) 95

Example: An 8-character lowercase password has 8 × log2(26) = 8 × 4.70 ≈ 37.6 bits. A 12-character mixed password reaches 12 × log2(95) ≈ 78.8 bits.

Rough strength thresholds:

Bits Verdict
< 28 Very weak — cracked in seconds
28–35 Weak — minutes to hours
36–59 Fair — days to months
60–127 Strong — years on modern hardware
128+ Very strong — decades+

These thresholds assume offline cracking with GPU hardware. Online attacks (rate-limited) are far slower.

How strength checkers work

A naive checker just measures entropy. A smarter one also penalises:

  1. Dictionary wordspassword, dragon, admin are tried first in any crack attempt.
  2. Common passwords — the top 10 000 leaked passwords are in every hacker's wordlist.
  3. Keyboard patternsqwerty, 123456, asdfgh are trivially guessable.
  4. Personal info — name, birth year, pet name drastically lower real-world entropy.
  5. Repeated charactersaaa, 111 compress the search space.

The most popular open-source library, zxcvbn (by Dropbox), combines all of these into a 0–4 score. It runs pattern matching against dictionaries and keyboard adjacency graphs before estimating crack time.

Simple implementation

You can build a basic scorer without a full dictionary by checking character set, length, and a short list of common patterns.

JavaScript

function checkPasswordStrength(password) {
  let score = 0;
  const checks = {
    length8:    password.length >= 8,
    length12:   password.length >= 12,
    lowercase:  /[a-z]/.test(password),
    uppercase:  /[A-Z]/.test(password),
    digit:      /\d/.test(password),
    symbol:     /[^a-zA-Z0-9]/.test(password),
  };

  score += checks.length8   ? 1 : 0;
  score += checks.length12  ? 1 : 0;
  score += checks.lowercase ? 1 : 0;
  score += checks.uppercase ? 1 : 0;
  score += checks.digit     ? 1 : 0;
  score += checks.symbol    ? 1 : 0;

  const common = ['password','123456','qwerty','admin','letmein'];
  if (common.includes(password.toLowerCase())) score = 0;

  const labels = ['Very Weak','Weak','Fair','Good','Strong','Very Strong'];
  return { score, label: labels[Math.min(score, 5)], checks };
}

console.log(checkPasswordStrength('P@ssw0rd12!'));
// { score: 6, label: 'Very Strong', checks: { ... } }

Python

import re

COMMON = {'password', '123456', 'qwerty', 'admin', 'letmein'}
LABELS = ['Very Weak', 'Weak', 'Fair', 'Good', 'Strong', 'Very Strong']

def check_password_strength(password: str) -> dict:
    checks = {
        'length8':   len(password) >= 8,
        'length12':  len(password) >= 12,
        'lowercase': bool(re.search(r'[a-z]', password)),
        'uppercase': bool(re.search(r'[A-Z]', password)),
        'digit':     bool(re.search(r'\d', password)),
        'symbol':    bool(re.search(r'[^a-zA-Z0-9]', password)),
    }
    score = sum(checks.values())
    if password.lower() in COMMON:
        score = 0
    return {'score': score, 'label': LABELS[min(score, 5)], 'checks': checks}

print(check_password_strength('P@ssw0rd12!'))
# {'score': 6, 'label': 'Very Strong', ...}

Go

import (
    "regexp"
    "strings"
)

var common = map[string]bool{
    "password": true, "123456": true,
    "qwerty": true, "admin": true, "letmein": true,
}
var labels = []string{"Very Weak", "Weak", "Fair", "Good", "Strong", "Very Strong"}

type Result struct {
    Score int
    Label string
}

func CheckPasswordStrength(password string) Result {
    score := 0
    if len(password) >= 8  { score++ }
    if len(password) >= 12 { score++ }
    if regexp.MustCompile(`[a-z]`).MatchString(password) { score++ }
    if regexp.MustCompile(`[A-Z]`).MatchString(password) { score++ }
    if regexp.MustCompile(`\d`).MatchString(password)    { score++ }
    if regexp.MustCompile(`[^a-zA-Z0-9]`).MatchString(password) { score++ }
    if common[strings.ToLower(password)] { score = 0 }
    if score > 5 { score = 5 }
    return Result{Score: score, Label: labels[score]}
}

PHP

function checkPasswordStrength(string $password): array {
    $common = ['password', '123456', 'qwerty', 'admin', 'letmein'];
    $labels = ['Very Weak', 'Weak', 'Fair', 'Good', 'Strong', 'Very Strong'];

    $score = 0;
    $checks = [
        'length8'   => strlen($password) >= 8,
        'length12'  => strlen($password) >= 12,
        'lowercase' => (bool) preg_match('/[a-z]/', $password),
        'uppercase' => (bool) preg_match('/[A-Z]/', $password),
        'digit'     => (bool) preg_match('/\d/', $password),
        'symbol'    => (bool) preg_match('/[^a-zA-Z0-9]/', $password),
    ];
    $score = array_sum($checks);
    if (in_array(strtolower($password), $common)) $score = 0;
    $score = min($score, 5);

    return ['score' => $score, 'label' => $labels[$score], 'checks' => $checks];
}

Entropy calculator

If you want to compute entropy rather than a rule-based score:

function entropy(password) {
  let charset = 0;
  if (/[a-z]/.test(password)) charset += 26;
  if (/[A-Z]/.test(password)) charset += 26;
  if (/\d/.test(password))    charset += 10;
  if (/[^a-zA-Z0-9]/.test(password)) charset += 33; // common symbols
  return password.length * Math.log2(charset);
}

console.log(entropy('P@ssw0rd12!').toFixed(1)); // 65.4 bits → Strong

Practical rules for strong passwords

  1. Use 12+ characters minimum — length is the highest-leverage factor.
  2. Use a passphrase — four random words (correct-horse-battery-staple) beat a short random string in both memorability and entropy.
  3. Never reuse passwords — one data breach exposes every account sharing that password.
  4. Use a password manager — lets you have unique, random, 20-character passwords everywhere without memorising them.
  5. Enable two-factor authentication (2FA) — a strong password plus 2FA is far harder to compromise than either alone.

What checkers cannot detect

Rule-based checkers cannot tell whether your password appears in a breach database. For that, use services that check against billions of known-leaked passwords — they hash your input locally so the actual password is never transmitted.

FAQ

Is a longer password always better than a complex short one? Yes, in almost all cases. correcthorsebatterystaple (25 characters, lowercase only) has ~117 bits of entropy. P@ss!1 (6 characters, all character types) has only ~37 bits.

Why does my company require I change my password every 90 days? This is outdated advice. NIST guidelines (SP 800-63B, 2017) now recommend against mandatory periodic resets — they cause users to make predictable changes (password1password2). Change passwords only when compromise is suspected.

Can a password be too long? Practically, no. Most systems accept up to 64–128 characters. Longer is always stronger. A few legacy systems cap at 8 characters — that cap itself is a security risk.

What's the difference between a password and a passphrase? A passphrase is a sequence of words used as a password. It is often longer and easier to remember while still being high-entropy if the words are chosen randomly (e.g., from a wordlist via dice rolls — "diceware").

Does special character substitution (@ for a, 3 for e) help? Slightly — attackers' tools apply common substitutions automatically (l33tspeak). A word with substitutions is still weaker than a random string of the same length. Length beats leetspeak.


Use the Password Strength Checker to test any password instantly and see exactly which criteria it passes or fails.

Related tools

Keep reading

All Toolmingotools are free & run in your browser

No sign-up, no upload, no watermark. Your files never leave your device.

Browse all tools