A password strength checker tells you how hard it would be for an attacker to guess or crack your password. Understanding how these tools work helps you write better passwords — and build better checkers.
What makes a password strong?
Two things determine password strength: length and character set size. Together they determine how many possible combinations an attacker has to try.
| Factor | Weak | Strong |
|---|---|---|
| Length | 6–8 characters | 12+ characters |
| Characters | Only lowercase | Lowercase + uppercase + digits + symbols |
| Pattern | Dictionary word | Random or passphrase |
| Uniqueness | Reused across sites | Unique per account |
The single biggest improvement you can make is length. Adding four more characters beats switching from letters to symbols.
Password entropy
Entropy (measured in bits) is the standard way to quantify password strength:
entropy = log2(characterSetSize ^ length)
= length × log2(characterSetSize)
Character set sizes for common choices:
| Character set | Size |
|---|---|
| Digits only (0–9) | 10 |
| Lowercase letters (a–z) | 26 |
| Lowercase + uppercase | 52 |
| Lowercase + uppercase + digits | 62 |
| All printable ASCII (including symbols) | 95 |
Example: An 8-character lowercase password has 8 × log2(26) = 8 × 4.70 ≈ 37.6 bits. A 12-character mixed password reaches 12 × log2(95) ≈ 78.8 bits.
Rough strength thresholds:
| Bits | Verdict |
|---|---|
| < 28 | Very weak — cracked in seconds |
| 28–35 | Weak — minutes to hours |
| 36–59 | Fair — days to months |
| 60–127 | Strong — years on modern hardware |
| 128+ | Very strong — decades+ |
These thresholds assume offline cracking with GPU hardware. Online attacks (rate-limited) are far slower.
How strength checkers work
A naive checker just measures entropy. A smarter one also penalises:
- Dictionary words —
password,dragon,adminare tried first in any crack attempt. - Common passwords — the top 10 000 leaked passwords are in every hacker's wordlist.
- Keyboard patterns —
qwerty,123456,asdfghare trivially guessable. - Personal info — name, birth year, pet name drastically lower real-world entropy.
- Repeated characters —
aaa,111compress the search space.
The most popular open-source library, zxcvbn (by Dropbox), combines all of these into a 0–4 score. It runs pattern matching against dictionaries and keyboard adjacency graphs before estimating crack time.
Simple implementation
You can build a basic scorer without a full dictionary by checking character set, length, and a short list of common patterns.
JavaScript
function checkPasswordStrength(password) {
let score = 0;
const checks = {
length8: password.length >= 8,
length12: password.length >= 12,
lowercase: /[a-z]/.test(password),
uppercase: /[A-Z]/.test(password),
digit: /\d/.test(password),
symbol: /[^a-zA-Z0-9]/.test(password),
};
score += checks.length8 ? 1 : 0;
score += checks.length12 ? 1 : 0;
score += checks.lowercase ? 1 : 0;
score += checks.uppercase ? 1 : 0;
score += checks.digit ? 1 : 0;
score += checks.symbol ? 1 : 0;
const common = ['password','123456','qwerty','admin','letmein'];
if (common.includes(password.toLowerCase())) score = 0;
const labels = ['Very Weak','Weak','Fair','Good','Strong','Very Strong'];
return { score, label: labels[Math.min(score, 5)], checks };
}
console.log(checkPasswordStrength('P@ssw0rd12!'));
// { score: 6, label: 'Very Strong', checks: { ... } }
Python
import re
COMMON = {'password', '123456', 'qwerty', 'admin', 'letmein'}
LABELS = ['Very Weak', 'Weak', 'Fair', 'Good', 'Strong', 'Very Strong']
def check_password_strength(password: str) -> dict:
checks = {
'length8': len(password) >= 8,
'length12': len(password) >= 12,
'lowercase': bool(re.search(r'[a-z]', password)),
'uppercase': bool(re.search(r'[A-Z]', password)),
'digit': bool(re.search(r'\d', password)),
'symbol': bool(re.search(r'[^a-zA-Z0-9]', password)),
}
score = sum(checks.values())
if password.lower() in COMMON:
score = 0
return {'score': score, 'label': LABELS[min(score, 5)], 'checks': checks}
print(check_password_strength('P@ssw0rd12!'))
# {'score': 6, 'label': 'Very Strong', ...}
Go
import (
"regexp"
"strings"
)
var common = map[string]bool{
"password": true, "123456": true,
"qwerty": true, "admin": true, "letmein": true,
}
var labels = []string{"Very Weak", "Weak", "Fair", "Good", "Strong", "Very Strong"}
type Result struct {
Score int
Label string
}
func CheckPasswordStrength(password string) Result {
score := 0
if len(password) >= 8 { score++ }
if len(password) >= 12 { score++ }
if regexp.MustCompile(`[a-z]`).MatchString(password) { score++ }
if regexp.MustCompile(`[A-Z]`).MatchString(password) { score++ }
if regexp.MustCompile(`\d`).MatchString(password) { score++ }
if regexp.MustCompile(`[^a-zA-Z0-9]`).MatchString(password) { score++ }
if common[strings.ToLower(password)] { score = 0 }
if score > 5 { score = 5 }
return Result{Score: score, Label: labels[score]}
}
PHP
function checkPasswordStrength(string $password): array {
$common = ['password', '123456', 'qwerty', 'admin', 'letmein'];
$labels = ['Very Weak', 'Weak', 'Fair', 'Good', 'Strong', 'Very Strong'];
$score = 0;
$checks = [
'length8' => strlen($password) >= 8,
'length12' => strlen($password) >= 12,
'lowercase' => (bool) preg_match('/[a-z]/', $password),
'uppercase' => (bool) preg_match('/[A-Z]/', $password),
'digit' => (bool) preg_match('/\d/', $password),
'symbol' => (bool) preg_match('/[^a-zA-Z0-9]/', $password),
];
$score = array_sum($checks);
if (in_array(strtolower($password), $common)) $score = 0;
$score = min($score, 5);
return ['score' => $score, 'label' => $labels[$score], 'checks' => $checks];
}
Entropy calculator
If you want to compute entropy rather than a rule-based score:
function entropy(password) {
let charset = 0;
if (/[a-z]/.test(password)) charset += 26;
if (/[A-Z]/.test(password)) charset += 26;
if (/\d/.test(password)) charset += 10;
if (/[^a-zA-Z0-9]/.test(password)) charset += 33; // common symbols
return password.length * Math.log2(charset);
}
console.log(entropy('P@ssw0rd12!').toFixed(1)); // 65.4 bits → Strong
Practical rules for strong passwords
- Use 12+ characters minimum — length is the highest-leverage factor.
- Use a passphrase — four random words (
correct-horse-battery-staple) beat a short random string in both memorability and entropy. - Never reuse passwords — one data breach exposes every account sharing that password.
- Use a password manager — lets you have unique, random, 20-character passwords everywhere without memorising them.
- Enable two-factor authentication (2FA) — a strong password plus 2FA is far harder to compromise than either alone.
What checkers cannot detect
Rule-based checkers cannot tell whether your password appears in a breach database. For that, use services that check against billions of known-leaked passwords — they hash your input locally so the actual password is never transmitted.
FAQ
Is a longer password always better than a complex short one?
Yes, in almost all cases. correcthorsebatterystaple (25 characters, lowercase only) has ~117 bits of entropy. P@ss!1 (6 characters, all character types) has only ~37 bits.
Why does my company require I change my password every 90 days?
This is outdated advice. NIST guidelines (SP 800-63B, 2017) now recommend against mandatory periodic resets — they cause users to make predictable changes (password1 → password2). Change passwords only when compromise is suspected.
Can a password be too long? Practically, no. Most systems accept up to 64–128 characters. Longer is always stronger. A few legacy systems cap at 8 characters — that cap itself is a security risk.
What's the difference between a password and a passphrase? A passphrase is a sequence of words used as a password. It is often longer and easier to remember while still being high-entropy if the words are chosen randomly (e.g., from a wordlist via dice rolls — "diceware").
Does special character substitution (@ for a, 3 for e) help?
Slightly — attackers' tools apply common substitutions automatically (l33tspeak). A word with substitutions is still weaker than a random string of the same length. Length beats leetspeak.
Use the Password Strength Checker to test any password instantly and see exactly which criteria it passes or fails.