Password Strength Analyzer

Analyze password strength and get security recommendations

Password Generator

Generate strong random passwords

Help

What is Password Entropy?

Entropy measures the randomness and unpredictability of a password in bits. Higher entropy = stronger password.

Strength levels:

  • < 28 bits: Very Weak - Instantly crackable
  • 28-35 bits: Weak - Crackable in seconds
  • 36-59 bits: Moderate - Crackable in hours/days
  • 60-127 bits: Strong - Years to crack
  • 128+ bits: Very Strong - Centuries to crack

Calculation: Entropy = log₂(pool_size^length)

Length vs Complexity: Which is More Important?

Length wins! Each additional character multiplies the number of possibilities.

Example:

  • "aB3$xY9&" (8 chars, complex): ~50 bits entropy
  • "correcthorsebatterystaple" (25 chars, simple): ~77 bits entropy

Why? 26^25 > 94^8. The longer password is much stronger despite being less complex!

Recommendation: Aim for 12+ characters at minimum, 16+ for important accounts.

What are Common Password Weaknesses?

Avoid these common mistakes:

  • Dictionary words: "password", "football", "letmein"
  • Keyboard patterns: "qwerty", "123456", "asdfgh"
  • Repeating characters: "aaabbb", "112233"
  • Personal info: Names, birthdays, phone numbers
  • Common substitutions: "p@ssw0rd", "Pa$$word1"
  • Too short: Anything under 8 characters

These patterns are the first thing attackers try!

How Do Password Attacks Work?

Brute Force: Try every possible combination

  • Speed depends on hash algorithm and hardware
  • Online: ~1,000/second (rate limited)
  • Offline (MD5): ~100 billion/second (GPU)
  • Offline (bcrypt): ~100,000/second (designed to be slow)

Dictionary Attack: Try common words and passwords

  • Uses lists of millions of known passwords from breaches
  • Very effective because most people use common passwords

Hybrid Attack: Dictionary + variations

  • "password" → "Password1", "p@ssword", "password123"
  • Tries common substitutions and additions
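
The entropy formula, strength levels and brute-force guess rates from the Help text above, combined in one added JavaScript example (not the analyzer's own code). The per-class pool sizes (26/26/10/32) and the half-keyspace average are assumptions; the formula treats every character as an independent random draw, so it is an upper bound for passwords built from dictionary words.

```javascript
// Added example: the page's formula, strength levels and guess rates in code.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[!-\/:-@\[-`{-~]/, size: 32 }, // printable ASCII symbols (assumed set)
];
// Guess rates quoted on the page, in guesses per second.
const RATES = { online: 1e3, offlineMd5: 1e11, offlineBcrypt: 1e5 };

function poolSize(password) {
  return CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
}

// Entropy = log2(pool_size^length) = length * log2(pool_size)
function entropyBits(password) {
  const pool = poolSize(password);
  const length = [...password].length; // count code points, not UTF-16 units
  return pool > 0 ? length * Math.log2(pool) : 0; // empty input scores 0 bits
}

function strengthLevel(bits) {
  if (bits < 28) return "Very Weak";
  if (bits < 36) return "Weak";
  if (bits < 60) return "Moderate";
  if (bits < 128) return "Strong";
  return "Very Strong";
}

// Assumption: exhaustive search succeeds after half the keyspace on average.
function averageCrackSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits - 1) / guessesPerSecond;
}

function analyze(password) {
  const bits = entropyBits(password);
  const seconds = {};
  for (const [name, rate] of Object.entries(RATES)) {
    seconds[name] = averageCrackSeconds(bits, rate);
  }
  return { bits, level: strengthLevel(bits), seconds };
}

// Sample inputs: the two example strings from the Help text.
for (const pw of ["aB3$xY9&", "correcthorsebatterystaple"]) {
  const r = analyze(pw);
  console.log(pw, r.bits.toFixed(1), r.level, r.seconds.offlineMd5.toExponential(2));
}
```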

What Makes a Strong Password?

Best practices:

  • 12+ characters (16+ for important accounts)
  • Mix character types (upper, lower, digits, symbols)
  • Unique per account (use a password manager)
  • Random or passphrase approach
  • Enable 2FA when available

Two approaches:

  1. Passphrase: Multiple random words (e.g., "correct horse battery staple")
  2. Random: Completely random characters (e.g., "aB3$xY9&mK2#pL5%")

Should I Use a Password Manager?

Yes! Password managers are the best way to maintain strong, unique passwords.

Benefits:

  • Generate strong random passwords
  • Store a unique password for every account
  • Autofill login forms
  • Sync across devices
  • Only remember one master password

Popular options: 1Password, Bitwarden, LastPass, Dashlane, KeePassXC

Master password: Make it very strong (20+ characters), use the passphrase method, and never reuse it.

What is Two-Factor Authentication (2FA)?

2FA requires two things to log in:

  1. Something you know (password)
  2. Something you have (phone, hardware key)

Types:

  • SMS codes: Convenient but least secure
  • Authenticator apps: More secure (Google Authenticator, Authy)
  • Hardware keys: Most secure (YubiKey, Titan)

Why it's important: Even if your password is compromised, attackers can't access your account without the second factor.

Best practice: Enable 2FA on all important accounts!