Password Strength Test: How Strong Is Your Password?

Type a password below to check how strong it is

Your password is checked entirely in your browser. Nothing is sent to any server.

This password strength test analyses your password entirely in your browser. Nothing is sent to any server, stored, or logged. Type any password above to instantly see how strong it is, how long it would take to crack, and what you can do to improve it.

1. What Makes a Password Strong?
2. How Long Should a Password Be?
3. How Long Does It Take to Crack a Password?
4. Most Common Passwords
5. Examples of Strong Passwords
6. Password Length vs Complexity
7. Is This Password Checker Safe to Use?
8. The Bottom Line

What Makes a Password Strong?

A strong password is one that would take an impractically long time for an attacker to guess, whether by brute force (trying every possible combination) or by using lists of common passwords. What makes a password strong comes down to two factors: length and unpredictability. This is exactly why passphrases (sequences of random words like sunset velvet crater unfold) have become the recommended approach: they are long by nature and easy to remember.

Length: every additional character multiplies the number of possible combinations exponentially. A 12-character password has billions of times more combinations than an 8-character one.
Character variety: using lowercase, uppercase, numbers, and special characters increases the “pool” an attacker needs to search through. However, this matters far less than length. A 25-character passphrase using only lowercase letters is vastly stronger than an 8-character password with every character type.
Unpredictability: the password should not be a single dictionary word, a name, a date, or follow an obvious pattern like abc123 or qwerty. Note that a passphrase uses multiple random words together, which is different from using a single dictionary word. The randomness of the combination is what provides the security.

Of these three, length is the most important by a significant margin. A long password made of only lowercase letters is far harder to crack than a short password with special characters. This is why security experts increasingly recommend passphrases (multiple random words) over traditional complex passwords.

How Long Should a Password Be?

The answer depends on how the password is used, but as a general guideline:

8 characters: the bare minimum accepted by most services. Not recommended for anything. Can be cracked in hours with modern hardware.
12 characters: better, but still within reach of modern cracking tools depending on the character mix. Not ideal for important accounts.
16+ characters: a solid starting point for important accounts like email, banking, and your password manager master password.
20+ characters (recommended): a passphrase of four or more random words easily reaches this length and is practically uncrackable by brute force. This is what you should aim for.

How many characters should a password be at minimum? Most cybersecurity organisations now recommend at least 12. The NIST Digital Identity Guidelines recommend a minimum of 8 characters but note that longer is always better. The easiest way to hit 20+ characters without effort is to use a passphrase. Four random words separated by spaces naturally land in the 20-30 character range, with no memorisation tricks needed.

How Long Does It Take to Crack a Password?

How long it takes to crack a password depends on its length, complexity, and how the target service stores it. The checker above estimates crack time assuming an attacker can try 10 billion guesses per second (a realistic rate for offline attacks against weakly hashed passwords using modern GPUs).

Here is a simplified password strength chart showing approximate crack times at that speed:

Password	Type	Time to Crack
`password`	Common password	Instantly
`Tr0ub4d!`	8 chars, mixed	About 2 hours
`MyD0g$Nam3`	10 chars, mixed	About 1 month
`Hk$9mPx2vL4!`	12 chars, random	About 200 years
`sunset velvet crater`	3-word passphrase	Millions of years
`sunset velvet crater unfold`	4-word passphrase	Billions of years
`Timber-Frost-Candle-River-42`	5-word passphrase	Longer than the age of the universe

Notice how a simple 3-word passphrase already outperforms a 12-character random password with special characters, while being far easier to remember.

The key takeaway: length matters far more than complexity. A 20-character passphrase made entirely of lowercase words is harder to crack than a 10-character password with every type of special character. You can test any of these examples in the checker above to see for yourself.

Most Common Passwords

Every year, security researchers publish lists of the most common passwords found in data breaches. Despite years of warnings, the same weak passwords appear repeatedly. According to breach data analysed by NordPass, the most common passwords consistently include:

123456
password
123456789
qwerty
abc123
111111
iloveyou
admin

If your password is on this list (or anything similar), it can be cracked instantly. Attackers always try these common passwords first. Run your password through the checker above. If it shows “Very Weak,” replace it with a passphrase from our passphrase generator. A four-word passphrase is infinitely stronger than any of the passwords above and takes seconds to create.

You can also check if your email has already appeared in a data breach where your password may have been exposed.

Examples of Strong Passwords

Here are examples of strong passwords and why they work. These are for illustration only. Never use an example password you found online. Notice how the passphrases are both stronger and easier to work with than the random character passwords.

Random character passwords (hard to remember):

kP$4mNx!9vR2qL (14 chars, mixed) – very high entropy, but difficult to type and impossible to memorise
Wy7#nBf3$kT8pQ! (15 chars, mixed) – slightly longer, equally unmemorable

Passphrases (recommended):

sunset velvet crater unfold (26 chars) – easy to remember, very hard to crack
Timber-Frost-Candle-River-42 (28 chars) – with capitalisation, separator, and number for sites that require mixed characters

Examples of weak passwords that people mistakenly think are strong:

P@ssw0rd – uses common substitutions (a to @, o to 0) that attackers already account for
Summer2024! – a dictionary word plus a year plus a symbol. Predictable pattern.
MyDogMax123 – personal information that could be found on social media

The difference between strong and weak is not about special characters. It is about randomness and length. Use our passphrase generator to create passwords that are both strong and memorable.

Password Length vs Complexity: Which Matters More?

For decades, the standard advice was to make passwords “complex”: use uppercase, lowercase, numbers, and symbols. This led to passwords like Tr0ub4d&3 which are hard for humans but surprisingly easy for computers.

Modern guidance from organisations like NIST has shifted: length is more important than complexity. Here is why:

An 8-character password using all character types has about 6 quadrillion combinations
A 20-character password using only lowercase letters has about 19 septillion combinations
That is roughly 3 billion times more combinations, despite using simpler characters

Complexity still helps, but only as a bonus on top of length. A short complex password will always lose to a long simple one. This is the core argument for passphrases: four random words give you 20+ characters with no effort, and they are far easier to type and remember than a jumble of symbols. If you take one thing away from this page, let it be this: switch to passphrases. You can generate one here.

Is This Password Checker Safe to Use?

Yes. This password strength test runs entirely in your browser using JavaScript. Your password never leaves your device. Nothing is transmitted to any server, nothing is stored, and nothing is logged.

You can verify this yourself: open your browser’s developer tools (F12), go to the Network tab, type a password into the checker, and confirm that no network requests are made. You can also disconnect from the internet after loading the page and the checker will continue to work.

As a general rule, are password checkers safe? Only if they run locally in your browser. Avoid any password checker that asks you to “submit” your password or requires creating an account. A legitimate password strength tester never needs to send your password anywhere.

The Bottom Line

The old approach to passwords (short, complex, impossible to remember) is outdated. A passphrase of four or more random words is longer, stronger, and easier to use. It is the approach recommended by NIST and security professionals worldwide.

Use the checker above to test your current passwords. If any of them score below “Strong,” consider replacing them with a passphrase from our passphrase generator. Store all your passwords in a password manager, enable multi-factor authentication on your most important accounts, and check if your email has been exposed in a data breach.

For more on password security, the NIST Digital Identity Guidelines provide the current industry standard recommendations.

Table of Contents