About Password Strength Analyzer

Analyze password strength with entropy and crack-time estimates. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

• Testing password policy enforcement before deploying to production
• Educating users about password strength through visual feedback
• Auditing existing password requirements against NIST guidelines
• Comparing passphrase vs random character password effectiveness

Tips

• Check entropy bits to understand mathematical password strength
• Review crack-time estimates for different attack scenarios
• Look for patterns like keyboard walks or common substitutions

Fun Facts

• The zxcvbn algorithm, created by Dan Wheeler at Dropbox in 2012, estimates password strength by modeling real-world attack patterns.
• The most common password worldwide in 2023 was still '123456,' used by over 4.5 million accounts according to NordPass research.
• A truly random 12-character password using all character types has approximately 79 bits of entropy, requiring centuries to brute-force.

FAQ

How is strength calculated?

Entropy analysis — character set × length. 12 chars from 95 printable ASCII: 79 bits. 16 chars same set: 105 bits. Plus zxcvbn-style pattern detection.

What's considered strong?

64+ bits resist casual brute-force. 80+ resist well-funded attackers. 128+ is the modern recommendation. 'Password1!' is ~20 bits — weak.

Does it check breach databases?

No — no API calls. For checking against breach lists use haveibeenpwned.com. This tool analyzes the password itself, not its history.

What about dictionary passwords?

Detected and flagged. Common passwords ('password', 'letmein', '123456') score near zero regardless of length. Substitutions (p@ssw0rd) are barely better.