Free Password Strength Checker

Type any candidate password and get an honest estimate of how long it would resist real attack tools. Powered by zxcvbn (Dropbox's open-source strength estimator), runs entirely in your browser, no logging.

Start your free vault Security model

Powered by zxcvbn

The industry-standard strength estimator. Detects dictionary words, keyboard patterns, dates, and common substitutions.

Honest crack-time estimates

Estimates for online attack (rate-limited), online unthrottled, offline slow hash, and offline fast hash scenarios.

Runs entirely in browser

No network call, no logging. The password you type never leaves your device.

Suggestions, not scolding

Tells you what makes a password weak and concrete steps to fix it — not just a vague red/yellow/green indicator.

Generator on the same page

Found your password's too weak? Generate a strong replacement and save to your vault in one click.

Why zxcvbn beats character-set math

Most strength meters multiply password length by character-set size and call anything over a threshold 'strong'. This is wrong: 'P@ssw0rd123!' scores great on naive math, but it's in every cracking dictionary and falls to a real attack in seconds.

zxcvbn estimates strength by simulating actual cracker behavior: dictionary lookup, leet-substitution unrolling, keyboard-pattern detection, year-and-date detection. The score reflects how an actual attacker would approach the password, not the theoretical entropy.

How to interpret the score

Score 0 (too weak): cracked in under a second, even by an online rate-limited attacker. Replace immediately.

Score 1–2 (weak): cracked in minutes to hours by an offline attacker. Acceptable only for throwaway accounts.

Score 3 (decent): resists most offline attack budgets. Fine for normal-value accounts.

Score 4 (strong): resists the most realistic offline attack budgets for the foreseeable future. Aim here for sensitive accounts; pair with TOTP for the most sensitive.

What to do with a weak password

Generate a replacement with PassCryp's password generator (20+ random characters, full symbol set). Save to vault. Rotate at the upstream site. Check breach monitoring to confirm the old password isn't already in HIBP — if it is, treat any account using it as exposed.

For master passwords specifically, use the generator's Passphrase mode: 5+ random words from the EFF long wordlist. Hits score 4 and stays memorable.

Frequently asked questions

Is the strength checker free?

Yes — no signup, no rate limits. Runs in your browser via zxcvbn.

Does the password I type get sent anywhere?

No. Strength estimation is entirely client-side. The password never touches the network.

What's zxcvbn?

An open-source password strength estimator originally built by Dropbox. Models actual cracker behavior instead of naive entropy math.

What score should I aim for?

Score 4 for sensitive accounts (email, banking, primary cloud). Score 3 acceptable for normal accounts. Always pair the most sensitive accounts with 2FA.

Can I check a password I'm already using?

Yes — but if it scores low, rotate it immediately. The checker is safe (no network), but a low-scoring password in production is a real risk.

Does PassCryp check breached passwords?

Yes — the vault checks stored passwords against Have I Been Pwned and alerts on matches. Strength + breach check together cover most password risks.

Ready to take control of your secrets?

Start a free zero-knowledge vault in under 60 seconds.

Start your free vault