Beyond “Must contain one uppercase letter”
Most password policies are theater. “8 characters, one uppercase, one number, one symbol” sounds strict but allows Password1! — which shows up in every leaked password list ever compiled. A real strength check goes deeper than character class checkboxes.
This tool scores passwords 0-100 by analyzing length, character diversity, sequential patterns (abc, 123), repeated characters (aaa), keyboard patterns (qwerty), and matches against common password lists. It estimates how long a brute-force attack at 10 billion guesses per second would take, and tells you specifically why your password is strong or weak.
Everything runs in your browser. Your password never touches a network connection.
What the Score Catches
Sequential patterns. abc, 123, xyz — attackers’ rule-based tools try these first. The checker flags them.
Keyboard walks. qwerty, asdfgh, zxcvbn — these aren’t random just because they look random. They follow your keyboard layout, and attackers know that.
Common passwords. The tool checks against a list of the most commonly used passwords. If yours matches, it gets flagged immediately. Monkey123! technically has uppercase, lowercase, numbers, and a symbol. It’s still terrible.
Repeated characters. aaaa or 1111 in your password? That’s low-entropy padding that barely helps.
Short length. An 8-character password with all four character types? About 52 bits of entropy. A 16-character password with just lowercase? About 75 bits. Length wins.
Testing Password Policies
If you manage a system with password requirements, test what your minimum policy actually allows. Enter passwords that technically meet the requirements and see how they score. You might find that your “must contain uppercase, lowercase, number, and symbol” policy happily accepts Welcome1! — which any attacker’s dictionary handles in under a second.
Push for length-based policies (16+ character minimum) over complexity-based ones. The math is overwhelmingly on your side: entropy scales linearly with length but only logarithmically with character set size.
Honest Limitations
The crack time estimate assumes pure brute force. Real attackers are smarter. They use dictionary attacks, rules-based mutations, and passwords leaked from other breaches. A password that scores “Strong” against brute force might fall instantly to a dictionary attack if it’s a modified common word.
No automated tool can fully replicate what a real attacker does. This gives you a solid baseline, not an absolute guarantee.
If your password scores poorly, the Password Generator creates strong random strings and the Passphrase Generator creates memorable word-based alternatives. Both are on Toolsvu.
Your password never leaves your browser. That’s non-negotiable for a tool like this.