Local password strength checker, entropy estimator and account hardening checklist
Type a password below. I’ll score it right here, in your browser. Nothing gets sent to me, ever. What you get back: an entropy estimate, a scan for the lazy patterns attackers reach for first, and a side-by-side of how fast each kind of attack would chew through it. If yours is weak it’ll toss you some passphrase ideas too, plus a privacy-safe way to check it against breach databases. Honestly I built this mostly because I was tired of every other checker asking you to paste a live password into a box and just trust them.
Everything here happens locally. The password never touches PeopleAreGeek’s servers. And look, a password manager with a different password per site will do more for you than chasing a perfect number in this little box.
Password strength is about guessing resistance and account context
Most strength meters get one thing badly wrong. A password isn’t strong because you stuck a dollar sign in it. Attackers don’t sit there guessing blind. They throw leaked password dumps at you first, then dictionary words, then keyboard walks and birth years and the swaps everyone makes (a becomes @, o becomes 0), repeated runs, plus whatever you’ve already reused on five other sites. So a password that looks busy can still fall in seconds, if it’s short or built on something guessable. And the flip side: a long passphrase made of plain words you’ll actually remember is usually way harder to crack than some short string crammed with punctuation.
So I kept this tool local on purpose. It works out entropy from your character pool. Then it docks points for the patterns that actually get cracked, lines up how fast each attack model would grind through it, and flags any personal words you told it to watch for. Every weak signal gets explained in plain language, and you walk away with a checklist to lock the account down. None of that touches a server. The breach-prefix button only ever computes the first five characters of the SHA-1 hash (the part k-anonymity services use), so you can see how that lookup works without ever exposing the real password here.
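How the prefix lookup keeps the password local, as an added example rather than this tool's own code: a pure-JavaScript SHA-1 so it runs outside a browser, plus a constructed response in an assumed `SUFFIX:COUNT` line format. The names `splitForRangeLookup`, `timesSeen` and `SAMPLE_RANGE` are hypothetical.

```javascript
// Added example. Pure-JS SHA-1 so it runs anywhere; a browser would use crypto.subtle.
function sha1Hex(text) {
  const bytes = Array.from(new TextEncoder().encode(text));
  const bitLen = bytes.length * 8;
  bytes.push(0x80);
  while (bytes.length % 64 !== 56) bytes.push(0);
  for (let i = 7; i >= 0; i--) bytes.push(Math.floor(bitLen / 2 ** (8 * i)) & 0xff);
  const rotl = (x, n) => (x << n) | (x >>> (32 - n));
  let h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0];
  for (let off = 0; off < bytes.length; off += 64) {
    const w = [];
    for (let i = 0; i < 16; i++) {
      const j = off + 4 * i;
      w[i] = (bytes[j] << 24) | (bytes[j + 1] << 16) | (bytes[j + 2] << 8) | bytes[j + 3];
    }
    for (let i = 16; i < 80; i++) w[i] = rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    let [a, b, c, d, e] = h;
    for (let i = 0; i < 80; i++) {
      const [f, k] = i < 20 ? [(b & c) | (~b & d), 0x5a827999]
        : i < 40 ? [b ^ c ^ d, 0x6ed9eba1]
        : i < 60 ? [(b & c) | (b & d) | (c & d), 0x8f1bbcdc]
        : [b ^ c ^ d, 0xca62c1d6];
      const t = (rotl(a, 5) + f + e + k + w[i]) | 0;
      [e, d, c, b, a] = [d, c, rotl(b, 30), a, t];
    }
    h = [h[0] + a, h[1] + b, h[2] + c, h[3] + d, h[4] + e].map((x) => x | 0);
  }
  return h.map((x) => (x >>> 0).toString(16).padStart(8, "0")).join("").toUpperCase();
}

// Only `prefix` would ever leave the browser; the suffix is compared locally.
function splitForRangeLookup(password) {
  const hash = sha1Hex(password);
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// Scan an assumed "SUFFIX:COUNT" response body for our suffix.
function timesSeen(suffix, rangeBody) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [s, count] = line.trim().split(":");
    if (s.toUpperCase() === suffix) return Number(count);
  }
  return 0;
}

// Constructed response for prefix 5BAA6; the counts and filler suffixes are made up.
const SAMPLE_RANGE = [`${"0".repeat(35)}:12`,
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9001", `${"F".repeat(35)}:3`].join("\r\n");
```

The service only learns that the password's hash starts with `5BAA6`, a bucket shared with every other hash carrying that prefix; the match against the remaining 35 hex characters happens on the client.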
How to interpret the score
Treat the score as a warning light, not a certificate. A real login page usually throttles guesses, so even a mediocre password buys you a bit of time there. But the second a database leaks and someone’s cracking hashes offline? That same password gets hammered millions of times a second. Context is everything. A password I’d happily slap on some forum I’ll forget by Tuesday is nowhere near good enough for email, or my hosting panel, or banking, or anything with the word admin in it. For those I want a password manager, a unique password per site, a second factor. No exceptions, and yeah I know that sounds preachy.
- Length is the one lever that almost never lets you down. Add characters before you do anything else.
- Uniqueness beats clever tricks. Swapping an a for an at-sign fools nobody who cracks passwords for a living.
- Context words (your company, your name, your city, your dog’s name) are the first thing a targeted guess tries. Leave them out.
- 2FA is your safety net for the day a password gets phished, or you reused it somewhere you forgot about.
- Password managers are what turn “unique password everywhere” from a nice idea you quietly abandon into something you actually do.
Common password debugging examples
A few things I run into constantly. It flags a year? Don’t just tack 2026 onto the end of a word. That’s about the most predictable move on earth. Catches a keyboard walk? Rip the whole pattern out, don’t bolt one symbol on the end and call it fixed. And when the crack-time swings wildly between attack models, plan for the fast one. Any account whose hashes might end up in a leak deserves to be judged by the worst case, not the friendly throttled number. Oh, and if your password contains a company name or a product name or the first half of your email, just assume an attacker already guessed it.
Common questions
Should I type my real password here?
Technically you’re fine. It all runs in your browser, nothing gets sent to this site. But I’ll be straight with you: I never paste a live password into any website, this one included. If you want the reading without the nagging worry, type something with the same shape (same length, same kind of mix) and you’ll learn just as much.
Are symbols required?
They help a little. But length and uniqueness do far more of the heavy lifting. Four random words strung together will outlast a short password sprinkled with punctuation, basically every time. Add a symbol if the site insists, fine. Just don’t kid yourself that the symbol is what’s protecting you.
Can a checker prove that a password is safe?
No. And don’t trust any tool that claims it can. This catches the obvious weaknesses, that’s the whole job. Whether your account is actually safe comes down to stuff a checker just can’t see. Has this password leaked before? Did you reuse it? Would you fall for a convincing phishing page on a bad day? Is your recovery email locked down? Is 2FA on? The score is where that conversation starts, not where it ends.
What actually makes a password strong?
Length, first and foremost. Get to 12 characters at the bare minimum, and more for anything that matters. After that it comes down to unpredictability, and using a different one on every site. A long passphrase of unrelated words beats a short password bristling with symbols, pretty much always.
Is my password sent anywhere when I check it?
No. The whole calculation happens in your browser. I never see what you type, nothing leaves the page. Still, build the habit anyway: don’t paste a real, in-use password into any website’s box, this one included. Good muscle memory is worth more than my promise, frankly.
What is password entropy?
It’s a way to measure unpredictability, counted in bits. Here’s the part people miss: every single bit you add doubles the number of guesses an attacker has to make. So the jump from 50 to 60 bits is way bigger than the small-looking numbers suggest. Aim for 60-plus and you’re sitting pretty.
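The arithmetic behind the bits figure and the attack-model comparison, as an added example rather than this page's own scoring code. The pool sizes, per-pattern bit costs, guess rates and the sample passwords are all assumptions made for illustration.

```javascript
// Added example: pool sizes, pattern costs and guess rates below are assumptions.
const POOLS = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^A-Za-z0-9]/, 33]];
const PATTERNS = [
  // A pattern is costed by how many guesses it takes, not by how long it is.
  { name: "repeated run", re: /(.)\1{2,}/g, bits: 6 },
  { name: "keyboard walk", re: /qwerty|asdfgh|zxcvbn|123456/gi, bits: 4 },
  { name: "year", re: /(19|20)\d\d/g, bits: Math.log2(200) },
];
const RATES = { throttledOnline: 10, offlineHashes: 1e7 }; // guesses per second

// Undo the usual swaps so "@cme" still matches the context word "acme".
const unleet = (s) => s.toLowerCase().replace(/[@4]/g, "a").replace(/0/g, "o")
  .replace(/[1!]/g, "i").replace(/3/g, "e").replace(/[$5]/g, "s");
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function poolSize(pw) {
  return POOLS.reduce((n, [re, size]) => n + (re.test(pw) ? size : 0), 0);
}

function estimate(pw, contextWords = []) {
  const perChar = Math.log2(poolSize(pw) || 1);
  const naiveBits = pw.length * perChar; // length x log2(pool), no penalties
  const flags = [];
  let rest = pw, bits = 0;
  // Replace each hit with NUL so its characters stop counting as random.
  const strip = (name, re, cost) => {
    rest = rest.replace(re, () => { flags.push(name); bits += cost; return "\0"; });
  };
  for (const p of PATTERNS) strip(p.name, p.re, p.bits);
  rest = unleet(rest); // digits are rewritten only after the year scan has run
  for (const w of contextWords.filter(Boolean)) {
    strip(`context word: ${w}`, new RegExp(escapeRe(unleet(w)), "g"), 1);
  }
  // Only characters not explained by a pattern keep their full pool entropy.
  bits += rest.replace(/\0/g, "").length * perChar;
  const seconds = {}; // average time to hit: half the search space
  for (const [model, rate] of Object.entries(RATES)) seconds[model] = 2 ** bits / 2 / rate;
  return { naiveBits, bits, flags, seconds };
}

// Constructed inputs: a busy-looking password and a plain four-word passphrase.
console.log(estimate("Acme2026!", ["acme"]));
console.log(estimate("tulip-anvil-orbit-mango"));
```

With these numbers `Acme2026!` drops from about 59 naive bits to about 15 once the year and the context word are discounted, which is under a second against offline hashes. Pool entropy assumes every character was picked at random, so treat `naiveBits` as an upper bound.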













