Strict password strength & breach check

Check if a password is weak, appears in known breaches, and how long an offline attack might take to crack it.

Password checker

We combine zxcvbn scoring with Have I Been Pwned breach checks for realistic results.

💡 Pro Tip: Use this checker to test your passwords, then upgrade weak ones using a generator and a password manager with MFA.

Short, common or previously breached passwords are always marked as very weak, even if they contain numbers or symbols.

Strength estimation uses the zxcvbn model and the Pwned Passwords database via k‑anonymity.

Password checker FAQ

How does this password checker work?

The checker estimates how many guesses an attacker would need to crack your password and how long that could take in a very fast offline attack. It combines a strength model (zxcvbn) with a check against known leaked passwords, then shows a score, crack‑time estimate, and breach risk based on your input.

What is zxcvbn and what does the score mean?

zxcvbn is an open‑source password strength estimator created by Dropbox. It looks for common words, patterns, keyboard sequences, and substitutions in your password and then estimates its entropy (randomness). It gives a score from 0 to 4, where 0–1 is very weak or weak, 2 is fair, 3 is strong, and 4 is very strong.

What does the breach check do?

When you type a password, we securely hash it in your browser and only send the first few characters of the hash to the Pwned Passwords API from Have I Been Pwned. The service returns a list of matching hash endings, and we check locally whether your password appears in known data leaks and roughly how many times it was seen.

Do you see or store my password?

No. All analysis starts in your browser, and the full password never leaves your device in plain text. For the breach lookup we only send a partial hash, which cannot be reversed to reveal your password. We also do not log or store any of the passwords you check.

Why is my password marked as poor even though it has symbols and numbers?

Many weak passwords add a number or symbol to a common word or pattern. If your password is short, based on common words (like “password”, “qwerty”, your name, or simple sequences), or appears in known leaks, it will still be rated poor because attackers try those first in real‑world attacks.

What should I do if this tool says my password was found in a breach?

Stop using that password everywhere, change it immediately on every site where it was reused, and replace it with a unique, longer password or passphrase. You should also turn on two‑factor authentication (2FA) wherever possible to protect your accounts even if a password is compromised.

How can I create a strong password after this tool says mine is weak?

Use the Password Generator for complex random passwords that you store in a password manager, or the Passphrase Generator for memorable multi‑word phrases. Both create high‑entropy credentials that are much harder to guess or crack than short, reused passwords.

Do I have to remember every strong password myself?

No. The easiest way is to use a reputable password manager to store and autofill long, unique passwords for each site. Then you only need to remember one strong master password or passphrase and keep a backup recovery method in case you lose access.

Is using a passphrase better than a traditional password?

For many people, a long passphrase made of several random words is easier to remember and can be very strong when it is long enough and not based on a well‑known quote or song lyric. You can try the passphrase generator on this site to create high‑entropy phrases that are easier to type and remember.