Password Strength Meter


Estimated crack time

Entropy

Shows how long dedicated offline hardware would need to brute-force this password.

Entropy estimates randomness in bits. Higher bits mean exponentially more guesses.

Suggestions

  • Check how secure your passwords really are
  • Generate safe and unique passwords easily in your browser.

Strength and crack-time values are estimates based on offline attacks. Always add MFA and breach monitoring on top of unique passwords.

Password Generator


Generated samples never leave this page. Copy them carefully and clear your clipboard when you are done.

Guidance

Password playbook

Modern password-cracking rigs can test trillions of guesses per second. This checker and generator keeps both passwords and passphrases 100% local: scoring is done by zxcvbn, and randomness comes from Web Crypto.

  1. Make them long. Each extra character multiplies the search space, so it grows exponentially with length.
  2. Never reuse across accounts. Breaches travel faster than you can respond.
  3. Mix unrelated words or phrases—think "oceanic-lentil.meridians-velvet".
  4. Add secret "spice": symbols, capitalization flips, or emoji if supported.
  5. Use a password manager to store, sync, and audit your credentials.
  6. Verify nothing leaves your browser: open DevTools → Network and it stays empty while you test or generate.

FAQ

Do you send my password anywhere?
No. Scoring and generation stay on this page. Open your browser’s DevTools network tab, type a password, and you’ll see zero requests.

What powers the score?
We rely on the open-source zxcvbn estimator from Dropbox.

Is strength the same as security?
Strength is a proxy for resistance to brute force. Real security also depends on MFA, phishing hygiene, and data-breach monitoring.

How do you keep generation secure and offline?
zxcvbn scoring and the password generator run entirely in this tab. Web Crypto seeds randomness whenever the browser allows it, and DevTools → Network stays empty while you type, so nothing ever leaves your device.

Methodology

Estimator stack

Dropbox’s open-source zxcvbn powers the live score via the @zxcvbn-ts/core bundle that ships with each locale.

  • Combines the upstream common dictionaries with locale-specific vocabularies.
  • Returns score labels, entropy bits, and multi-speed crack-time estimates.

Current release: 3.0.4

Local-only processing

Passwords, entropy math, and generated samples never hit a server. The UI only touches the DOM, CSS, and Web Crypto randomness.

  • Web Crypto seeds the generator whenever the browser exposes it.
  • No analytics, keystroke logging, or remote events bind to the input.

Verification tip: DevTools → Network stays empty while typing.

Privacy & data handling

No network calls

The tester and generator do not transmit keystrokes, generated passphrases, or telemetry. You can verify this by monitoring the Network tab in DevTools—there are zero requests while typing.

Local-only randomness

Generated passwords rely on the Web Crypto API when available. If not, we clearly label that JavaScript’s PRNG was used so you can decide if the output meets your bar.
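
The generation path described above, as an added example that is not this page's own code: it draws characters from Web Crypto when the runtime exposes it, rejects out-of-range values so the pick is unbiased, labels the `Math.random` fallback, and reports entropy as length × log2(alphabet size). The character sets, function names and source labels are assumptions made for illustration.

```javascript
// Added example: names, labels and character sets are assumptions, not the page's code.
const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?",
};

// Uniform integer in [0, n) from a 32-bit random source. Values in the
// incomplete final bucket are rejected so `% n` introduces no modulo bias.
function uniformIndex(n, next32) {
  const limit = Math.floor(0x100000000 / n) * n;
  let x;
  do { x = next32(); } while (x >= limit);
  return x % n;
}

// Use Web Crypto when the runtime exposes it; otherwise fall back to
// Math.random and say so in the label, so the UI can show it to the user.
function pickSource(cryptoObj = globalThis.crypto) {
  if (cryptoObj && typeof cryptoObj.getRandomValues === "function") {
    const buf = new Uint32Array(1);
    return { label: "webcrypto", next32: () => cryptoObj.getRandomValues(buf)[0] };
  }
  return {
    label: "math-random (not cryptographic)",
    next32: () => Math.floor(Math.random() * 0x100000000),
  };
}

function generatePassword(length, setNames, cryptoObj = globalThis.crypto) {
  // Merge the selected sets and drop duplicate characters.
  const alphabet = [...new Set(setNames.flatMap((s) => [...(SETS[s] || "")]))];
  if (alphabet.length === 0) throw new Error("select at least one character set");
  const { label, next32 } = pickSource(cryptoObj);
  let password = "";
  for (let i = 0; i < length; i++) {
    password += alphabet[uniformIndex(alphabet.length, next32)];
  }
  // Entropy of a uniformly random string: length * log2(alphabet size).
  const entropyBits = length * Math.log2(alphabet.length);
  return { password, entropyBits, source: label };
}
```

The entropy figure here applies only to uniformly random output; it is not the pattern-based estimate zxcvbn produces for human-chosen passwords.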

No analytics scripts

We do not embed analytics, pixels, or third-party ads on the testing view. When/if we add analytics elsewhere, they’ll be opt-in and never bound to the password field.