🛡️ Password Strength Checker

Free online password strength checker with pattern detection, crack-time estimation, pinyin/CJK dictionaries, and optional HIBP breach check — all client-side.

Passwords are analyzed locally in your browser — no upload, no storage, no telemetry. The optional HIBP breach check only sends the first 5 hex chars of a SHA-1 hash (k-anonymity).


FAQ

How are the score and crack time calculated?

The tool decomposes your password into recognized patterns (dictionary words, pinyin, dates, years, keyboard walks, sequences, repeats, l33t substitutions); each contributes a guess count, and unrecognized segments fall back to character-class randomness. Dynamic programming finds the lowest total guesses, then divides by attack rate to get time.

Why does the result differ from password-generator's meter?

The generator's meter uses Shannon entropy assuming uniform randomness — so Password1 can appear "fair" or higher. This tool also detects Password's rank in leaked lists and the common-suffix 1 pattern, so it returns a lower, more realistic score.
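The two answers above, on minimum-guess decomposition and on why a uniform-randomness meter overrates Password1, can be seen in a small sketch. This is an added example, not the tool's own code; the dictionary ranks, pattern costs, function names and the 1e10 guesses-per-second rate are constructed assumptions.

```javascript
// Added illustration. Ranks, pattern costs and the attack rate are constructed
// sample values, not the tool's data. Costs are log10(guesses) to avoid overflow.
const LEAKED_RANK = new Map([["password", 2], ["dragon", 10], ["woaini", 25]]);

// Character pool a uniform-randomness meter would assume for this password.
function poolSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33;
  return n || 1; // empty input: avoid log10(0)
}

// Cheapest way to guess one segment: [patternName, log10(guesses)].
function bestSegment(seg, pool) {
  const opts = [["bruteforce", seg.length * Math.log10(pool)]];
  const rank = LEAKED_RANK.get(seg.toLowerCase());
  // A capitalised variant doubles the guesses for a dictionary hit.
  if (rank) opts.push(["dictionary", Math.log10(rank * (seg === seg.toLowerCase() ? 1 : 2))]);
  if (/^(19|20)\d\d$/.test(seg)) opts.push(["year", Math.log10(130)]);
  else if (/^\d+$/.test(seg)) opts.push(["digits", seg.length]); // 10^len
  if (/^(.)\1{2,}$/.test(seg)) opts.push(["repeat", Math.log10(pool * seg.length)]);
  return opts.reduce((a, b) => (b[1] < a[1] ? b : a));
}

// best[i] = cheapest decomposition of the first i characters.
function analyze(pw, guessesPerSecond = 1e10) {
  const chars = Array.from(pw);
  const pool = poolSize(pw);
  const best = [{ cost: 0, parts: [] }];
  for (let end = 1; end <= chars.length; end++) {
    best[end] = { cost: Infinity, parts: [] };
    for (let start = 0; start < end; start++) {
      const seg = chars.slice(start, end).join("");
      const [pattern, cost] = bestSegment(seg, pool);
      const total = best[start].cost + cost;
      if (total < best[end].cost) {
        best[end] = { cost: total, parts: [...best[start].parts, `${pattern}:${seg}`] };
      }
    }
  }
  const log10Guesses = best[chars.length].cost;
  return {
    parts: best[chars.length].parts,
    log10Guesses,
    naiveLog10: chars.length * Math.log10(pool),
    seconds: Math.pow(10, log10Guesses) / guessesPerSecond,
  };
}
```

With these sample values, `analyze("Password1")` decomposes into a dictionary hit plus a one-digit suffix for about 40 guesses, while the uniform assumption over a 62-character pool gives roughly 10^16.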

Does enabling HIBP leak my password?

No. HIBP uses k-anonymity: the tool computes SHA-1 locally and sends only the first 5 hex chars (e.g. 5BAA6). The server returns ~800 matching suffixes with counts; matching happens locally. The server never sees the full hash and cannot derive the password.

Does "Very strong" mean it's forever safe?

No. Scores are based on 2026 commodity hardware; offline fast-hash rates roughly double every 3–5 years. Even at score 4: never reuse, enable 2FA, and store only in a trusted password manager.

Does it understand pinyin and Chinese passwords?

Yes. Built-in CJK / pinyin dictionaries cover common entries like woaini, wodemima, 5201314, zhongguoren, 密码, 我爱你. English-only engines like zxcvbn miss these entirely.

Password Strength Checker analyzes any password locally in your browser. It detects patterns (leaked password lists, pinyin/CJK common words, keyboard walks, dates and years, sequences and repeats, L33t substitutions) to estimate guesses needed, exposes four attack-speed scenarios (online throttled, online unthrottled, offline slow bcrypt, offline fast GPU), and shows every detected pattern so you see exactly why a password is weak. Everything runs client-side; opt-in Have I Been Pwned k-anonymity lookup sends only the first 5 SHA-1 hex chars — the password is not uploaded by the tool. Great for password review, security training, and policy compliance checks. Common mistakes: judging by length alone, treating Password1 as strong, reusing breached passwords. Pair with a random generator, a password manager, and two-factor authentication.