Password Strength Tester
Realistic security score • Crack time estimate • Instant tips
How to Create a Strong Password
Use 20+ Characters
Length is the most important factor. Each extra character multiplies the crack time, so it grows exponentially with length.
Use Passphrases
Four random words like "correct-horse-battery-staple" are stronger than "P@ssw0rd" and easier to remember.
Avoid Patterns
Word+number+symbol patterns like "Dog123!" are in every attack dictionary. True randomness is what matters.
Use a Password Manager
Bitwarden (free) generates truly random unique passwords for every site. You only remember one master password.
Why pattern-based passwords are weak
Modern password crackers don't try random combinations — they use dictionaries of billions of known passwords, combined with mutation rules: capitalize the first letter, add numbers at the end, substitute letters with symbols. "Cane9999" and "Cane.9999" are both immediately recognizable as word+number patterns and would be cracked in minutes by a targeted attack, regardless of the symbol added.
This checker uses zxcvbn, the same algorithm used by Dropbox and 1Password. Unlike simple entropy calculators, zxcvbn recognises dictionary words, names, keyboard patterns, dates, and common substitutions — and estimates realistic guess counts rather than theoretical brute-force time.
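To make the gap between a simple entropy calculator and a pattern-aware estimate concrete, here is an added example (not zxcvbn's code and not part of this tool) that scores the passwords mentioned above both ways. The five-word dictionary, the rule multipliers and the 7776-word passphrase list are assumptions chosen for illustration.

```javascript
// Added illustration: a simplified pattern-aware estimator, not zxcvbn's code.
// WORDS is a tiny constructed stand-in for a ranked attack dictionary.
const WORDS = ["password", "dog", "cane", "summer", "admin"];
const LEET = { "@": "a", "0": "o", "1": "i", "3": "e", "$": "s" };
const SYMBOLS = 33; // printable ASCII symbols

// Naive estimate: each character treated as uniformly random over the classes used.
function naiveGuesses(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += SYMBOLS;
  return Math.pow(pool, pw.length);
}

// Pattern-aware estimate for word [symbol] digits [symbol], the shape that
// dictionary-plus-mutation-rule guessing covers first. Returns null if no match.
function patternGuesses(pw) {
  for (let i = pw.length; i > 0; i--) {
    const head = pw.slice(0, i);
    const lower = head.toLowerCase();
    const plain = lower.replace(/[@013$]/g, (c) => LEET[c]);
    const rank = WORDS.indexOf(plain) + 1;
    const tail = /^([^A-Za-z0-9]?)(\d*)([^A-Za-z0-9]?)$/.exec(pw.slice(i));
    if (rank === 0 || !tail) continue;
    let guesses = rank;                         // position in the dictionary
    if (head !== lower) guesses *= 2;           // capitalisation rule
    if (plain !== lower) guesses *= 2;          // symbol-substitution rule
    guesses *= Math.pow(10, tail[2].length);    // every digit string of that length
    if (tail[1]) guesses *= SYMBOLS;            // separator symbol
    if (tail[3]) guesses *= SYMBOLS;            // trailing symbol
    return guesses;
  }
  return null;
}

// Passphrase of `count` words drawn uniformly at random from a list of `listSize`.
function passphraseGuesses(count, listSize) {
  return Math.pow(listSize, count);
}

for (const pw of ["Cane9999", "Cane.9999", "Dog123!", "P@ssw0rd"]) {
  console.log(pw, "naive:", naiveGuesses(pw).toExponential(1),
    "pattern-aware:", patternGuesses(pw));
}
console.log("4 random words from 7776:", passphraseGuesses(4, 7776).toExponential(1));
```

The naive column credits "Cane.9999" with roughly 10^17 guesses, while the pattern-aware column puts it under two million; the added symbol only multiplies the estimate by 33.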
Why password length matters more than complexity
NIST guidelines now prioritise length over forced complexity. A 20-character passphrase of random words is vastly stronger than an 8-character password with symbols, and far easier to remember. Forcing complexity rules leads users to predictable patterns — "Password1!" being the notorious example — which attackers know and target first.
Two-Factor Authentication (2FA)
Even the strongest password can be stolen through phishing or data breaches. 2FA adds a second layer: even with your password, attackers cannot log in without your phone or hardware key. Enable it on every account that supports it — especially email, banking, and social media.
Common mistakes to avoid
- Using your name, birthday, pet's name, or favourite team
- Simple substitutions: "p@ssw0rd" is in every attack dictionary
- Reusing the same password across multiple sites
- Keyboard sequences: "qwerty", "123456", "asdfgh"
- Adding "1!" to the end of a word to satisfy complexity requirements
- Word + number patterns: "Dog2024", "Summer23!", "Admin2025"
How this tool works
This checker uses zxcvbn, an open-source library developed by Dropbox. It estimates the number of guesses an attacker would need using the most efficient known attack strategy. All analysis runs locally in your browser — your password is never sent to any server.