Security Tool

Password Strength Tester

Realistic security score • Entropy • Crack time • Pattern & leetspeak detection

Strength
Score
Entropy
Length
Guesses needed
Crack time — GPU cluster
Crack time — online attack
Powered by zxcvbn — algorithm used by Dropbox, 1Password, Firefox
100% Private
Analysis runs entirely in your browser. Your password is never sent to any server.
Realistic Scoring
Not just entropy — actual attacker guess counts. Detects dictionary words, keyboard walks, dates, and leetspeak.

How to Create a Strong Password

Length is the single biggest factor

Every extra character multiplies crack time exponentially. In 2026, the recommended thresholds are: 16 characters — minimum, 20+ — recommended for all accounts (email, banking, password manager master password). A random 20-character passphrase is astronomically stronger than a complex 8-character password.

Passphrases: randomness is everything

Four or more random words are easier to remember and far stronger than a complex short password. But the key word is random — not any phrase you can think of:

  • WeakIlovefootballandpizza — long but completely predictable; every word is common and the phrase has meaning to you
  • Strongviolet-engine-river-planet-42 — random, unrelated words with no personal connection

A strong passphrase must be: random (no personal meaning), unpredictable (not from books, films, or song lyrics), and unique (never reused across accounts). Use a password manager to generate and store them.

What this tool detects (v2)

  • Dictionary words — 200+ common Italian and English words, even embedded inside longer passwords
  • Leetspeak substitutions — "p@ssw0rd" and "c4n3" are normalised and checked; attackers do this automatically
  • Keyboard sequences — "qwerty", "asdfg", "12345" and their reverses, all lengths from 3 upward
  • Date patterns — years (1900–2099), birthdays, dd/mm/yyyy formats
  • Word+number patterns — "Dog2024!" is the most common format in breach databases worldwide
  • Repeated characters — "aaa", "111", "!!" add no meaningful security
  • Common suffixes/prefixes — "1", "123", "!" appended or prepended to a word

What entropy means

Entropy (bits) measures the theoretical unpredictability of your password based on character set size and length. As a reference: under 40 bits is weak, 60+ is good, 80+ is strong. This tool goes further — zxcvbn models how attackers actually guess, penalising predictable patterns that inflate raw entropy. A password can have high entropy on paper but still be cracked in seconds if it follows a known pattern.

Crack time scenarios explained

GPU cluster — an attacker with an offline cracking rig running 10 billion guesses/second against a leaked hash (MD5, NTLM). This is the worst-case scenario for data breach victims, and the most relevant threat model for choosing a password length.

Online attack — an attacker targeting a live login form, throttled to ~100 attempts/hour. Most accounts survive this unless the database itself is compromised — which is exactly why the GPU scenario matters.

Common mistakes to avoid

  • Using your name, birthday, pet's name, city, or favourite team — all in attacker wordlists
  • Leetspeak substitutions: "p@ssw0rd", "c@ne", "c4lc10" — checked automatically by cracking tools
  • Reusing the same password across multiple sites — one breach exposes all of them
  • Keyboard sequences: "qwerty", "123456", "asdfgh", "zxcvbn"
  • Appending "1!" or "123" to a word to meet complexity requirements
  • Word+year patterns: "Cane2024", "Estate23!", "Admin2025"
  • Passwords under 16 characters — even complex ones fall quickly against a GPU; 16 is the minimum, 20+ is the target

Use a password manager

Bitwarden (free, open source) generates truly random unique passwords of 20+ characters for every site. You only need to remember one strong master password — itself ideally a 5-word passphrase. It also monitors your saved accounts against known breach databases and alerts you automatically.

Two-factor authentication (2FA)

Even a perfect password can be stolen through phishing or server-side breaches. 2FA adds a second layer that stops attackers even when they have your password. Enable it on your email account first — it is the master key to every password reset link and everything else.

✨ What's new in v2
Leetspeak detection (p@ssw0rd, c4n3)
Keyboard walk detection (qwerty, asdf…)
200+ word dictionary (IT + EN)
Passphrase recognition & bonus scoring
Entropy analysis (bits)
Character composition bar
Real-time analysis while typing
GPU cluster crack time (worst-case)