Password Checker

Understand what makes a truly strong password, learn common weaknesses to avoid, and test your password habits against modern security standards.

Why Passwords Still Matter

Despite advances in biometrics, passkeys, and multi-factor authentication, passwords remain the primary gatekeeper for the vast majority of online accounts. A weak password is like a flimsy lock on a front door — it may look like it is doing its job, but it offers little real resistance to someone determined to get in.

The reality is that attackers do not sit at a keyboard guessing your password one attempt at a time. Modern password cracking uses automated tools that can test billions of combinations per second. Passwords that feel clever or complex to a human — like P@ssw0rd! or Summer2024! — are trivially easy for these tools to break because they follow predictable patterns.

Understanding how password attacks work gives you the knowledge to create passwords that genuinely resist them.


How Passwords Get Compromised

Knowing the attack methods helps you understand why certain password practices matter more than others.

Brute Force Attacks

A brute force attack systematically tries every possible character combination until it finds the right one. Short passwords fall quickly to this approach. A six-character password using only lowercase letters has roughly 300 million possibilities — which a modern computer can exhaust in seconds. Adding length increases the possibilities exponentially: a 16-character password with mixed character types has more combinations than there are atoms on Earth.

Dictionary Attacks

Rather than trying random combinations, dictionary attacks use lists of common words, phrases, names, and known passwords. These lists include millions of passwords leaked from previous data breaches, common words in multiple languages, names, dates, and predictable patterns like "qwerty" or "123456."

Credential Stuffing

When a website is breached, the stolen usernames and passwords are compiled into massive databases. Attackers then automatically try these credentials across hundreds of other websites, betting that people reuse the same password. If you use the same password for your email and a small online forum, and that forum gets breached, your email is now at risk.

Social Engineering

Some attacks bypass the password itself and target the person. Phishing emails, fake login pages, and pretexting (impersonating IT support, for example) trick people into willingly handing over their credentials. No password strength can protect against voluntarily giving it away.


What Makes a Strong Password

Truly strong passwords share a few key characteristics. Focus on these principles rather than trying to memorize complex rules about special characters.

Length Is the Single Most Important Factor

Every additional character multiplies the number of possible combinations, so the total grows exponentially with length. A 20-character password made of common English words is dramatically stronger than an 8-character password filled with symbols. Security experts now recommend a minimum of 16 characters for important accounts, and longer is always better.

Randomness Defeats Pattern Recognition

Humans are predictable. We capitalize the first letter, put numbers at the end, and substitute "@" for "a" or "0" for "o." Attackers know this and their tools account for it. True randomness — whether from a password manager's generator or from randomly selecting words — is far harder to crack.

Uniqueness Prevents Cascade Failures

Every account must have its own unique password. When you reuse a password, you are only as secure as the weakest site in the chain. A breach at one service should not compromise all your other accounts.

The Passphrase Approach

One of the most effective and memorable methods for creating strong passwords is the passphrase: a sequence of four to six randomly selected words. For example, "correct horse battery staple" is both easier to remember and harder to crack than "Tr0ub4dor&3." The key is that the words must be truly random — not a meaningful phrase, song lyric, or quote.

To generate a random passphrase, you can use a word list and dice (known as Diceware), or let a password manager generate one for you. Avoid picking words that relate to each other or to your personal life.


Common Patterns to Avoid

Password cracking tools are specifically designed to exploit the patterns humans fall into. Here are the most common weaknesses to eliminate from your passwords:

Personal Information

  • Your name, spouse's name, children's names, or pet names
  • Birthdays, anniversaries, or graduation years
  • Street addresses, ZIP codes, or phone numbers
  • Favorite sports teams, bands, movies, or fictional characters
  • Your username, email address, or any part of it

Predictable Structures

  • Capital-lowercase-numbers-symbol — Patterns like Password123! follow the most commonly expected structure and are tried first in attacks
  • Keyboard walks — Sequences like qwerty, asdfgh, or zxcvbn are among the first patterns tested
  • Number sequences — Any pattern like 123456, 111111, or 654321
  • Leet speak substitutions — Replacing letters with similar-looking numbers or symbols (a to @, e to 3, s to $) adds almost no security because cracking tools routinely apply these transformations
  • Appending the year or a single digit — Adding the current year or "1" to the end of a word is extremely common and easily anticipated

Previously Breached Passwords

If a password has appeared in any previous data breach, it is effectively public knowledge. Attackers maintain comprehensive databases of every leaked password, and these are the first values tested in any attack. Common examples that appear in virtually every breach list include variations of "password," "letmein," "welcome," "monkey," "dragon," and hundreds of thousands more.


Test Your Password Knowledge

Use the interactive tool below to check how your passwords measure up against modern security standards. This tool runs entirely in your browser — nothing you type is ever transmitted or stored.



How Password Strength Is Measured

Password strength is often presented as a simple meter — red, yellow, green — but the underlying methodology is more nuanced. Understanding how strength is calculated helps you make better choices.

Entropy

In information security, entropy measures the unpredictability of a password. It is expressed in bits: the higher the bit count, the harder the password is to guess. Each bit of entropy doubles the number of possible combinations an attacker must try.

  • Below 28 bits — Very weak. Can be cracked almost instantly.
  • 28 to 35 bits — Weak. Vulnerable to targeted attacks.
  • 36 to 59 bits — Moderate. May resist casual attacks but not determined ones.
  • 60 to 127 bits — Strong. Resistant to most automated attacks.
  • 128 bits or above — Very strong. Computationally infeasible to brute-force with current technology.

Estimated Crack Time

A more intuitive metric is how long it would take for a modern cracking setup to guess the password. This depends on the hashing algorithm used by the site storing your password, the attacker's hardware, and the password's entropy. Reputable password strength tools estimate crack time under realistic attack scenarios.
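
The following JavaScript is an added example, not the code behind this page's tool. It computes entropy for randomly generated passwords and Diceware passphrases, maps the result to the bands listed above, and estimates crack time; the two guess rates and the sample cases are assumptions chosen for illustration.

```javascript
// Added example. Entropy here assumes every symbol is chosen uniformly at random;
// it says nothing about human-chosen passwords, which are far more predictable.
const entropyBits = (length, poolSize) => length * Math.log2(poolSize);

// Bands as listed in the Entropy section (fractional values fall into the lower band).
function band(bits) {
  if (bits < 28) return "Very weak";
  if (bits < 36) return "Weak";
  if (bits < 60) return "Moderate";
  if (bits < 128) return "Strong";
  return "Very strong";
}

// Expected time to hit the right guess: half the search space at a given rate.
const secondsToCrack = (bits, guessesPerSecond) => 2 ** (bits - 1) / guessesPerSecond;

function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// Assumed guess rates (illustrative, not measurements): a fast hash cracked
// offline versus a deliberately slow password hash.
const RATES = { fastHash: 1e10, slowHash: 1e4 };

// Constructed cases: [label, length, pool size]. 7776 is the Diceware list size (6^5).
const CASES = [
  ["6 lowercase letters", 6, 26],
  ["8 printable ASCII", 8, 95],
  ["16 printable ASCII", 16, 95],
  ["4 Diceware words", 4, 7776],
  ["6 Diceware words", 6, 7776],
];

function report() {
  return CASES.map(([label, length, pool]) => {
    const bits = entropyBits(length, pool);
    return { label, bits: Math.round(bits), band: band(bits),
             fast: humanize(secondsToCrack(bits, RATES.fastHash)),
             slow: humanize(secondsToCrack(bits, RATES.slowHash)) };
  });
}
console.table(report());
```

The formula applies only to secrets produced by a random generator. A human-chosen password such as P@ssw0rd! would score about 59 bits by this calculation while being among the first guesses a cracking tool tries.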

Pattern Detection

Advanced strength checkers go beyond counting character types. They analyze your password for dictionary words, common substitutions, spatial patterns (keyboard walks), repeated characters, sequences, dates, and known breached passwords. A password that looks complex on the surface but follows predictable patterns will score poorly under this analysis.
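
As an added illustration (not this site's checker), the JavaScript below flags several of the patterns named above in passwords quoted on this page. The word list, substitution table and pattern names are small constructed samples, and a real checker would use far larger lists.

```javascript
// Added example, not the site's checker. COMMON and LEET are small constructed
// samples; a real checker would load a large breached-password list instead.
const COMMON = ["password", "summer", "letmein", "welcome", "monkey", "dragon"];
const LEET = { "@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s", "1": "l" };
const KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"];
const SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz"];

const deleet = (s) => s.replace(/./g, (c) => LEET[c] || c);
const stripTail = (s) => s.replace(/[^a-z]+$/, ""); // drop appended digits and symbols
const reversed = (s) => [...s].reverse().join("");

// True if any n consecutive characters of s lie along one row, in either direction.
function hasRun(s, rows, n) {
  for (let i = 0; i + n <= s.length; i++) {
    const w = s.slice(i, i + n);
    if (rows.some((r) => r.includes(w) || reversed(r).includes(w))) return true;
  }
  return false;
}

function findPatterns(password) {
  const lower = password.toLowerCase();
  const found = [];
  // Undo substitutions both before and after trimming the tail, so that
  // "P@ssw0rd!" and "welc0m3" both reduce to a listed word.
  const cores = [deleet(stripTail(lower)), stripTail(deleet(lower))];
  if (cores.some((c) => COMMON.includes(c))) {
    found.push("common word");
    if (!COMMON.includes(stripTail(lower))) found.push("leet substitution");
  }
  if (hasRun(lower, KEY_ROWS, 4)) found.push("keyboard walk");
  if (hasRun(lower, SEQUENCES, 3)) found.push("sequence");
  if (/(.)\1{2,}/.test(lower)) found.push("repeated character");
  if (/(19|20)\d\d\W*$/.test(password)) found.push("appended year");
  if (/^[A-Z][a-z]+\d+[^A-Za-z0-9]*$/.test(password)) found.push("capital-lowercase-digits-symbol");
  return found;
}

// Passwords quoted on this page, plus one constructed random string.
for (const pw of ["P@ssw0rd!", "Summer2024!", "Password123!", "qwerty", "654321", "vR7#kLq2Zx"]) {
  console.log(pw.padEnd(14), findPatterns(pw).join(", ") || "no pattern found");
}
```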


Password Manager Essentials

The practical reality is that no human can memorize dozens of unique, random, long passwords. This is exactly the problem that password managers solve. A password manager is a secure vault that generates, stores, and auto-fills your passwords so you only need to remember one master password.

What a Password Manager Does

  • Generates strong passwords — Creates truly random passwords of any length for each account
  • Stores them securely — Encrypts your password vault with strong encryption, protected by your master password
  • Auto-fills credentials — Fills in your username and password on websites and apps, reducing the risk of phishing (it will not auto-fill on a fake site)
  • Syncs across devices — Makes your passwords available on your phone, laptop, and tablet
  • Alerts you to breaches — Many managers notify you if a saved password appears in a known data breach

Choosing a Master Password

Your master password is the one password you must memorize, and it must be exceptionally strong. Use a passphrase of five to seven truly random words. Practice typing it until it becomes muscle memory. Do not write it down anywhere digital. If you must write it down temporarily while memorizing it, store the paper in a physically secure location and destroy it once memorized.


The Future of Authentication

The industry is moving toward passwordless authentication through technologies like passkeys. Passkeys use public-key cryptography to authenticate you without a shared secret that can be stolen. They are phishing-resistant, unique to each site, and stored securely on your devices.

While passkeys are not yet universally available, they represent the future of account security. As more services adopt them, you should enable passkeys wherever possible. In the meantime, strong unique passwords combined with two-factor authentication remain the gold standard.

Regardless of how authentication evolves, understanding what makes credentials strong and how attacks work will remain valuable knowledge. The principles of randomness, length, and uniqueness apply to any authentication system.


Quick Reference: Password Best Practices

Essential Password Practices

  • Use a password manager for all your accounts (Beginner)
    A password manager generates, stores, and auto-fills strong unique passwords so you only need to remember one master password. Popular options include Bitwarden, 1Password, and KeePass.
  • Generate random passwords of at least 16 characters (or four-plus random words for passphrases) (Beginner)
    Length is the most important factor in password strength. Let your password manager generate truly random passwords — they are exponentially harder to crack than anything a human would create.
  • Never reuse a password across multiple accounts (Beginner)
    Credential stuffing attacks use leaked passwords from one breach to try logging into thousands of other sites. If you reuse passwords, one breach compromises every account sharing that password.
  • Enable two-factor authentication everywhere it is available (Beginner)
    MFA adds a second verification step that protects you even if your password is stolen. Enable it on every account that supports it, starting with email and financial accounts. See our MFA guide.
  • Prefer authenticator apps or hardware keys over SMS for 2FA (Intermediate)
    SMS codes can be intercepted through SIM swapping attacks. Authenticator apps like Google Authenticator or Authy generate codes locally on your device. Hardware keys like YubiKey offer the strongest phishing-resistant protection.
  • Check if your email appears in known data breaches and change affected passwords immediately (Beginner)
    Free services can check if your email has appeared in known breaches. If you find compromised credentials, change those passwords immediately and enable MFA. See our identity theft prevention guide.
  • Never share passwords via email, text message, or chat (Beginner)
    Messages can be intercepted, stored in server logs, or accessed if either account is compromised. If you must share a credential, use your password manager's secure sharing feature, which encrypts the data end-to-end.
  • Enable passkeys on accounts that support them (Intermediate)
    Passkeys use public-key cryptography tied to your device, making them immune to phishing and credential stuffing. Major services like Google, Apple, and Microsoft now support passkeys — enable them wherever available as a stronger alternative to passwords.
  • Update your password manager and browser regularly (Beginner)
    Security tools need their own updates to stay effective. Enable automatic updates for your password manager and browser to ensure you have the latest security patches and features.
  • Treat your master password like the key to your entire digital life — because it is (Beginner)
    Your master password unlocks every credential in your vault. Use a passphrase of five or more truly random words, memorize it thoroughly, and never store it digitally. If someone cracks your master password, they have access to everything.

Next Steps

Now that you understand what makes passwords strong and where common weaknesses lie, take action:

  • Protect — Follow our step-by-step guides to set up a password manager and enable two-factor authentication across your accounts.
  • Security Check — Evaluate the broader security measures protecting your digital life beyond just passwords.
  • Digital Audit — Conduct a full inventory of your online accounts to ensure every one is protected.
  • Learn — Explore the foundational principles of digital security and privacy.

Content last reviewed: February 2026