Password Strength Tester

Score passwords with zxcvbn — the same engine Dropbox uses. Estimated crack times, weakness reasons, and concrete suggestions. Browser-only.

Scored locally. The password never leaves your browser. Saved-form autofill and password-manager hooks are explicitly disabled on this field.

Scoring engine: @zxcvbn-ts/core + English dictionary (MIT). Originally developed by Dropbox; the modern TypeScript fork is bundled with this page.

About this tool

Most "password strength" widgets are theatre. They look at length and character class diversity (does it have an uppercase? a number? a symbol?) and tell you "Strong!" if you tick the boxes. The boxes don't measure resistance to attackers — they measure compliance with a legacy rule from a 2003 NIST publication that the same NIST has since retracted.

zxcvbn measures something different: the estimated number of guesses an informed attacker would make to find your password. It checks against a 30,000-word dictionary of common passwords and English words, recognizes common letter substitutions (`a→@`, `e→3`, `o→0`, `s→$`), detects keyboard walks (`qwerty`, `1q2w3e`), repeated characters (`aaaa`), date patterns (`birthday1985`), and sequence patterns (`abcdef`, `123456`). Every pattern it finds is backed out of the naive entropy estimate, so the reported guess count reflects only what an attacker would still have to search.

The score from 0 to 4 maps to estimated guess count: 0 is under 10³ guesses (cracked in milliseconds even with rate limiting). 1 is 10³ to 10⁶ (online attack would crack in hours). 2 is 10⁶ to 10⁸ (online unthrottled would crack in days). 3 is 10⁸ to 10¹⁰ (offline fast-hash attack still feasible). 4 is over 10¹⁰ guesses (genuinely resistant to all the attack scenarios listed). Aim for 4 on anything that protects valuable data.

What the scoring CAN'T do. zxcvbn doesn't know if your password has been leaked in a data breach. A password might score 4/4 here and still be in a breach corpus that an attacker already has. For breach checking, use Have I Been Pwned's password API (which uses k-anonymity so the password itself never leaves your device) — that's a different tool and a different question. zxcvbn answers "if an attacker were guessing fresh, how long would it take?", not "is this password already known to attackers?".

Privacy. The scoring library and its dictionaries load with this page. Once loaded, no further network requests fire as you type. The password lives in component state for the lifetime of the tab and is not stored to URL hash, localStorage, or cookies. The input field has every "save this password" hook the browser recognizes explicitly disabled (`autocomplete="off"`, password manager opt-out attributes) so testing a real password here doesn't pollute your saved-password store.

Frequently asked questions

Is my password sent anywhere when I type it?

No. The scoring runs entirely in JavaScript loaded with this page. The password text stays in component state inside your browser tab. There is no fetch, no XHR, no WebSocket — open DevTools → Network tab and confirm no requests fire as you type.

How does zxcvbn compare to "must have a number, symbol, and uppercase" rules?

Composition rules are bad. They optimize for satisfying a regex, not for resisting attackers. zxcvbn measures actual estimated guess count by simulating dictionary attacks, common substitutions (a→@, e→3), keyboard walks, repeated characters, and date patterns. A password like "P@ssw0rd1" satisfies most composition rules but scores 0–1 in zxcvbn because every transformation it uses is in the attacker's playbook.

What do the four crack-time scenarios mean?

Online throttled: a typical login form that limits guesses (banks, Google). Online unthrottled: a poorly-protected web service or SMS verification flow. Offline slow hash: an attacker who has stolen a password database protected with bcrypt or scrypt. Offline fast hash: the same database protected with MD5 or unsalted SHA-1 — what most breaches leak. Optimize for "offline fast hash" because that's what gets dumped on pastebin.
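The matching-and-scoring path described under "About this tool" and the four crack-time scenarios above, condensed into one added example (not the page's or zxcvbn's own code). The tiny dictionary, its ranks and the brute-force simplifications are constructed for illustration; the score bands are the ones stated on this page, and the per-scenario guess rates are those of the zxcvbn reference implementation rather than values stated here.

```javascript
// Added example (not the page's or zxcvbn's own code): a deliberately small model of
// how zxcvbn turns a dictionary match with leet substitutions into a guess count,
// then into the 0-4 score and the crack-time scenarios described on this page.
// Dictionary ranks below are constructed for illustration (zxcvbn ships ~30,000 words).
const DICT = new Map([["password", 1], ["123456", 2], ["qwerty", 3], ["letmein", 4]]);
// Subset of the substitution table quoted on the page.
const L33T = { "@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s", "!": "i" };

// Guesses for one dictionary token: rank * uppercase variations * leet variations.
// Simplified from zxcvbn: all-lower = 1, capitalised or all-caps = 2, mixed = 2^min(U,L);
// each distinct substitution doubles the count.
function tokenGuesses(token, rank) {
  const upper = token.replace(/[^A-Z]/g, "").length;
  const lower = token.replace(/[^a-z]/g, "").length;
  const capital = lower === 0 || (upper === 1 && /^[A-Z]/.test(token));
  const upperVars = upper === 0 ? 1 : capital ? 2 : 2 ** Math.min(upper, lower);
  const subs = new Set([...token].filter(c => c in L33T));
  return rank * upperVars * 2 ** subs.size;
}

// Find the single dictionary token (after unleeting) that covers the most characters;
// everything outside it is treated as brute force at 10 guesses per character (simplified).
function estimateGuesses(pw) {
  const plain = [...pw.toLowerCase()].map(c => L33T[c] ?? c).join("");
  let best = null;
  for (let i = 0; i < plain.length; i++)
    for (let j = plain.length; j > i; j--) {
      const rank = DICT.get(plain.slice(i, j));
      if (rank !== undefined && (!best || j - i > best.j - best.i)) best = { i, j, rank };
    }
  if (!best) return 10 ** pw.length;
  const rest = pw.length - (best.j - best.i);
  return tokenGuesses(pw.slice(best.i, best.j), best.rank) * 10 ** rest;
}

// Score bands as stated on this page: <1e3 -> 0, <1e6 -> 1, <1e8 -> 2, <1e10 -> 3, else 4.
function scoreFor(guesses) {
  return [1e3, 1e6, 1e8, 1e10].filter(t => guesses >= t).length;
}

// Crack times in seconds for the four scenarios, using the guess rates the zxcvbn
// reference implementation assumes (100/hour, 10/s, 1e4/s, 1e10/s).
function crackTimes(guesses) {
  return {
    onlineThrottled: guesses / (100 / 3600),
    onlineUnthrottled: guesses / 10,
    offlineSlowHash: guesses / 1e4,
    offlineFastHash: guesses / 1e10,
  };
}
```

With this model "P@ssw0rd1" costs 80 guesses (score 0), which is why the composition-rule favourite fails here, while an 8-character string with no dictionary hit lands in band 3.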

Why does my long password score only 3/4?

The score caps at 4 ("Very strong") around 10¹¹ guesses (a few minutes against fast offline hashing). Anything beyond that is irrelevant for typical attack budgets. A 12-character password from a fully random alphabet hits 4. Common-word passphrases hit 4 at around 4 to 5 words. zxcvbn does not score "infinity": beyond that point additional entropy changes nothing in practice, because the practical threshold has already been met.

What about quantum computers / future attacks?

zxcvbn measures resistance to current attacks. Symmetric password resistance is largely unaffected by quantum computers (Grover's algorithm only halves the effective key length, and we're already well beyond that margin for any password scoring 3+). The risks worth worrying about are credential stuffing from breaches and phishing — neither is mitigated by stronger passwords. Use unique passwords per site and a password manager.