password-strength-checker
A password strength checker analyses a password against dictionaries, common patterns, keyboard walks, and date sequences β returning entropy in bits, an estimated cracking time at offline-attack speeds, and concrete suggestions to improve the password (longer, less predictable, fewer repeated patterns). The ZTools Password Strength Checker uses Dropbox's zxcvbn algorithm, the de facto industry standard, runs entirely in the browser (so the password never leaves your device), and gives a 0β4 score plus actionable feedback rather than the misleading "must contain a special character" theatre that does not actually measure strength.
Use casesβ
Setting your own master passwordβ
Picking a password manager master password matters. Test before locking it in; aim for score 4 + 80+ bits entropy + "centuries" estimated crack time.
Form-side strength meterβ
Sign-up forms guide users to stronger passwords. Embed zxcvbn-style feedback so users see why "Summer2026!" is weak β it matches a known pattern.
Audit company passwords during trainingβ
In a security training session, demonstrate why dictionary-based passwords fall in seconds. Use synthetic examples (never real shared ones).
Checking a leaked passwordβ
After a breach notice, test whether your replacement password is dramatically stronger than the old one. (Tip: also check at haveibeenpwned for known leaks.)
How it worksβ
- Type the password β Local-only field; password never sent anywhere. Keyboard input updates strength feedback live.
- zxcvbn analysis β Dictionary lookup (English + L33t variants), keyboard-walk detection, repeat / sequence detection, year detection.
- Read the score β 0 (terrible) to 4 (great). Plus entropy bits and estimated crack time at modern offline-attack speeds (~10 billion guesses/sec).
- Read suggestions β Concrete fixes: "add 3 more characters", "avoid common words", "do not end in a year".
- Improve and re-test β Iterate until score 4 and entropy β₯ 70 bits for a genuine master password.
Examplesβ
Input: Password123
Output: score=0, entropy=8 bits, crack_time=instant, suggestion="too common"
Input: correct horse battery staple
Output: score=4, entropy=44 bits, crack_time=centuries (4 random common words)
Input: Tr0ub4dor&3
Output: score=2, entropy=29 bits, crack_time=1 day (predictable substitution pattern)
Frequently asked questionsβ
Why does my "complex" password score low?
zxcvbn detects substitutions (aβ@, oβ0, etc.) and patterns (Capitalized + year + symbol). "Tr0ub4dor&3" looks complex but matches a known generation pattern, so attackers crack it quickly.
What is a good entropy target?
60+ bits for individual accounts, 80+ for master passwords or anything protecting many accounts. Each bit doubles the cracking time.
Are passphrases better than passwords?
Generally yes β 4 random common words ("correct horse battery staple") beats a typical 8-character password by orders of magnitude in both entropy and memorability.
Is the password sent to a server?
No. zxcvbn runs entirely in JavaScript in your browser. The password never crosses a network.
Should I rely on score 4 alone?
Score 4 is necessary but not sufficient. Also: never reuse passwords across sites, enable 2FA where available, store in a password manager.
What about quantum cracking?
Symmetric-key brute force is hardly affected by quantum (Grover gives a square-root speedup). 80+ bits remains safe for the foreseeable future. Asymmetric keys (RSA, ECC) are the ones at quantum risk.
Tipsβ
- Aim for passphrases of 4+ random common words plus one number / symbol β high entropy, easy to remember.
- Never reuse a master password anywhere else.
- Use a password manager to generate and store per-site unique passwords; only one master needs human memorisation.
- Add 2FA on every account that supports it β even a strong password is one breach away from leaking.
- Re-check master password strength annually as cracking hardware improves.
Try it nowβ
The full password-strength-checker runs in your browser at https://ztools.zaions.com/password-strength-checker β no signup, no upload, no data leaves your device.
Last updated: 2026-05-05 Β· Author: Ahsan Mahmood Β· Edit this page on GitHub