How to Check Password Strength Free — Entropy & Crack Time (2026)
By Rui Barreira · Last updated: 18 June 2026
You can check password strength and entropy in your browser using brevio Password Strength Checker — your password never leaves your device. No data is transmitted.
What Makes a Strong Password?
A strong password is difficult to guess both by automated brute-force tools and by humans who know you. The two key factors are length and character variety. A longer password exponentially increases the number of possible combinations an attacker must try. Character variety — mixing uppercase, lowercase, numbers, and symbols — increases the size of the character set, which also multiplies the number of combinations.
Password Entropy Explained
Entropy, measured in bits, quantifies how unpredictable a password is. The formula is: entropy = log₂(charset_size^length), where charset_size is the number of possible characters at each position and length is the number of characters. Each additional bit of entropy doubles the number of guesses required to crack the password.
- A password using only lowercase letters (26 characters) has a charset of 26.
- Adding uppercase gives 52, numbers gives 62, and symbols gives approximately 94.
- An 8-character lowercase password: log₂(26⁸) ≈ 37.6 bits — crackable in hours on a modern GPU.
- A 12-character mixed password: log₂(94¹²) ≈ 78.7 bits — takes years even with dedicated hardware.
Crack Time Estimates
Crack time estimates depend on the attack scenario:
- Online attack. An attacker guessing passwords against a live login form. Rate-limiting typically restricts these to thousands of guesses per second. A 10-character mixed password is safe against online attacks indefinitely.
- Offline attack. An attacker who has stolen a password hash database and is cracking locally on GPUs. Modern GPUs can test billions of MD5 hashes per second. This is why password storage must use slow hashing algorithms (bcrypt, Argon2, scrypt).
- Targeted attack. An attacker who knows personal details about you (name, birthdate, pet names) can use that information to build a targeted wordlist. This attack bypasses entropy calculations entirely — it is the reason personal information should never appear in passwords.
Password Strength Guidelines
- Minimum 12 characters. NIST SP 800-63B guidelines (updated 2024) recommend at least 8 characters but security professionals recommend 12 or more.
- Use all four character classes. Uppercase, lowercase, digits, and symbols together maximise entropy per character.
- No personal information. Names, birthdays, addresses, pet names, and dictionary words dramatically reduce effective entropy.
- No keyboard patterns. qwerty, 123456, asdfgh are in every wordlist and are cracked instantly regardless of entropy calculations.
- Unique passwords per service. A strong password reused across multiple sites becomes weak if any one of those sites is breached and the hash is cracked.
Passphrases
A passphrase is a sequence of random words: correct horse battery staple (from XKCD 936). Four random common English words from a 7,776-word list have entropy of log₂(7776⁴) ≈ 51.7 bits — comparable to a random 9-character mixed password, but far easier to remember and type. Five words reach 64 bits; six words reach 77 bits. Passphrases are particularly good for master passwords (password manager, laptop encryption) where you must type from memory.
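The entropy formula, the crack-time scenarios, the keyboard-pattern caveat and the passphrase calculation above can be combined into one estimator. This is an added example, not brevio's code; the guess rates (1,000 per second online, one billion per second offline), the pattern list and all function names are assumptions chosen for illustration.

```javascript
// Added example. Guess rates and the pattern list are assumptions for illustration.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 32 }, // symbols; 26+26+10+32 = 94
];
const KNOWN_PATTERNS = ["qwerty", "123456", "asdfgh"]; // the three named in the article
const RATES = { online: 1e3, offline: 1e9 }; // guesses per second (assumed)

// Charset size = sum of the sizes of every character class present.
function charsetSize(pw) {
  return CLASSES.reduce((n, c) => n + (c.re.test(pw) ? c.size : 0), 0);
}

// entropy = log2(charset_size^length) = length * log2(charset_size)
function entropyBits(pw) {
  const size = charsetSize(pw);
  return size > 0 ? pw.length * Math.log2(size) : 0;
}

// Passphrase: `words` words chosen at random from a list of `listSize` words.
function passphraseBits(words, listSize = 7776) {
  return words * Math.log2(listSize);
}

// Average case: half of the 2^bits candidates tried at `rate` guesses per second.
function crackSeconds(bits, rate) {
  return Math.pow(2, bits - 1) / rate;
}

function assess(pw) {
  const bits = entropyBits(pw);
  const pattern = KNOWN_PATTERNS.find((p) => pw.toLowerCase().includes(p)) || null;
  return {
    formulaBits: bits,
    pattern,
    // The formula assumes random characters; a wordlist hit makes it meaningless.
    reliable: pattern === null,
    onlineSeconds: pattern ? 0 : crackSeconds(bits, RATES.online),
    offlineSeconds: pattern ? 0 : crackSeconds(bits, RATES.offline),
  };
}

console.log(assess("abcdefgh"), assess("Qwerty2024!"), passphraseBits(4).toFixed(1));
```

The crack times scale directly with the assumed rate, so a slow hash such as bcrypt or Argon2 lengthens the offline figure by lowering the offline rate.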
Password Managers
The most practical solution for strong, unique passwords across all accounts is a password manager (Bitwarden, 1Password, KeePass). These tools generate and store cryptographically random passwords of any length, eliminating both the memorability and uniqueness problems. You only need to remember one strong master passphrase. The brevio tool is useful for checking passwords you have created manually or for understanding what contributes to password strength.
Two-Factor Authentication
Even a strong password can be compromised through phishing, keyloggers, or data breaches. Two-factor authentication (2FA) — especially using an authenticator app (TOTP) rather than SMS — adds a second layer of protection that renders a stolen password useless without the second factor. Enable 2FA on every service that supports it, prioritising email, bank, and identity provider accounts.
Frequently Asked Questions
- What makes a strong password?
- Length and character variety are the two key factors. A longer password exponentially increases the number of combinations. Each additional bit of entropy doubles the number of guesses required to crack it. Minimum 12 characters with all four character classes (uppercase, lowercase, digits, symbols).
- What is password entropy?
- Entropy, measured in bits, quantifies how unpredictable a password is. The formula is: entropy = log₂(charset_size^length). An 8-character lowercase password has ~37.6 bits — crackable in hours on a modern GPU. A 12-character mixed password has ~78.7 bits — takes years.
- What is a passphrase?
- A passphrase is a sequence of random words (e.g. "correct horse battery staple"). Four random common English words have entropy of ~51.7 bits — comparable to a random 9-character mixed password, but far easier to remember. Five words reach 64 bits.