ZenovayTools

Password Strength Meter

Analyze password strength in real time. Check entropy, crack time estimates, character set diversity, and get actionable suggestions to make passwords stronger.

How to Use Password Strength Meter

  1. 1Type or paste a password into the input field.
  2. 2See the strength score, entropy bits, and crack time estimate.
  3. 3Review which character sets are used (uppercase, lowercase, digits, symbols).
  4. 4Follow the suggestions to create a stronger password.
Zenovay

Privacy-first analytics for your website

Understand your visitors without invasive tracking. GDPR compliant, lightweight, and powerful.

Explore Zenovay

Related Tools

Password GeneratorGenerate strong, random passwords with customizable length, characters, and complexity.
Password Strength CheckerCheck how strong your password is. Get an estimated crack time and improvement suggestions.
HMAC GeneratorGenerate HMAC signatures using SHA-256, SHA-384, or SHA-512 with the Web Crypto API.
AES Encryption/DecryptionEncrypt and decrypt text using AES-GCM with PBKDF2 key derivation. Runs entirely in your browser.

Frequently Asked Questions

How is password strength calculated?
Password strength is primarily measured by entropy: the number of bits needed to represent all possible passwords of that type. Formula: entropy = log2(charsetSize^length) = length × log2(charsetSize). A password using 72 characters (mixed case + digits + symbols) that is 12 characters long has ~72 bits of entropy. Each additional character multiplies the keyspace by the charset size — length matters more than complexity for entropy.
What is a good password entropy?
NIST (SP 800-63B) and security researchers recommend at least 80 bits of entropy for sensitive accounts. Common thresholds: <28 bits = very weak (trivially cracked), 28-35 = weak, 36-59 = fair (hours to crack with GPU), 60-79 = strong (years to crack), 80+ = very strong (centuries). Modern GPUs can test billions of passwords per second. Password managers that generate 20+ character random passwords typically exceed 128 bits.
Why is password length more important than complexity?
Adding one character multiplies the search space by the charset size (~26-95 depending on charset). Adding a symbol class adds ~33 characters to the charset, but that only multiplies space by about 2.5×. Adding one more character to a 10-char password multiplies space by 95×. A 16-character lowercase-only password has ~75 bits of entropy — more than an 8-character "complex" password (52 bits). NIST now recommends length requirements over complexity rules.
What patterns make passwords weak?
Common weak patterns: dictionary words ("password", "dragon"), keyboard walks ("qwerty", "123456"), dates ("01011990"), names + numbers ("Alice2024"), leet substitutions ("p@ssw0rd" — these are in cracker dictionaries), repeated characters ("aaaaaa"), very short passwords (<8 chars). Modern crackers use pattern-aware attacks (Hashcat rules) that try these transformations, so "complex" but patterned passwords are weaker than they appear.
What is the difference between hashing algorithms for passwords?
Password hashing algorithms are intentionally slow to resist brute-force attacks. MD5/SHA-1/SHA-256: fast hash functions — NOT suitable for passwords (GPUs do billions/sec). Bcrypt: designed for passwords, work factor 10-14 recommended (~100-1000ms). Argon2 (winner of Password Hashing Competition 2015): memory-hard, current best practice. scrypt: memory-hard like Argon2. PBKDF2: FIPS-compliant, used in WPA2. The slower the hash, the harder to crack — even weak passwords are protected better by strong hashing.