loot.tools

Password Strength Checker

Type or paste a password and get an honest read on it: a strength rating, an entropy figure in bits, the size of the character pool it draws from, and a rough time-to-crack against a fast offline attack. It flags the things that make a password easy to guess - too short, only one type of character, repeated runs, sequences like abc or 123, and the passwords that top every breach leak - and tells you exactly how to fix them. Nothing is sent anywhere, hashed against a service, or saved, so it's safe to test a password you actually use.

Type or paste a password to see how strong it is. It's checked right here in your browser - nothing is sent anywhere or saved.

Results shown: Strength, Length, Entropy (bits), Character pool, Time to crack.

Time to crack is a rough estimate against a fast offline attack (10 billion guesses a second). A slow, well-salted hash buys you far longer.

How the rating is worked out

The score starts from entropy - the length of the password times the bits each character carries, based on which character types it uses (lowercase, uppercase, digits, symbols). Then it discounts the predictable stretches: a run of the same character or a straight sequence like 1234 adds almost nothing real, so those characters are dropped from the count. A password that shows up on common-leak lists is capped at the bottom no matter how it looks.

What the crack time means

The estimate assumes an attacker who has stolen a password database and is guessing offline against a fast hash - around 10 billion tries a second on commodity hardware. That's a deliberately pessimistic setup. A site that uses a slow, salted hash like bcrypt or Argon2 would take orders of magnitude longer, so treat the number as a worst case, not a promise.
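The scoring from "How the rating is worked out" and the crack-time estimate above, as an added JavaScript example that is not the site's own code. The pool sizes, the rule that a run of three or more repeated or sequential characters counts once, the sample common-password list, and timing the full keyspace are all assumptions.

```javascript
// Added illustration, not the site's code. Pool sizes, the run rule, the
// sample list and full-keyspace timing are assumptions.
const GUESSES_PER_SECOND = 1e10; // the page's "10 billion guesses a second"
const COMMON = new Set(["password", "123456", "qwerty", "letmein"]); // constructed sample

// Size of the alphabet implied by the character types present.
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33; // printable ASCII symbols incl. space
  return pool;
}

// Characters that still count after discounting predictable stretches:
// a run of 3+ repeated (aaa) or sequential (abc, 321) characters counts once.
function effectiveLength(pw) {
  const c = Array.from(pw, (ch) => ch.codePointAt(0));
  let count = 0;
  for (let i = 0; i < c.length; count++) {
    let end = i; // last index of the run that starts at i
    const step = c[i + 1] - c[i]; // NaN on the final character
    if (step === 0 || step === 1 || step === -1) {
      end = i + 1;
      while (end + 1 < c.length && c[end + 1] - c[end] === step) end++;
    }
    i = end - i + 1 >= 3 ? end + 1 : i + 1; // skip the run, or advance by one
  }
  return count;
}

function analyse(pw) {
  const pool = poolSize(pw);
  const common = COMMON.has(pw.toLowerCase());
  // Leaked passwords are capped at the bottom regardless of their shape.
  const bits = common || pool === 0 ? 0 : effectiveLength(pw) * Math.log2(pool);
  const seconds = Math.pow(2, bits) / GUESSES_PER_SECOND; // time to try every guess
  return { length: pw.length, pool, bits, seconds, common };
}

// Constructed sample inputs.
for (const pw of ["password", "aaaa1234", "Tr0ub4dor&3"]) {
  const r = analyse(pw);
  console.log(pw, r.pool, r.bits.toFixed(1) + " bits", r.seconds.toExponential(2) + " s");
}
```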

Why it's safe to use

Everything runs in your browser with JavaScript - the password never leaves the page, isn't logged, and isn't checked against any online list. There's no network request involved at all. That's the whole point: you can paste a password you genuinely rely on and find out whether it holds up, without trusting a server with it.