Your password stays in your browser
The very first thing to understand: your password is never sent anywhere. All analysis runs via JavaScript in your browser tab. There is no server-side call, no network request, no logging. You can even disconnect from the internet and the checker will still work.
zxcvbn breaks the password into patterns
The zxcvbn library (open-sourced by Dropbox) tokenizes your password into segments. It looks for dictionary words, names, common substitutions (like @ for a), keyboard walk patterns (like qwerty), date sequences, and more. Each segment is scored independently.
Guesses required is calculated
For each segment, zxcvbn estimates how many guesses an attacker would need to find it. These are combined to give a total "guesses" figure. This is far more meaningful than simple character-type counting, because it reflects how real attacks actually work — dictionary attacks come before brute force.
Crack time is estimated per scenario
The guesses figure is divided by different hardware speeds: throttled online attacks (~100/hr), unthrottled online (~10/sec), offline slow hashing (~10,000/sec, like bcrypt), and offline fast hashing (~10 billion/sec, like MD5/SHA1). This gives you four realistic time-to-crack numbers.
Score 0–4 and suggestions are generated
zxcvbn maps the guesses to a score from 0 (too guessable) to 4 (very unguessable). It also generates human-readable feedback — for example, warning you that "hunter2" is a common password or suggesting you add more random characters. We display all of this in real-time as you type.
The old way: character counting
Traditional meters give points for uppercase letters, numbers, and special characters. This leads to absurd results — P@ssw0rd! scores as "strong" on most meters despite being one of the first passwords attackers try. It measures complexity, not security.
The zxcvbn way: pattern matching
zxcvbn uses a corpus of millions of real-world passwords, names, common words, and keyboard patterns to estimate how many guesses an attacker would need. P@ssw0rd! gets a score of 0 because it matches known patterns, regardless of the character types used.
Massive dictionaries built in
The library includes the 10,000 most common English words, 10,000 common passwords from breach data, first and last names, US cities, English Wikipedia terms, and TV/movie words. These are compressed and shipped with the library — no server needed.
Leet-speak & keyboard walks detected
Substituting 3 for e, @ for a, or 0 for o adds almost no security. zxcvbn models these transformations and adjusts the guess count accordingly. Keyboard patterns like qwerty, zxcvbn, or 1qaz2wsx are also in the pattern library.
| Score | Label | Estimated Guesses | Real-world example | Recommendation |
|---|---|---|---|---|
| 0 | Very Weak | < 1,000 | password, 123456, qwerty | Change immediately |
| 1 | Weak | < 1,000,000 | P@ssw0rd, dragon1 | Significant improvement needed |
| 2 | Good | < 100,000,000 | Moderate length with variety | Acceptable for low-value accounts |
| 3 | Strong | < 10 billion | Random 12-char mix | Good for most accounts |
| 4 | Very Strong | 10 billion+ | Long random, good passphrase | Excellent — use a manager to store it |
🔢 Understanding Entropy
Entropy is a measure of unpredictability, expressed in bits. The more bits of entropy a password has, the harder it is to crack by brute force. It's calculated based on the size of the character set and the length of the password:
// Example: 16-char password using upper + lower + digits + special
charset_size = 26 + 26 + 10 + 32 = 94
Entropy = 16 × log₂(94) ≈ 16 × 6.55 ≈ 104.8 bits
However, entropy calculated this way is an upper bound — if your password contains patterns (dictionary words, repeats, keyboard walks), the effective entropy is much lower. That's exactly what zxcvbn corrects for: it measures the actual guesswork required, not the theoretical maximum.
As a rule of thumb, aim for at least 70–80 bits of effective entropy for important accounts. Our generator's default 16-character random password achieves this comfortably.
🌐 Online throttled
Represents a typical login form with rate limiting. Attackers submit guesses one by one over a web interface. Most sites block accounts after 5–10 failed attempts, so this is the most realistic scenario for most accounts.
🌐 Online unthrottled
A login endpoint with no rate limiting or lockout. Attackers can spam guesses freely. Unfortunately common on poorly-secured sites. Your password should survive at least this level.
💾 Offline slow hash
Represents an attacker who has stolen a database of passwords hashed with a slow algorithm like bcrypt, scrypt, or Argon2. These are deliberately slow to compute. Good sites use these.
⚡ Offline fast hash
Represents a database breach where passwords were hashed with a fast algorithm (MD5, SHA-1, unsalted SHA-256) — or stored in plaintext. Modern GPUs can test 10+ billion guesses per second. This is the worst case and your password's primary target.
See it in action
Try the checker with your own passwords and see exactly how the analysis plays out.
Open the Checker →