🌐
PasswordMonster
passwordmonster.com › home
Password Strength Meter
March 3, 2022 - How strong are your passwords? Test how secure they are using the My1Login Password Strength Test.
🌐
Bitwarden
bitwarden.com › password-strength
Password Tester | Test Your Password Strength | Bitwarden
In seconds, they help you determine whether or not your passwords are strong enough to protect your online subscriptions, such as your bank account. ... Specifically, a strength tester measures how long it would take someone else (or, more commonly, an automated computer program) to brute force an attack using every possible letter, number, and special character combination until they crack it.
Videos
16:05
🌐 YouTube
Password Strength Checker in Python - YouTube
January 23, 2022
08:52
🌐 YouTube
Python Project for Beginners: Password Strength Checker Tutorial ...
January 14, 2025
🌐 facebook.com
Test the strength of your password with our new online tool. ...
18:37
🌐 YouTube
Password Strength Checker in Python | Full Python Project (with ...
October 31, 2023
11:46
🌐 YouTube
How To Make Password Strength Indicator Using HTML CSS ...
May 17, 2023
04:48
🌐 YouTube
Check the Strength of a Password Using Python - YouTube
May 9, 2023
View all
View all
🌐
Kaspersky
password.kaspersky.com
Password Checker & Secure Random Password Generator | Kaspersky
Is your password at risk? Check now and generate a strong one in seconds. We do not collect or store your passwords.
🌐
Security.org
security.org › home › how secure is my password? | password strength checker
How Secure Is My Password? | Password Strength Checker | Security.org
October 14, 2020 - Check how secure your password is using our free online tool. How long would it take a supercomputer to crack your password?
🌐
NordPass
nordpass.com › secure password
How Secure Is My Password? | NordPass
It analyzes the syntax of your password and informs you about its weaknesses. It also checks the database of breached passwords and flags your passwords if they have been compromised in a brute-force or dictionary attack.
🌐
Computer Science Field Guide
csfieldguide.org.nz › en › interactives › password-strength-brute
Password Strength - Brute Force - Computer Science Field Guide
Please do not enter real passwords into this activity. ... This shows how long a brute force attack, trying every possible combination, would take to crack your password. It estimates the time based on how long your password is, and what sort of characters are in it.
🌐
UIC
uic.edu › apps › strong-password
Password Meter - A visual assessment of password strengths and weaknesses
This strength tester runs on your local machine and does not send your password over the network · Additional points are given for increased character variety. Final score is a cumulative result of all bonuses minus deductions. Final score is capped with a minimum of 0 and a maximum of 100.
🌐
Antivirus
antivirus.promo › password-strength-checker
Password strength checker. Test your password
Use this password strength checker to test your password. It shows real-time feedback and tips to create strong passwords. We calculate password complexity, entropy, brute force time, and check in blacklists.
🌐
GitHub
github.com › ravisorg › Mellt
GitHub - ravisorg/Mellt: A brute force password checker that returns a meaningful number describing the real world strength of your password
A brute force password checker that returns a meaningful number describing the real world strength of your password - ravisorg/Mellt
Starred by 82 users
Forked by 24 users
Languages   JavaScript 80.5% | Python 6.7% | PHP 6.5% | Ruby 6.3%
Find elsewhere
🌐
Online-domain-tools
password-checker.online-domain-tools.com
Password Checker - Evaluate pass strength, dictionary attack
More accurately, Password Checker Online checks the password strength against two basic types of password cracking methods – the brute-force attack and the dictionary attack. It also analyzes the syntax of your password and informs you about its possible weaknesses.
🌐
IDStrong
idstrong.com › tools › password-strength-checker
Password Strength Checker | Test Your Password Security - IDStrong
November 11, 2022 - Password brute-forcing is a systematic trial-and-error process of trying out all possible combinations of characters until finding the “correct password”. It’s an exhaustive search based on great computing powers and huge databases of ...
🌐
Comparitech
comparitech.com › accueil › privacy security tools › password strength test
Password Strength Test & Strong Password Generator Tool
January 5, 2019 - For passwords of at least 12 characters: Once the password string is obtained, a strength check is performed.
🌐
GRC
grc.com › haystack.htm
GRC's | Password Haystacks: How Well Hidden is Your Needle?
. . or enough later? This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search.
🌐
Stack Exchange
security.stackexchange.com › questions › 6499 › best-password-strength-checker
brute force - Best password strength checker - Information Security Stack Exchange
Top answer
1 of 11
13

In theory, password strength checkers do not work. That's because the strength of a password does not depend upon the password value (which you give to the checker) but upon the password generation process (which you do not formalize often, let alone enter in the checker).

In practice, password strength checker use a set of rules which describe common password generation methods; they then tell you how long your password would resist if the attacker uses exactly the same rules. But the attacker does not use exactly the same rules. The attacker is after you; he knows you (if you are attacked only by people who do not know you, then you can consider yourself very lucky -- or very uninteresting). Therefore, the attacker will amend his password brute-force methods so as to target your psyche, your probable password generation methods.

Password strength checkers are good at telling you how robust your password is against incompetent attackers. This has some value, if only because there are so many incompetent wannabe hackers. But it would be a mistake to rely too much on such tools.

2 of 11
9

Synthesizing the answers here, and from looking at the code for several of the (Javascript) password quality checkers, I don't believe there is a checker that fully meets the criteria.

Specifically, while there are several that use wordlists and several that special-case l33t-speak, there are none that do both together in a way that parallels JtR and similar "audit" tools. So "Christmas" is spotted, but the almost-as-insecure "Chr1stm4$" gets a free pass.

Where wordlists are used (Microsoft, Rumkin, How Secure ...), they are generally relatively small. How Secure ... and Rumkin each have ~10K, while JtR has millions of words (across multiple languages).

Also, none of the checkers I found treats the common "append digit/symbol" pattern as any different from "randomly mixed charsets".

If someone wants to extend one of the existing checkers, it probably wouldn't be too hard. Rumkin would be a good place to start (and is GPL licensed), by adding a "de-l33t-ify" step before both the dictionary check and the trigraph frequency lookup. One would also want to add some assumed factor in to reflect the fact that Chr1stma5 is not quite as easy to crack as christmas, e.g. by treating "l33t-ified" as a slightly bigger character set than "letters".

For a corporate environment, spending the time to implement a password change policy of "you get to keep your password until JtR guesses it" (combined with good advice on creating strong passwords/passphrases) would probably be a better persuader -- employees are a captive audience who need to always be able to log in, and people find forced password changes annoying so would soon learn not to use weak passwords (except the CIO who would demand an exemption...). That approach won't work with a public website where irritating your customers may drive them to (less secure!) competitors, though.

🌐
Reddit
reddit.com › r/lastpass › question about brute force attacks and password strength
r/Lastpass on Reddit: Question about brute force attacks and password strength
September 30, 2022 -

According to an online password strength checker, my master password would take a computer 2 hundred octillion years to crack (not sure whether this is a super computer or normal one). It's unique and not used on any other sites. I'm planning to switch from last pass out of principle given the massive security breach but am I right to feel 100% confident that my master password can't be cracked by brute force, or is it not that simple?

Top answer
1 of 5
3
It’s a risk game, you can never be 100% confident. Even if you had a 1000 character password it is possible for hackers to guess it first time. HIGHLY unlikely, but possible. Online strength checkers are often assuming your password is entirely random to calculate the brute force years which in most cases not realistic. For example, a 12-char password if it was entirely random across all 95 AASCI chars, would be secure (millions of years) but ‘My Passw0rd!’ (also 12-char) would be many, many times quicker to crack. Any password that had any patterns would be significantly weaker than random. Search ‘zxcbn password check’ for a password checker that also looks for patterns. Not fool proof but better than most. Personally I would cut the number of guesses it says by a factor of 1000. DO NOT enter your actual password, rather enter a different one that uses the same pattern(s). And cut your internet after the site has loaded to do the check, and then clean your cookies before re-activating.
2 of 5
1
Nothing about this situation should give you 100% confidence.
🌐
Zhredder
zhredder.github.io › PasswordStrengthChecker
Password Strength Checker | PasswordStrengthChecker
A dynamic web application that calculates and visually displays real-time password strength by estimating brute-force time across different computing platforms, from retro machines to quantum computers.
🌐
Mystrongpassword
mystrongpassword.com › passwordmeter.html
Password Strength Checker | Check How Long to Crack Any Password
The tool evaluates your password based on length, character variety (uppercase, lowercase, numbers, symbols), and calculates an estimated time to crack it using brute-force methods.
🌐
MakeUseOf
makeuseof.com › home › security › how strong is your password? use these 4 tools to find out
How Strong is Your Password? Use These 4 Tools to Find Out
March 30, 2021 - The algorithm checks your password security and calculates the estimated time it would take to brute-force your password on an average PC. The algorithm is strong enough to detect dictionary words and common combinations of characters in your password.
🌐
Reddit
reddit.com › r/sysadmin › reliable strength test for master password
r/sysadmin on Reddit: Reliable Strength Test for Master Password
December 31, 2022 -

In light of the recent LastPass breech I looked at different strength test websites to see how long a password would hold up under a offline brute-force attack.

The password I tried was: Aband0nedFairgr0und

This is a a 19 character password with a combination of uppercase/lowercase/numbers (no special characters)

I went to 5 different password strength sites and they all give me wildly different results for how long it would take to crack.

https://www.security.org/how-secure-is-my-password/9 quadrillion years
https://delinea.com/resources/password-strength-checker36 quadrillion years
https://password.kaspersky.com/4 months
https://bitwarden.com/password-strength/1 day

As you can see the results are all over the place!

Can anyone recommend the best/ most upto date resource to check password strength. I am sure people with bitcoin mining farming GPUS can crunch 100s of guesses per second.

PS: Dont worry, Aband0nedFairgr0und is not a password I use and was made up as a test.

Top answer
1 of 5
13
They are clearly making some different assumptions. By raw brute force this would take a while. But these are two dictionary words with common letter to number substitutions and no special characters. A wordlist plus mutations (o->0, l->1, etc) would make this a lot faster than raw brute force. I personally feel that Aband0nedFairgr0und is about as secure as AbandonedFairground which is easily taken care of by running a dictionary attack with two words against this. The first link seems to only use brute force estimation because it doesn't flag your result lower when you use a word like password instead of random letters like akdudlqu.
2 of 5
4
YouCouldJustMakeaShortSentence!!
🌐
I.T.WORKS!
itworks.us.com › home › password strength test
Password Strength Test | I.T.WORKS!
December 15, 2021 - The hackers use a program to cycle through all possible passwords until it finds the one that “opens the lock.” Standard “brute force” programs output 100 BILLION guesses/second.