How Password Strength Checkers Work (And Can You Trust Them?)

~/sheets/password-strength-checker-how-it-works.md
That Password Meter Is More Complex Than You Think
You have seen them everywhere — those colored bars that turn from red to green as you type a password. But how do they actually measure strength? Are they accurate? And most importantly, is it safe to type your real password into one? Let us break it all down.
Try it yourself: our Password Strength Checker runs entirely in your browser. Nothing is ever transmitted or stored.
How Password Strength Is Calculated
Modern password strength checkers go far beyond simply counting characters. The best ones use a combination of these methods:
Entropy Calculation
Entropy measures the mathematical randomness of a password, expressed in bits. The formula considers the size of the character set and the password length:
Lowercase only (26 characters): abcdefgh = ~37 bits of entropy
Mixed case (52 characters): AbCdEfGh = ~45 bits of entropy
Mixed case + numbers + symbols (95 characters): Ab3$eF7! = ~52 bits of entropy
14-character mixed: Vx8!nQ#2pL$mK7 = ~92 bits of entropy
Generally, 60+ bits is considered decent. 80+ bits is strong. 100+ bits is excellent. But entropy alone does not tell the full story.
Pattern Detection
Smart checkers identify patterns that reduce effective strength:
Dictionary words — "sunshine" has high raw entropy but is in every cracking dictionary
Keyboard patterns — "qwerty" and "asdfgh" are among the first things attackers try
Common substitutions — "p@ssw0rd" fools nobody. Crackers test these automatically.
Repeated characters — "aaaaaa" has almost zero effective entropy
Sequential numbers — "123456" is the most common password worldwide
Date patterns — "19901225" and similar dates are easily guessable
The best algorithm for this is zxcvbn, developed by Dropbox. It models how real attackers crack passwords by considering dictionaries, keyboard layouts, common names, dates, and substitutions. Our Password Strength Checker uses this approach.
Crack Time Estimation
The most useful metric is estimated crack time. This calculates how long a brute-force or dictionary attack would take based on:
The password's effective entropy after pattern detection
Modern GPU cracking speeds (10+ billion hashes per second for common algorithms)
The attack scenario: online (rate-limited) vs offline (no limits)
A good password should take centuries to crack in an offline attack. If yours shows minutes or hours, it needs to be changed.
Can You Trust Online Password Checkers?
This is the right question to ask. Here is how to evaluate any password checker:
Safe Checkers (Client-Side)
A trustworthy password checker runs entirely in your browser using JavaScript. Your password never leaves your device. You can verify this by:
Opening your browser's developer tools (F12) and checking the Network tab — no requests should fire when you type
Disconnecting from the internet and confirming the checker still works
Checking if the tool is open source so you can inspect the code
Our Password Strength Checker is fully client-side. Disconnect your internet and it works identically — proof that nothing is being sent anywhere.
Dangerous Checkers (Server-Side)
If a password checker sends your password to a server for analysis, you should not trust it unless you fully trust the operator. Warning signs include:
The tool requires an internet connection to work
Network requests fire when you type
The tool asks you to create an account first
There is no clear privacy policy
What About Breach Database Checks?
Some checkers, like Have I Been Pwned, check if your password has appeared in known data breaches. These use a clever technique called k-anonymity: they hash your password, send only the first 5 characters of the hash to the server, and receive back all matching hashes. The comparison happens locally, so the server never sees your actual password or its full hash.
This is safe and useful. If your password appears in a breach database, it is in every cracker's dictionary and should be changed immediately, regardless of its theoretical strength.
Limitations of Password Strength Checkers
Even the best checker cannot account for everything:
Social engineering — no meter can know that "fluffy2015" is your cat's name and birth year, easily found on social media
Targeted attacks — if someone researches you specifically, personal details become weak password components
Phishing — the strongest password in the world is useless if you type it into a fake login page. Enable two-factor authentication to defend against this.
Keyloggers — malware on your device captures passwords regardless of strength
A password strength checker tells you whether your password resists automated cracking. For complete security, you also need 2FA, a password manager, and awareness of phishing.
Building a Complete Security Stack
Password strength is just one piece of the puzzle. Here is the full picture:
Check your exposure — run your email through our Email Breach Checker to see if credentials are already leaked
Test your passwords — use our Password Strength Checker on your most important passwords
Get a password manager — read our Password Manager Guide to set one up in 10 minutes
Enable 2FA everywhere — follow our 2FA guide
Run a full checkup — our Privacy Checkup scores your overall security from A+ to F, covering IP exposure, DNS leaks, VPN status, browser fingerprint, and more
Last updated: April 2026