What do the 0-4 scores mean?

The 0-4 scale maps to crack time: - **Score 0**: cracked instantly (seconds) - **Score 1**: weak (hours) - **Score 2**: fair (online OK, offline 1-7 days) - **Score 3**: strong (online unbreakable, offline 1+ year) - **Score 4**: very strong (offline >100 years) **Goal**: ordinary accounts **3+**, banking / master password **4**.

What are the "four crack scenarios"?

Four threat models with different attack speeds: - **Online throttle**: service has rate-limit ("3 wrong = 5min lockout"), attackers 100/hour - **Online no throttle**: no limit, 10/s - **Offline slow hash**: attackers have a DB of **bcrypt/argon2** hashes, 10,000/s on CPU - **Offline fast hash**: **MD5/SHA-1** hashes + GPU cluster, 10 billion/s **Your password must survive all 4**, look at the worst-case time.

Does zxcvbn understand non-English passwords?

**Partially**. The popular-passwords list is **global** (some non-English entries). The **dictionaries are English-only**, so non-English proper nouns or words **won't be detected**. **Rule of thumb**: for non-English passwords **subtract 1 score** (zxcvbn 4 = realistically 3 against a localized dictionary attack).

Does the password reach the server?

**No**. zxcvbn-ts is a JS library bundled into the browser, **all analysis client-side**. Dictionaries are local too (~200KB loaded on first analysis). **DevTools → Network** = no requests with the password.

My password manager says it's strong but you say weak, why?

Most managers (1Password, Bitwarden, Keychain) show **entropy bits** or a simpler in-house analysis. Entropy bits **assume randomness** (greatly overestimate for non-random passwords). **zxcvbn is stricter**, it spots patterns, doesn't trust length. "asdfghjkl12345" looks long-and-strong via simple analysis; in zxcvbn = detected keyboard sequence + digits = **weak**. **Trust zxcvbn**.

Score 4 = perfect password?

**Score 4** = strong enough against current attacks (2024-2026). **Not perfect**, it's the cap of zxcvbn's scale. **A password is only as strong as the place you use it**: same score-4 password on 5 services = one breach compromises all. **Rule**: each account = **unique password**, every one **score 3+**, critical (banking, email, manager) **score 4**.

How do I push a weak password's score up?

**Step 1**: apply zxcvbn's suggestions (which point at the specific cause). Typically: **longer** (6+ words for passphrase, 16+ chars for random), **mix alphabets and digits NOT in predictable spots** (not "Password2024", something more random). **Step 2**: regenerate from scratch with the [password generator](/en/password-generator) or [passphrase generator](/en/passphrase-generator). **Any random 6-word passphrase scores 4 automatically**.

Password strength tester - free

Your password

Everything runs locally. The password never leaves your browser.

How do I check whether my password is really strong?

Type a password and get a score 0-4 (from "Very weak" to "Very strong") plus a concrete WHY explanation.

Unlike a simple entropy meter, zxcvbn (the Dropbox library) detects patterns: dictionary words, birth years, keyboard walks (qwerty), repeats, leetspeak (P@ssw0rd), surnames.

Shows crack time across 4 scenarios (online with rate limiting, online without, offline against bcrypt, offline against MD5+GPU). Everything is local, the password never leaves the browser.

How to use it

Type the password, the field is masked (dots). Click the eye icon to reveal.

Read the result live, the color bar shows 0-4 (red→green).

Check the "Detected patterns" section, zxcvbn shows WHICH part is a dictionary word, WHICH is a birth year, WHICH is a keyboard sequence.

Apply the "Suggestions" from the library: "Add another word", "Avoid years", "Use mixed case". Each suggestion raises the score.

Goal: score=4 ("Very strong") + no warnings. Offline-fast crack time >100 years = practically unbreakable.

When this is useful

Five typical situations where a strength rating saves you from disaster:

Auditing your own passwords. Check every password from your manager, start with the weakest.
Corporate policy. Test sample passwords against your rules; see whether "minimum 8 chars, uppercase, digit" actually yields strong passwords (usually not, zxcvbn will show "Summer2024!" is weak despite meeting the criteria).
Team education. Prove that "a password I came up with off the top of my head" has 30 bits of entropy.
New-hire onboarding. Vet the proposed temporary password before account creation.
Passwords for external drives, ZIP archives, PGP keys. Every such password deserves a rigorous test, because it's never single-use.

After finding a weak password, generate a strong one and check it hasn't leaked.

Questions and answers

Entropy from `length × log2(charset)` assumes the password is RANDOM. Most human passwords are NOT random, "Summer2024!" looks like 11 chars = 67 bits, but it's actually a dictionary word + year + common suffix (~25 bits, cracked in hours). zxcvbn recognizes patterns and gives a realistic estimate. It runs against 30,000+ common passwords, dictionaries, dates, keyboard walks.

How do I check whether my password is really strong?

Type a password and get a score 0-4 (from "Very weak" to "Very strong") plus a concrete WHY explanation.

Unlike a simple entropy meter, zxcvbn (the Dropbox library) detects patterns: dictionary words, birth years, keyboard walks (qwerty), repeats, leetspeak (P@ssw0rd), surnames.

Shows crack time across 4 scenarios (online with rate limiting, online without, offline against bcrypt, offline against MD5+GPU). Everything is local, the password never leaves the browser.

How to use it

Type the password, the field is masked (dots). Click the eye icon to reveal.

Read the result live, the color bar shows 0-4 (red→green).

Check the "Detected patterns" section, zxcvbn shows WHICH part is a dictionary word, WHICH is a birth year, WHICH is a keyboard sequence.

Apply the "Suggestions" from the library: "Add another word", "Avoid years", "Use mixed case". Each suggestion raises the score.

Goal: score=4 ("Very strong") + no warnings. Offline-fast crack time >100 years = practically unbreakable.

When this is useful

Five typical situations where a strength rating saves you from disaster:

Auditing your own passwords. Check every password from your manager, start with the weakest.
Corporate policy. Test sample passwords against your rules; see whether "minimum 8 chars, uppercase, digit" actually yields strong passwords (usually not, zxcvbn will show "Summer2024!" is weak despite meeting the criteria).
Team education. Prove that "a password I came up with off the top of my head" has 30 bits of entropy.
New-hire onboarding. Vet the proposed temporary password before account creation.
Passwords for external drives, ZIP archives, PGP keys. Every such password deserves a rigorous test, because it's never single-use.

After finding a weak password, generate a strong one and check it hasn't leaked.

Questions and answers

Password strength tester

How do I check whether my password is really strong?

How to use it

When this is useful

Questions and answers

Related tools

Password Generator

Passphrase Generator

Pwned Password Check

Password strength tester

How do I check whether my password is really strong?

How to use it

When this is useful

Questions and answers

Related tools

Password Generator

Passphrase Generator

Pwned Password Check