Developer · April 9, 2026 · 5 min read · Updated June 10, 2026

How to Check Password Strength Online

Written by Hasanur Rahman

Founder & Full-Stack Developer · Irreva · Rangpur, Bangladesh

A password strength checker tells you how long your password would take to crack and what weaknesses it has. Not all password checkers are equal — some just count characters, while better ones check for patterns, dictionary words, and common substitutions. This guide explains how strength is actually measured and what to look for in a checker.

How password strength is measured

Password entropy measures how unpredictable a password is, in bits. A password chosen randomly from a set of N characters has log2(N) bits of entropy per character. A 16-character password from a 95-character set (printable ASCII) has about 105 bits of entropy — extremely strong.

Simple entropy calculations don't account for patterns, though. 'Password123!' has high theoretical entropy but is a terrible password because it follows predictable patterns that password crackers specifically target. The zxcvbn algorithm (developed by Dropbox) is the most widely used realistic strength estimator — it checks for dictionary words, common substitutions (@ for a, 3 for e), keyboard patterns (qwerty, 123456), and date patterns.

The Irreva Password Strength Checker uses entropy estimation and pattern detection to give a realistic strength score and explanation of any weaknesses found.

  • Very Weak: crackable in seconds (dictionary words, common passwords)
  • Weak: crackable in minutes to hours
  • Fair: might withstand an online attack, not an offline one
  • Strong: would take years of sustained offline cracking
  • Very Strong: effectively uncrackable with current computing

What makes a password weak

Dictionary words in any language are weak — password crackers start with full dictionaries. Adding a number at the end doesn't help much: 'password123' is in every cracker's list. Substitutions like '@ for a' or '3 for e' are also well-known and handled automatically by smart crackers.

Keyboard patterns (qwerty, 1qaz2wsx, asdfgh) are very weak — they're among the first things cracking tools try. Repeating characters (aaaaaa) or sequences (123456, abcdef) offer no real security.

Personal information — your name, birthdate, pet's name, city — is especially weak for targeted attacks. An attacker who knows anything about you will try those values first.
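
The pattern checks described in this section, set against the naive per-character entropy figure from earlier, as an added example (not the Irreva checker's code and not zxcvbn). The word and keyboard lists are small constructed samples, and the function names are illustrative.

```javascript
// Added example. The word and keyboard lists are tiny constructed samples.
const COMMON_WORDS = ['password', 'dragon', 'monkey', 'letmein', 'welcome'];
const KEYBOARD_RUNS = ['qwerty', 'asdfgh', '1qaz2wsx'];
const LEET = { '@': 'a', '4': 'a', '3': 'e', '1': 'l', '0': 'o', '$': 's', '5': 's' };

// Naive estimate: length * log2(size of the character classes in use).
function naiveEntropyBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33; // printable ASCII symbols and space
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// True if s contains `min` or more consecutive ascending or descending characters.
function hasSequence(s, min = 3) {
  let up = 1, down = 1;
  for (let i = 1; i < s.length; i++) {
    const d = s.charCodeAt(i) - s.charCodeAt(i - 1);
    up = d === 1 ? up + 1 : 1;
    down = d === -1 ? down + 1 : 1;
    if (up >= min || down >= min) return true;
  }
  return false;
}

// Returns the list of predictable patterns found in pw (empty if none matched).
function findWeaknesses(pw) {
  const lower = pw.toLowerCase();
  const unleet = [...lower].map(c => LEET[c] ?? c).join(''); // undo common substitutions
  const found = [];
  if (COMMON_WORDS.some(w => lower.includes(w))) found.push('dictionary word');
  else if (COMMON_WORDS.some(w => unleet.includes(w))) found.push('dictionary word with substitutions');
  if (KEYBOARD_RUNS.some(k => lower.includes(k))) found.push('keyboard pattern');
  if (hasSequence(lower)) found.push('sequence');
  if (/(.)\1{3,}/.test(pw)) found.push('repeated character');
  return found;
}

// Constructed sample passwords: naive bits next to the patterns actually found.
for (const pw of ['Password123!', 'P@ssw0rd', '1qaz2wsx', 'q7#Lm2!vX9@tRz4&']) {
  console.log(pw, naiveEntropyBits(pw).toFixed(1), findWeaknesses(pw));
}
```

'Password123!' scores about 79 naive bits yet matches two patterns, while the 16-character random sample scores about 105 bits and matches none.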

Improving a weak password

The most effective improvement is length. Adding four random characters to a weak password does more for security than complex substitutions on a short password.

Use a password generator rather than modifying existing weak passwords. Human-chosen passwords, even when trying to be complex, follow patterns that remain predictable. A random generator doesn't.

If you need a memorable password, use a passphrase of four or more random, unrelated words: 'correct horse battery staple'. This is both memorable and mathematically strong.
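
An added example (not Irreva's generator) of the two approaches above: a random password and a random-word passphrase, both drawn with rejection sampling so every choice is equally likely. `WORDS` is a constructed eight-word stand-in, and 7776 is an assumed word-list size (that of the Diceware list); neither comes from the page.

```javascript
// Added example. WORDS is a constructed 8-word stand-in for a real word list.
const WORDS = ['anchor', 'breeze', 'copper', 'dune', 'ember', 'fjord', 'glacier', 'harbor'];
// 95 printable ASCII characters (space through ~), the set used in the entropy section.
const PRINTABLE = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i));

// Web Crypto CSPRNG: global in browsers and recent Node, via require() on older Node.
const cryptoApi = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n). Values at or above the largest multiple of n
// that fits in 32 bits are redrawn, so the final `% n` adds no bias.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) throw new RangeError('bad n');
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { cryptoApi.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// `count` independent uniform picks from `pool`.
const pick = (pool, count) => Array.from({ length: count }, () => pool[randomBelow(pool.length)]);

const randomPassword = (length = 16) => pick(PRINTABLE, length).join('');
const randomPassphrase = (words, count = 4) => pick(words, count).join(' ');

// Entropy in bits of `count` uniform picks from `poolSize` equally likely options.
const entropyBits = (poolSize, count) => count * Math.log2(poolSize);

console.log(randomPassword(), entropyBits(PRINTABLE.length, 16).toFixed(1));
console.log(randomPassphrase(WORDS), entropyBits(WORDS.length, 4).toFixed(1)); // demo list only
console.log('4 words from an assumed 7776-word list:', entropyBits(7776, 4).toFixed(1));
```

The entropy figure only holds when the words are picked by the generator; a phrase a person chooses, or one copied from a well-known example, does not get this number.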

Frequently Asked Questions

Is it safe to type my real password into a strength checker?

Only use a strength checker that runs locally in your browser with no network transmission. The Irreva Password Strength Checker runs entirely client-side — your password never leaves your device. Avoid any tool that sends your password to a server.

What is the NIST guidance on password requirements?

NIST SP 800-63B recommends focusing on length (minimum 8 characters, longer is better) over complexity. It recommends against mandatory complexity rules (uppercase + number + symbol), periodic forced changes, and security questions. It recommends checking passwords against known-compromised password lists.

Does checking if my password was breached reduce security?

Services like HaveIBeenPwned use a k-anonymity technique: your client computes a hash of the password and sends only the first few characters of that hash to the API. The server returns all hashes starting with those characters, and the client checks for a match locally. Your actual password is never transmitted.
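
Both sides of that exchange, as an added example that runs offline under Node (not code from this page or from HaveIBeenPwned). It assumes SHA-1, a five-character prefix and `SUFFIX:COUNT` response lines, as the Pwned Passwords range API uses; `BREACHED`, its counts and `mockRangeResponse` are constructed stand-ins for the server.

```javascript
// Added example. In a browser, hash with crypto.subtle.digest('SHA-1', ...) instead.
const { createHash } = require('node:crypto');

const sha1Hex = pw => createHash('sha1').update(pw, 'utf8').digest('hex').toUpperCase();

// Client step 1: hash locally, then split into the prefix (sent) and suffix (kept).
function splitHash(password) {
  const hash = sha1Hex(password);
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// Stand-in for the server: for a 5-character prefix, return "SUFFIX:COUNT" lines
// for every corpus hash sharing it. BREACHED and its counts are constructed.
const BREACHED = new Map([['password', 9000], ['letmein', 300], ['qwerty', 4000]]);
function mockRangeResponse(prefix) {
  const lines = [];
  for (const [pw, count] of BREACHED) {
    const h = sha1Hex(pw);
    if (h.startsWith(prefix)) lines.push(`${h.slice(5)}:${count}`);
  }
  return lines.join('\r\n');
}

// Client step 2: look for the kept suffix in the returned lines, locally.
// fetchRange receives only the prefix, never the password or the full hash.
function breachCount(password, fetchRange = mockRangeResponse) {
  const { prefix, suffix } = splitHash(password);
  for (const line of fetchRange(prefix).split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate === suffix) return Number(count);
  }
  return 0; // suffix not in the returned set
}

console.log(splitHash('password').prefix);  // the only value that leaves the client
console.log(breachCount('password'), breachCount('q7#Lm2!vX9@tRz4&'));
```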

Why do some sites have terrible password requirements?

Many sites have outdated policies based on old guidance (NIST's pre-2017 recommendations) that have since been revised. Maximum length limits, character exclusions, and forced complexity rules are all known to reduce real-world security by encouraging predictable patterns.

How often should I change my password?

Current NIST guidance is to change passwords only when there's evidence of compromise, not on a fixed schedule. Frequent mandatory password changes train users to make small, predictable changes (password1 → password2), which do not improve security. Use a unique strong password and change it if you suspect it's been exposed.

About the author

Hasanur Rahman

Hasanur Rahman is the founder of Irreva and a full-stack developer based in Rangpur, Bangladesh. He builds all of Irreva's tools with a focus on privacy-first, browser-based processing.