How Strong Is My Password?
Your password is the first line of defence between you and a hacker. Here's how to find out if it's strong enough — and what to do if it isn't.
What Does "Password Strength" Actually Mean?
Password strength is a measure of how difficult it would be for an attacker to guess or crack your password. It depends on three key factors: length, complexity (the types of characters used), and unpredictability (whether it avoids common words, patterns, or personal information).
A strong password isn't just long — it's also random. The password aaaaaaaaaaaaaaaa is 16 characters long but trivially easy to guess. Meanwhile, a shorter but random mix like k9$Tm!xQ2p is far harder to crack despite being only 10 characters.
How Do Hackers Crack Passwords?
Understanding how hackers work helps explain why password strength matters so much. Here are the most common attack methods:
Brute-Force Attacks
A brute-force attack tries every possible combination of characters until it finds the right one. Modern GPUs can attempt billions of guesses per second. Our password strength checker estimates crack time assuming 10 billion guesses per second — a realistic rate for modern hardware.
Dictionary Attacks
Instead of trying every combination, dictionary attacks use lists of common passwords, words, and phrases. If your password is a real word — even with simple substitutions like "p@ssw0rd" — it's likely in a hacker's wordlist already.
Credential Stuffing
When a website gets breached, the stolen passwords are tested against other sites. If you reuse passwords across accounts, one breach can compromise everything. This is why unique passwords for every account are essential.
Rainbow Table Attacks
Rainbow tables are precomputed lookup tables that map password hashes back to plaintext. They're extremely fast but only work against unsalted hashes. Modern password storage should use salted hashes to defend against this.
Password Strength by the Numbers
The following table shows how long a brute-force attack would take at 10 billion guesses per second, based on password length and character types:
| Password | Character Pool | Crack Time |
|---|---|---|
| 6 chars (lowercase) | 26 | Instantly |
| 8 chars (lowercase) | 26 | ~21 seconds |
| 8 chars (mixed case) | 52 | ~15 minutes |
| 8 chars (all types) | 95 | ~6.5 hours |
| 12 chars (all types) | 95 | ~17 thousand years |
| 16 chars (all types) | 95 | ~150 trillion years |
As you can see, length is the single most impactful factor. Every additional character multiplies the number of combinations an attacker must try.
How to Test Your Password Strength
The safest way to check how strong your password is to use a tool that runs entirely in your browser — with no data sent to any server. Our password strength checker does exactly this. Type your password and instantly see:
- Estimated crack time — how long a brute-force attack would take
- Entropy score — a mathematical measure of randomness
- Character pool size — the range of characters in your password
- Strength rating — from "Very Weak" to "Very Strong"
What If My Password Is Weak?
If your password scores poorly, don't panic — but do act quickly. Here's what to do:
- Change it immediately — especially on important accounts (email, banking, social media)
- Use a password manager — tools like Bitwarden, 1Password, or KeePass generate and store strong, unique passwords for every account
- Enable two-factor authentication (2FA) — even if a hacker cracks your password, 2FA provides a second layer of protection
- Check for breaches — visit haveibeenpwned.com to see if your credentials have appeared in known data breaches
For more practical advice, check out our password strength tips and our guide to what makes a good password.
Test Your Password Now
Use our free password strength checker to see how long your password would survive a brute-force attack.
Check Password Strength