$ password-strength
⛨ local-only: runs entirely in your browser. Nothing you enter is transmitted or stored — verify in DevTools → Network, or try it in airplane mode.
start typing to analyze
- online, throttled (100/hour — rate-limited login)
- online, unthrottled (10/sec — no rate limiting)
- offline, slow hash (10⁴/sec — bcrypt/argon2)
- offline, fast hash (10¹⁰/sec — MD5/SHA1 leak)
Notes
Scoring uses zxcvbn, which models how attackers actually guess: dictionaries, keyboard walks, dates, l33t substitutions, and reuse patterns — not naive "one uppercase, one symbol" rules. The four scenarios matter more than the score: a password that survives a website login form may fall in seconds if a database of fast hashes leaks.