Password Strength Checker
Test any password’s strength and see an estimated crack time. Fully private — the check runs in your browser and nothing is ever transmitted.
How the strength check works
This checker estimates password strength the way security researchers do: by calculating entropy — the number of bits of unpredictability — from the length and the variety of characters you used. It then converts that into an estimated crack time assuming a fast offline attacker testing about 10 billion guesses per second, the kind of speed possible against a stolen, poorly-hashed password database.
It also flags weaknesses that raw entropy misses: passwords that appear on common-password lists, obvious sequences like 1234, and repeated characters. Everything happens in your browser — your password is never sent over the network, so it is safe to test even a real one.
Crack-time estimates are a guide, not a guarantee. Real attack speed depends on how the site stored your password (a slow hash like bcrypt is far harder than a fast one) and whether the password appears in a breach. Treat this as a relative indicator and always pair a strong password with two-factor authentication.
How to make a weak password stronger
The fastest wins are length and unpredictability. A memorable passphrase of four or five random words is both strong and easy to recall; or skip memorising entirely and let our password generator create one for you, stored in a password manager. For the full method, read how to create strong passwords.
Frequently asked questions
Is it safe to type my real password here?
Yes. The check runs entirely in your browser with JavaScript — your password is never transmitted to Tudug or any server, and nothing is logged or stored. You can verify this by disconnecting from the internet; the tool still works.
How is crack time calculated?
We estimate entropy from your password's length and character variety, then assume an offline attacker guessing about 10 billion passwords per second. That is a deliberately fast, worst-case figure so the result errs on the side of caution.
Why does a common password score so low even if it is long?
Because attackers try known passwords and leaked lists first, before brute force. A long but common or breached password can be cracked instantly regardless of its length, so we cap its score.
What is a good entropy target?
Aim for at least 60 bits for everyday accounts and 80+ bits for important ones (email, banking, password manager). A random 14–16 character password or a 4–5 word passphrase clears that easily.
Does adding symbols matter more than length?
Length usually wins. Each extra character multiplies the possibilities, so a longer password generally beats a short one peppered with symbols. Use both where you can, but never sacrifice length.
This tool runs entirely in your browser — nothing you type is sent to our servers. Tudug is reader-supported and may earn from ads.
More free tools
Password Generator
Create strong, random passwords with custom length and character sets.
Open tool →Download Time Calculator
Estimate download time from file size and connection speed.
Open tool →Screen Resolution & DPI
Work out pixel density, aspect ratio and total megapixels.
Open tool →