About the Handiwork Password Strength Checker
The Password Strength Checker tells you how well a password would hold up against attack. As you type, it measures entropy in bits, estimates how long it would take to crack offline, checks which character types you are using, and flags weaknesses like common passwords, repeated characters, and predictable sequences — then suggests exactly how to improve it. Everything runs locally in your browser, so your password is never transmitted, logged, or stored.
How to use the Handiwork Password Strength Checker
- Type or paste the password you want to test into the field.
- Read the strength rating, entropy in bits, and estimated crack time.
- Follow the warnings and suggestions to strengthen it, watching the meter update live.
How password strength is measured
The core metric is entropy — a measure of unpredictability in bits, calculated from the password’s length and the size of the character set it draws from. More length and a wider mix of letters, numbers, and symbols mean more entropy and exponentially more guesses for an attacker. The checker combines entropy with pattern detection so a long but predictable password (like “Password1234”) is not rated as strong as its raw length suggests.
What the crack-time estimate means
The estimated crack time assumes a well-resourced attacker who has stolen a password database and is guessing offline at roughly ten billion attempts per second. Times under a few hours mean the password is unsafe; you want estimates in the thousands of years or more for important accounts. Real-world online attacks are far slower, but you should always assume the worst case when choosing a password.
Common weaknesses it catches
Length and character variety are not enough on their own. The checker also flags passwords that appear on lists of the most common breached passwords, contain three or more repeated characters in a row, or include keyboard and alphabet sequences like “abc”, “123”, or “qwerty”. These patterns are the first things automated cracking tools try, so the tool lowers the score when it finds them.
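The measurement described in the three sections above, sketched in JavaScript. This is an added example, not the Handiwork tool's own code: the character pool sizes, the short common-password list, and the function names are assumptions, and crack time is taken as the time to try the whole keyspace.

```javascript
// Added example; not the Handiwork tool's source. Pool sizes, the tiny
// common-password list and the function names are assumptions.
const GUESSES_PER_SECOND = 1e10; // offline rate stated on the page
const COMMON = new Set(["password", "123456", "qwerty", "letmein"]); // constructed sample
const SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"];

// Size of the character set the password draws from.
function poolSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII symbols incl. space
  return size;
}

// Raw entropy in bits: length * log2(pool size).
function entropyBits(pw) {
  const pool = poolSize(pw);
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Seconds to exhaust the whole keyspace at the assumed offline rate.
function crackSeconds(bits) {
  return Math.pow(2, bits) / GUESSES_PER_SECOND;
}

// True if any 3-character window is a forward or reversed run in a sequence.
function hasSequence(pw) {
  const lower = pw.toLowerCase();
  for (let i = 0; i + 3 <= lower.length; i++) {
    const chunk = lower.slice(i, i + 3);
    const reversed = [...chunk].reverse().join("");
    if (SEQUENCES.some((s) => s.includes(chunk) || s.includes(reversed))) return true;
  }
  return false;
}

// Combine raw entropy with the pattern checks; flags explain a lowered rating.
function analyze(pw) {
  const bits = entropyBits(pw);
  const flags = [];
  if (COMMON.has(pw.toLowerCase())) flags.push("common");
  if (/(.)\1\1/.test(pw)) flags.push("repeat"); // three or more identical in a row
  if (hasSequence(pw)) flags.push("sequence");
  return { bits, seconds: crackSeconds(bits), flags };
}
```

Here "Password1234" scores about 71 bits on raw entropy yet is flagged for the "123" sequence, which is why length alone does not earn a strong rating.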
Your password stays private
This tool never sends your password anywhere — all analysis happens in your browser using JavaScript, and nothing is saved. That said, the safest habit is to test the style of password you plan to use rather than a real, in-use credential, and to store unique passwords for every account in a reputable password manager.
Frequently asked questions
Is it safe to type my password here?
Yes. The analysis runs entirely in your browser with JavaScript — your password is never sent over the network, logged, or stored. For extra peace of mind you can test a similar password rather than your exact live one.
What is a good entropy value?
Aim for at least 60 bits for everyday accounts and 80 or more bits for email, banking, and other high-value logins. The entropy readout updates live as you change the password’s length and character mix.
Why is my long password still rated weak?
Length helps, but predictable patterns hurt. Common passwords, repeated characters, and sequences like “123” or “qwerty” are easy for cracking tools to guess, so the checker reduces the score when it detects them even if the password is long.
How is the crack time calculated?
It assumes an offline attacker guessing about ten billion passwords per second against a stolen hash. The time is derived from the password’s entropy. It is an estimate of the worst case, not a guarantee.
What makes a strong password?
Length and unpredictability. Use 16 or more characters that mix uppercase, lowercase, numbers, and symbols, avoid dictionary words and patterns, and never reuse a password. A random passphrase or password-manager-generated string is ideal.