
Password Strength Checker

Type a password to see its strength, entropy, and estimated time to crack. This runs entirely in your browser — nothing is sent anywhere.


A strong password won't save a leaky app.

If your API keys are in the bundle or your database has no row-level security, the password doesn't matter. Get your full Launch Readiness Score in ~60 seconds.


What makes a password strong — and what your app should enforce

Password strength is a matter of guessability, not of satisfying complexity rules. A 12-character string drawn uniformly at random from the 95 printable ASCII characters carries about 79 bits of entropy (12 × log2 95), so a cracker has no better strategy than to try roughly 2^78 candidates. A 16-character password that follows the pattern "Word+Number+Symbol!" is much longer but collapses to a dictionary word, a short number and one of a few dozen symbols, a search space that wordlist-plus-rules attacks exhaust quickly. NIST's 2024 revision of SP 800-63B reflects this: verifiers must not impose composition rules (required mixes of character classes), must not force periodic rotation, must require at least 8 characters and should require at least 15, and must screen new passwords against lists of known-breached values. The 12-character floor recommended on this page sits between NIST's minimum and its recommendation.

How password strength is calculated

This tool uses the zxcvbn algorithm. Rather than counting character classes, zxcvbn looks for the patterns real cracking tools try first: dictionary words and names (including reversed ones), common substitutions (@ for a, 3 for e), keyboard walks (qwerty, asdfgh), sequences (12345, abcd), repeats (aaaa, abcabc) and dates, then works out the cheapest way a cracker could cover the whole password with those patterns. The result is an estimated number of guesses, which is mapped to a 0 to 4 score and to crack times for four attacker scenarios: an online attack throttled to 100 guesses per hour, an unthrottled online attack at 10 guesses per second, an offline attack on a slow hash such as bcrypt at 10^4 guesses per second, and an offline attack on a fast hash such as MD5 at 10^10 guesses per second. A score of 4 means at least 10^10 guesses, which zxcvbn rates as strong even against the offline slow-hash attacker; a score of 0 means fewer than 10^3 guesses, which falls instantly offline and within minutes through an unthrottled login form. A crack-time figure is only meaningful together with the scenario it assumes; the score is the scenario-independent number to act on.
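The two sections above describe the estimator in prose. The block below is an added example, written for this page, of the same idea in miniature: it is neither the page's tool nor the zxcvbn library. The ten-word dictionary, the capitalisation and leet multipliers, the walk and repeat costs and the reference year are assumptions made for illustration; the score breakpoints (10^3, 10^6, 10^8, 10^10 guesses) and the four attacker rates are the ones zxcvbn uses. Pattern matches and per-character brute force are combined by a dynamic programme that picks the cheapest cover of the password, which is how zxcvbn arrives at its guess count.

```javascript
// Minimal zxcvbn-style guess estimator (added example; not the page's tool or zxcvbn itself).

// Ten "most common" words; index+1 stands in for zxcvbn's frequency rank (assumption).
const DICTIONARY = ['password', 'qwerty', 'welcome', 'letmein', 'summer',
                    'dragon', 'monkey', 'admin', 'football', 'baseball'];
// Common leet substitutions, undone before dictionary lookup.
const L33T = { '@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };
// Keyboard rows and ordered sequences; runs of 4+ characters in either direction match.
const WALKS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm', 'abcdefghijklmnopqrstuvwxyz', '0123456789'];
const REFERENCE_YEAR = 2025; // assumption: "now" for date-distance costing
// Guesses per second for zxcvbn's four attacker scenarios.
const SCENARIOS = {
  onlineThrottled: 100 / 3600, // rate-limited login form: 100 guesses per hour
  onlineUnthrottled: 10,
  offlineSlowHash: 1e4,        // bcrypt / scrypt / argon2
  offlineFastHash: 1e10,       // raw MD5 / SHA-1 on a GPU rig
};

function unleet(s) {
  return s.toLowerCase().replace(/[@431!0$57]/g, c => L33T[c]);
}

// Alphabet size a brute-forcer must try for one character (ASCII only).
function charsetSize(ch) {
  if (/[0-9]/.test(ch)) return 10;
  if (/[a-zA-Z]/.test(ch)) return 26;
  return 33; // printable ASCII symbols
}

// Every pattern found in pw, as { type, i, j, guesses } with j exclusive.
function findMatches(pw) {
  const matches = [];
  const norm = unleet(pw); // ASCII in, same length out, so indices line up with pw
  DICTIONARY.forEach((word, idx) => {
    for (let at = norm.indexOf(word); at !== -1; at = norm.indexOf(word, at + 1)) {
      const raw = pw.slice(at, at + word.length);
      const upper = (raw.match(/[A-Z]/g) || []).length;
      const subs = (raw.match(/[@431!0$57]/g) || []).length;
      let caseMult = 2 ** upper; // mixed case: about one bit per capital (assumption)
      if (upper === 0) caseMult = 1;
      else if (upper === raw.length || (upper === 1 && /^[A-Z]/.test(raw))) caseMult = 2; // ALLCAPS or Capitalised
      matches.push({ type: 'dictionary', i: at, j: at + word.length, guesses: (idx + 1) * caseMult * 2 ** subs });
    }
  });
  const lower = pw.toLowerCase();
  for (const walk of WALKS) {
    for (const dir of [walk, [...walk].reverse().join('')]) {
      let i = 0;
      while (i < lower.length) {
        let j = i + 1;
        while (j < lower.length && dir.includes(lower.slice(i, j + 1))) j++;
        if (j - i >= 4) matches.push({ type: 'walk', i, j, guesses: dir.length * (j - i) });
        i = j;
      }
    }
  }
  let m;
  const yearRe = /(19|20)\d\d/g; // four-digit years; zxcvbn also parses d/m/y forms
  while ((m = yearRe.exec(pw)) !== null) {
    const span = Math.max(20, Math.abs(REFERENCE_YEAR - Number(m[0])));
    matches.push({ type: 'date', i: m.index, j: m.index + 4, guesses: 365 * span });
  }
  const repeatRe = /(.+?)\1+/g; // "abcabc": cost of the base times the repeat count
  while ((m = repeatRe.exec(pw)) !== null) {
    const reps = m[0].length / m[1].length;
    matches.push({ type: 'repeat', i: m.index, j: m.index + m[0].length, guesses: guessesFor(m[1]) * reps });
  }
  return matches;
}

// Cheapest cover of the whole password: each character is either brute-forced
// on its own or consumed by a matched pattern starting at that position.
function guessesFor(pw) {
  const matches = findMatches(pw);
  const best = new Array(pw.length + 1).fill(Infinity);
  best[0] = 1;
  for (let k = 0; k < pw.length; k++) {
    best[k + 1] = Math.min(best[k + 1], best[k] * charsetSize(pw[k]));
    for (const m of matches) if (m.i === k) best[m.j] = Math.min(best[m.j], best[k] * m.guesses);
  }
  return best[pw.length];
}

// zxcvbn's score breakpoints (it adds a small delta to each; omitted here).
function scoreFor(guesses) {
  if (guesses < 1e3) return 0;
  if (guesses < 1e6) return 1;
  if (guesses < 1e8) return 2;
  if (guesses < 1e10) return 3;
  return 4;
}

function analyse(pw) {
  const guesses = guessesFor(pw);
  const crackSeconds = {};
  for (const [name, rate] of Object.entries(SCENARIOS)) crackSeconds[name] = guesses / rate;
  return { guesses, score: scoreFor(guesses), crackSeconds };
}

for (const pw of ['Password1', '12345', 'Summer2025!', 'x9Q!mR2vTp#L']) {
  const r = analyse(pw);
  console.log(pw.padEnd(14), 'guesses', r.guesses.toExponential(2), 'score', r.score,
              'fast-hash', r.crackSeconds.offlineFastHash.toExponential(2) + 's');
}
```

"Password1" passes the usual composition regex yet costs only 20 guesses here (rank-1 word, one capital, one digit); "12345" is a 5-character sequence and costs 50; a 12-character random string costs about 2 × 10^16. The toy lacks zxcvbn's 30,000-word lists and its penalty for the number of segments, so it overestimates mixed passwords such as "Summer2025!" (score 2 here); the real library should be used in production.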

What AI-built apps typically enforce (and what they miss)

Most vibe-coded apps either skip password validation entirely, accepting any string as a password, or implement a composition regex such as "at least 8 characters, one uppercase, one number". Both leave users exposed. A composition regex is satisfied by "Password1", which scores 1 or lower on zxcvbn's 0 to 4 scale: it is the most common dictionary word with a capital letter and a digit appended, exactly the mangling rules crackers apply first. Skipping validation lets users choose "123456", which Have I Been Pwned has seen over 24 million times in breach corpora.

What to build into your app

Enforce a 12-character minimum, counted in Unicode code points, and accept long passphrases (NIST asks verifiers to allow at least 64 characters). Check every new password against the Have I Been Pwned Pwned Passwords corpus; its range API takes the first five hex characters of the password's SHA-1 and returns the matching suffixes with their counts, so the full hash never leaves your server. Show a real-time strength meter backed by zxcvbn or equivalent, reject anything scoring below 2, and surface zxcvbn's feedback so the user knows what to change. Do not expire passwords on a schedule; force a reset only on evidence of compromise, because scheduled rotation produces predictable increments such as "Summer2024!" becoming "Summer2025!". These five controls address most account-takeover risk that stems from weak or reused passwords; they do nothing for credentials the app itself leaks, which is the point of the note above.