Password Strength
Checker & Generator

Yes — completely. This tool runs entirely in your browser. Your password is never sent to any server; all calculations happen locally in your device's RAM using JavaScript. You can disconnect from the internet and the tool still works perfectly. The code is open to inspection.

Strength is measured using the entropy formula: H = L × log₂(R), where L is password length and R is the character pool size (e.g. 94 for full ASCII). Each additional bit of entropy doubles the attacker's required guesses. NIST SP 800-63B recommends a minimum of 80 bits of entropy for strong passwords.

A pwned password has appeared in a known data breach database. Even a long, complex password that has been leaked is compromised — attackers use breach lists directly. We check using the k-Anonymity protocol: only the first 5 characters of your password's SHA-1 hash are ever sent to the HaveIBeenPwned API.

Crack time is estimated against 1 trillion (10¹²) guesses per second — a high-end GPU cluster or small botnet benchmark. A 16-character password using all character types provides 100+ bits of entropy, estimated at billions of years with current hardware. Note: these are relative estimates, not absolute guarantees.

Per NIST SP 800-63B: use 12-16+ characters, mix uppercase, lowercase, numbers and symbols, avoid dictionary words or personal information, and aim for 80+ bits of entropy. A random passphrase like "correct-horse-battery-staple" often outperforms short complex passwords like "P@ss1!" in both entropy and memorability.