Need a strong password?

Password Strength Estimator

This tool uses the zxcvbn algorithm developed by Dropbox to guide you to stronger passwords.

This password checker runs entirely in your browser; nothing you type is sent to us.

But it's still a great habit to never type your passwords into a stranger's website, regardless of what they promise you. So type something similar here, rather than your actual password.

You can read more about this tool below.

So What's the Deal With This Strength Estimator?

The way many password strength meters work is by counting how many characters you use, and whether you use a mix of capital and lower case letters, numbers and symbols.

The problem with that is you could type something like Password1 and it might be rated as strong. After all, it's 9 characters long and includes lower case letters, a number and a capital letter.

But in truth, it's one of the easiest passwords to guess.

The idea behind Dropbox's zxcvbn algorithm is to provide a strength rating based on real password cracking techniques.

That means not just looking at the number and variety of characters used, but also checking for common words and other guessable patterns.
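The contrast described above, as an added example (not part of this tool and not Dropbox's zxcvbn code): a composition-only meter next to a much-simplified pattern-aware guess count. The word list, the three case forms, the four-digit suffix limit, the weak/strong threshold and the function names are assumptions made for the illustration.

```javascript
// Added illustration only; this is not zxcvbn's code.
// COMMON_WORDS is a tiny constructed sample; real estimators use large ranked lists.
const COMMON_WORDS = ["password", "qwerty", "letmein", "dragon", "monkey"];

// Composition-only meter: length plus character-class variety.
function compositionScore(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
  if (pw.length >= 8 && classes >= 3) return "strong";
  if (pw.length >= 8 && classes >= 2) return "medium";
  return "weak";
}

// Pattern-aware estimate: roughly how many guesses are needed by someone who
// tries common words first, in three case forms, with up to four trailing digits.
function patternGuesses(pw) {
  const m = /^([A-Za-z]+)(\d{0,4})$/.exec(pw);
  if (m) {
    const lower = m[1].toLowerCase();
    const rank = COMMON_WORDS.indexOf(lower);
    const forms = [lower, lower[0].toUpperCase() + lower.slice(1), lower.toUpperCase()];
    if (rank !== -1 && forms.includes(m[1])) {
      const suffixSpace = 10 ** m[2].length; // 1 when there is no digit suffix
      return (rank + 1) * forms.length * suffixSpace;
    }
  }
  // No known pattern: fall back to brute force over the classes actually used.
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(pw)) alphabet += 33;
  return Math.pow(alphabet, pw.length);
}

// Constructed threshold: under a million guesses counts as weak.
function patternScore(pw) {
  return patternGuesses(pw) < 1e6 ? "weak" : "strong";
}

for (const pw of ["Password1", "vT9#qLm2x"]) {
  console.log(pw, compositionScore(pw), patternScore(pw), patternGuesses(pw));
}
```

Both sample passwords pass the composition check, but only the second survives the pattern-aware one.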

For a closer look at the algorithm, check out the USENIX conference presentation.

Is Zxcvbn a Perfect Measure of Password Strength?

Probably the best way to measure password strength would be to get a talented security professional to actually crack it.

But that requires money, time, processing power and some amount of savvy to manage.

For something that you can just run in your browser and get immediate feedback, this is actually pretty good.

Still, there are a few shortcomings to this algorithm.

There are some guessable patterns it doesn't catch, such as words with one missing letter.

It's highly biased toward the English language.

It also does nothing to stop you reusing a password that's perhaps already been stolen.

Always Be Careful Where You Type Your Passwords

This code runs entirely in your browser; nothing you type is sent to us.

The thing is though, it's crazy to just take our word for that - or anyone else's.

So if you don't have the technical skills to verify whether or not anything you type is sent to a server, then it's a very good habit to not type real passwords into this tool or any other one like it. Just use it to play with a few ideas.

Because, sure, we're on the level. But that's exactly what the bad guys will say.

Learn More About Password Security

If you're keen to know a whole lot more about this, this Computerphile documentary is worth a look: