Strength Test

People wonder if their password is a good password. I often come across two distinct groups of people. The first falls into a "just use any word" category, which is a very bad practice for picking passwords. The second group will mix in a few numbers in order to make the password a lot harder to guess. But how do you know if you have a secure passphrase?

Good passwords / passphrases:

  • ... should be 8 characters or longer, which forces you to use multiple words or extra symbols.
  • ... should have upper case, lower case, symbols, and numbers; or at least three of those four groups.
  • ... should not be a common word and should not be a common phrase.
  • ... should not contain a date, a name, or other things that can be associated with you.
  • ... should be created randomly or semi-randomly.
  • ... should not be a suggestion when you type in the first few characters into Google.

This password checker will gauge your password and score it on how good a password it is. It will let you know if you picked a common password (don't do that!) and it will also take into account the probability of letters landing close to each other. For instance, "Q" is almost always followed by "U", so your password's score won't increase much when you type in the "U".

I use cryptographically-minded descriptions to describe how weak or strong a password is. For email accounts, passwords to log into your personal machine, and other things that don't require the most strict authentication, feel free to use a password that is deemed "Weak" or "Reasonable". However, be careful still; if you plan on using a single password for multiple things, I strongly suggest a better password.

This runs completely in your browser and sends no information back to me. If you are paranoid, you can read the source code, unplug your machine from the internet, or just use a password that is similar to yours. Also, please keep in mind that this is an estimate of how strong your password is, and I make no guarantee that the information shown is correct.

  • Warnings are shown if you enter a common password.
  • Warnings are shown if your password is very short (4 or fewer characters) or if it is short (less than 8 characters).
  • Password strength is determined with this chart, which might be a bit of a stretch for a non-critical password:
    • < 28 bits = Very Weak; might keep out family members
    • 28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
    • 36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
    • 60 - 127 bits = Strong; can be good for guarding financial information
    • 128+ bits = Very Strong; often overkill
  • The number of bits listed for entropy is an estimate based on letter pair combinations in the English language. To make the frequency tables a reasonable size, I have lumped all non-alphabetic characters together into the same group. Because of this, your entropy score will be lower than your real score when you use several symbols.
  • For determining the character set, letters are grouped into a-z, A-Z, numbers, symbols above numbers, other symbols, and other characters. If your passphrase contains a character from the subset, that subset is added to the pool, increasing the size of the character set and increasing the amount of entropy in your password.
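
The character-set pooling, length warnings and strength chart from the list above, as an added example (not passchk's own code). It uses the simple pool-size estimate, length × log2(pool size), instead of the letter-pair frequency tables the page describes, and the group sizes are assumptions for a US keyboard layout.

```javascript
// Added example; not passchk's code. Group sizes are assumptions (US keyboard).
// First matching group wins, so "other symbols" is the rest of printable ASCII.
const GROUPS = [
  { name: "a-z", size: 26, test: (c) => c >= "a" && c <= "z" },
  { name: "A-Z", size: 26, test: (c) => c >= "A" && c <= "Z" },
  { name: "numbers", size: 10, test: (c) => c >= "0" && c <= "9" },
  { name: "symbols above numbers", size: 10, test: (c) => "!@#$%^&*()".includes(c) },
  { name: "other symbols", size: 23, test: (c) => c >= " " && c <= "~" },
  { name: "other characters", size: 128, test: () => true }, // assumed size
];

// Each group that appears in the password is added to the pool once.
function charsetPool(password) {
  const used = new Set();
  for (const c of password) used.add(GROUPS.find((g) => g.test(c)));
  return [...used].reduce((sum, g) => sum + g.size, 0);
}

// Upper bound: every character drawn uniformly at random from the pool.
function poolBits(password) {
  const length = [...password].length;
  return length === 0 ? 0 : length * Math.log2(charsetPool(password));
}

// The page's chart; fractional values fall into the band below the next bound.
function rate(bits) {
  if (bits < 28) return "Very Weak";
  if (bits < 36) return "Weak";
  if (bits < 60) return "Reasonable";
  if (bits < 128) return "Strong";
  return "Very Strong";
}

// The page's length warnings: 4 or fewer is very short, under 8 is short.
function lengthWarning(password) {
  const length = [...password].length;
  if (length <= 4) return "very short";
  return length < 8 ? "short" : null;
}

function assess(password) {
  const bits = poolBits(password);
  return { bits, rating: rate(bits), warning: lengthWarning(password) };
}

// Constructed samples. "password" rates Reasonable here, which is why the
// checker also needs its common-password warning and letter-pair weighting.
for (const p of ["abcd", "password", "Tr0ub4dor&3"]) console.log(p, assess(p));
```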

For further information, try NIST's Special Publication 800-63, Electronic Authentication Guideline, Appendix A: Estimating Password Entropy and Strength. Also, C.E. Shannon's A Mathematical Theory of Communication. I've also written up some thoughts on password security.

If you really like this program and you want to include it with your software or on your site, you can download it here: passchk.zip (34 k). The code is licensed under the GPLv3, which may be of importance to note if you are including it as part of your custom software.

Tyler Akins