Password Strength Checker
Check how secure your password is. Core evaluation runs in your browser; the optional breach check sends only a SHA-1 hash prefix to HIBP.
Core strength evaluation runs in your browser. The optional HIBP check sends only a SHA-1 hash prefix.
Password Generator
Create strong, random passwords instantly with customizable length and character types.
Passphrase Generator
Create strong, memorable word-based passphrases that are easy to remember.
Frequently Asked Questions
Will my password be sent anywhere?
Normal strength evaluation follows SecurePass's secret-values-are-not-automatically-sent policy and runs in your browser. If you press the optional HIBP breach-check button, the browser hashes the password locally and sends only the first 5 characters of the SHA-1 hash directly to Have I Been Pwned. SecurePass also requests a same-origin static metrics file to estimate button usage; that request contains no password, hash prefix or suffix, password length, result, breach count, or identifier.
How is crack time calculated?
We calculate the password's entropy (randomness) in bits, then estimate how long a brute-force attack would take at 10 billion attempts per second (a realistic rate for modern GPUs). The time shown assumes the attacker tries half the keyspace on average.
How can I make my password stronger?
Use at least 12 characters (16+ is ideal). Mix uppercase, lowercase, digits, and symbols. Avoid dictionary words, keyboard patterns like "qwerty", and personal information. The best approach is to use a randomly generated password from a password generator.
Does "Very Strong" mean absolutely safe?
No rating can guarantee absolute safety. "Very Strong" means your password has high entropy and resists brute-force attacks, but security also depends on how you store and use it. Never reuse passwords across services, and consider using a password manager.