We check for common weaknesses like dictionary words, keyboard patterns like "qwerty", repeated characters, date sequences, and common substitutions like @ for 'a' and score your password accordingly.
For security, we analyse your password entirely in your browser. Nothing you type is ever sent to a server without your explicit consent.
You can opt in to check whether your password has appeared in a known data breach. We use the Have I Been Pwned database to determine if your password may have been involved in a previous breach. We submit passwords via a privacy-preserving technique called k-anonymity where only the first 5 characters of a hash of your password are sent and never the password itself.
Length matters more than complexity. A password like "correct-horse-battery-staple" is far harder to crack than "P@ssw0rd!" despite being easier to remember (these types of passwords are called passphrases). Aim for at least 12 characters, and consider using a passphrase to make it easier for you to remember.
Avoid anything predictable: names, dates, keyboard walks (e.g. "qwertyuiop"), or words with obvious character swaps. Attackers run these patterns automatically and if a password feels clever, it's probably already in a word-list.
The best passwords are random, long, and unique to each site. In general, a password manager is the most practical way to do this and there are many online to choose from - do your research!