Password Strength Checker

Analyze password security and get real-time feedback

Privacy Notice: All password analysis happens in your browser. Nothing is sent to a server or stored.

Enter Password

NIST Password Guidelines (SP 800-63B)

These guidelines are from the National Institute of Standards and Technology (NIST) Digital Identity Guidelines.

•
Minimum Length: Require at least 8 characters for user-chosen passwords, 6 for machine-generated
•
Maximum Length: Allow at least 64 characters
•
All Characters: Accept all printable ASCII characters, including spaces
•
Unicode: Support Unicode characters (emojis, international characters)
•
Breach Checking: Compare passwords against lists of commonly used, expected, or compromised passwords
•
Rate Limiting: Limit failed authentication attempts (to prevent brute force)
•
Show Password Option: Offer option to display the password while typing
•
Password Managers: Allow paste functionality (don't block password managers)

•
Composition Rules: Don't impose arbitrary complexity requirements (e.g., "must include uppercase, number, and special character")
•
Password Expiration: Don't require periodic password changes without evidence of compromise
•
Password Hints: Don't use knowledge-based authentication (e.g., "What is your mother's maiden name?")
•
SMS 2FA: Don't use SMS as two-factor authentication (use authenticator apps or hardware tokens instead)
•
Truncation: Don't silently truncate passwords

Length Over Complexity:

A longer password (e.g., "correct horse battery staple") is generally more secure than a shorter complex one (e.g., "P@ssw0rd!").

User-Friendly Security:

Complex rules frustrate users and often lead to predictable patterns (e.g., "Password1!", "Password2!").

Focus on Compromise Detection:

Check passwords against breach databases rather than forcing arbitrary complexity.

Enable Multi-Factor Authentication:

MFA is more effective than complex password requirements for security.

✓Use a password manager to generate and store unique passwords
✓Create passphrases with 4-5 random words (e.g., "correct-horse-battery-staple")
✓Never reuse passwords across different sites
✓Enable two-factor authentication (2FA) whenever available
✓Avoid personal information (names, birthdays, addresses)
✓Change passwords immediately if a service reports a breach