Password Policy Checker
NIST Password Guidelines (SP 800-63B)
✓ What Organizations SHOULD Do
- Minimum Length: Require at least 8 characters for user-chosen passwords, 6 for machine-generated
- Maximum Length: Allow at least 64 characters
- All Characters: Accept all printable ASCII characters, including spaces
- Unicode: Support Unicode characters (emojis, international characters)
- Breach Checking: Compare passwords against lists of commonly used, expected, or compromised passwords
- Rate Limiting: Limit failed authentication attempts (to prevent brute force)
- Show Password Option: Offer option to display the password while typing
- Password Managers: Allow paste functionality (don't block password managers)
✗ What Organizations SHOULD NOT Do
- Composition Rules: Don't impose arbitrary complexity requirements (e.g., "must include uppercase, number, and special character")
- Password Expiration: Don't require periodic password changes without evidence of compromise
- Password Hints: Don't use knowledge-based authentication (e.g., "What is your mother's maiden name?")
- SMS 2FA: Don't use SMS as two-factor authentication (use authenticator apps or hardware tokens instead)
- Truncation: Don't silently truncate passwords
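A verifier-side check that applies the SHOULD / SHOULD NOT points above, added here as an example (it is not the page's own tool). The breach list is a constructed sample, and NFKC normalization before comparison is an added assumption rather than something the bullets state.

```javascript
const MIN_LEN = 8;   // user-chosen passwords
const MAX_LEN = 64;  // an upper bound is fine as long as at least 64 characters are accepted
// Constructed sample; a real deployment checks a full breached-password corpus.
const BREACHED = new Set(["password", "123456", "qwerty", "letmein", "welcome"]);

// Count Unicode code points, not UTF-16 code units, so an emoji counts as one character.
function lengthInCodePoints(pw) {
  return Array.from(pw).length;
}

// Returns { ok, reasons }. The password is never truncated or rewritten on the way in.
function checkNistPolicy(pw) {
  const reasons = [];
  // Assumption: NFKC so visually identical inputs compare equally against the breach list.
  const normalized = pw.normalize("NFKC");
  const len = lengthInCodePoints(normalized);
  if (len < MIN_LEN) reasons.push(`shorter than ${MIN_LEN} characters`);
  if (len > MAX_LEN) reasons.push(`longer than ${MAX_LEN} characters`);
  // Case-insensitive lookup so "Password" and "password" both hit the list.
  if (BREACHED.has(normalized.toLowerCase())) reasons.push("found in breach list");
  // Only control characters are rejected; spaces, symbols and Unicode are all allowed.
  if (/\p{Cc}/u.test(normalized)) reasons.push("contains control characters");
  // Deliberately no composition rule: "correct horse battery staple" passes as-is.
  return { ok: reasons.length === 0, reasons };
}

// Failed-attempt counter for rate limiting (in memory here; persist it in production).
const MAX_FAILURES = 5;
const failures = new Map();
function recordFailure(user) {
  const n = (failures.get(user) || 0) + 1;
  failures.set(user, n);
  return n < MAX_FAILURES; // false means further attempts for this user are locked out
}
```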
Key Principles
A longer password (e.g., "correct horse battery staple") is generally more secure than a shorter complex one (e.g., "P@ssw0rd!").
Complex rules frustrate users and often lead to predictable patterns (e.g., "Password1!", "Password2!").
Check passwords against breach databases rather than forcing arbitrary complexity.
MFA is more effective than complex password requirements for security.
Password Security Tips
- ✓ Use a password manager to generate and store unique passwords
- ✓ Create passphrases with 4-5 random words (e.g., "correct-horse-battery-staple")
- ✓ Never reuse passwords across different sites
- ✓ Enable two-factor authentication (2FA) whenever available
- ✓ Avoid personal information (names, birthdays, addresses)
- ✓ Change passwords immediately if a service reports a breach
Key Features
Real-Time Analysis
Get instant feedback as you type. See strength scores, entropy calculations, and crack time estimates in real-time.
Comprehensive Checks
Tests against common passwords, sequential patterns, keyboard layouts, and repeated characters for thorough analysis.
100% Private
All analysis happens in your browser. Your passwords never leave your device - nothing is sent to our servers.
Entropy Calculator
Calculate password entropy in bits to understand the randomness and strength of your password mathematically.
Crack Time Estimates
See how long it would take to crack your password using both online and offline attack methods with modern GPUs.
Policy Compliance
Test passwords against customizable policies and check compliance with NIST guidelines (SP 800-63B).
Password Strength Indicators
Our password strength checker evaluates your password across multiple dimensions:
Length
The most important factor in password security.
- Minimum: 8 characters
- Recommended: 12+ characters
- Optimal: 16+ characters
Character Variety
Using different character types enlarges the pool of characters an attacker has to search.
- Lowercase letters (a-z)
- Uppercase letters (A-Z)
- Numbers (0-9)
- Special characters (!@#$%^&*)
Pattern Avoidance
Avoid predictable patterns attackers check first.
- No sequential characters (abc, 123)
- No keyboard patterns (qwerty)
- No repeated characters (aaa, 111)
- No common substitutions (@ for a)
Uniqueness
Avoid commonly used passwords and personal info.
- Not in breach databases
- Not a dictionary word
- No personal information
- Unique to each account
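The pattern and uniqueness checks listed above, written out as an added example (not the page's own checker). The dictionary, keyboard rows and substitution table are constructed samples; a real check uses a full word list and breach corpus.

```javascript
const DICTIONARY = new Set(["password", "letmein", "welcome", "dragon", "monkey"]); // constructed sample
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];            // US layout rows
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };

// True if any run of n characters steps by +1 or -1 in code-point order (abc, 321).
function hasSequentialRun(pw, n = 3) {
  const cps = Array.from(pw.toLowerCase(), ch => ch.codePointAt(0));
  for (let i = 0; i + n <= cps.length; i++) {
    const step = cps[i + 1] - cps[i];
    if (Math.abs(step) !== 1) continue;
    let ok = true;
    for (let j = i + 1; j < i + n - 1; j++) if (cps[j + 1] - cps[j] !== step) { ok = false; break; }
    if (ok) return true;
  }
  return false;
}

// True if a slice of length n lies on one keyboard row, typed forwards or backwards.
function hasKeyboardPattern(pw, n = 4) {
  const s = pw.toLowerCase();
  for (let i = 0; i + n <= s.length; i++) {
    const piece = s.slice(i, i + n);
    const rev = Array.from(piece).reverse().join("");
    if (KEYBOARD_ROWS.some(r => r.includes(piece) || r.includes(rev))) return true;
  }
  return false;
}

// True if the same character repeats n or more times in a row (aaa, 111).
function hasRepeatedRun(pw, n = 3) {
  return new RegExp(`(.)\\1{${n - 1},}`, "u").test(pw);
}

// Undo common substitutions (@ for a, 0 for o, ...) and look the result up in the dictionary.
function isSubstitutedDictionaryWord(pw) {
  const plain = Array.from(pw.toLowerCase(), ch => LEET[ch] || ch).join("");
  return DICTIONARY.has(plain);
}

function patternFindings(pw) {
  const out = [];
  if (hasSequentialRun(pw)) out.push("sequential characters");
  if (hasKeyboardPattern(pw)) out.push("keyboard pattern");
  if (hasRepeatedRun(pw)) out.push("repeated characters");
  if (isSubstitutedDictionaryWord(pw)) out.push("dictionary word with substitutions");
  return out;
}
```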
Understanding Entropy
Password entropy measures the unpredictability of a password, expressed in bits. Each bit doubles the number of possible combinations.
Entropy Scale
Crackable in seconds. Never use for any account.
Vulnerable to dedicated attacks. Avoid for important accounts.
Acceptable for most low-value accounts with 2FA enabled.
Secure against modern attacks. Good for most accounts.
Extremely secure. Recommended for high-value accounts.
Example Calculation
A 12-character password using lowercase letters (26), uppercase letters (26), numbers (10), and symbols (32) has:
- Character pool: 26 + 26 + 10 + 32 = 94 possible characters
- Total combinations: 94^12 = 4.76 × 10^23
- Entropy: log₂(94^12) ≈ 79 bits
- This password would be classified as "Strong"
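The entropy calculation above, generalized to any input, plus the online and offline crack-time estimates described under Key Features, as an added example (not the page's own calculator). The guess rates are assumptions; the symbol pool of 32 matches the example.

```javascript
const CLASSES = [
  { name: "lowercase", size: 26, re: /[a-z]/ },
  { name: "uppercase", size: 26, re: /[A-Z]/ },
  { name: "digits",    size: 10, re: /[0-9]/ },
  { name: "symbols",   size: 32, re: /[^a-zA-Z0-9]/ }, // printable ASCII symbols, space included
];
// Assumed attacker speeds: a rate-limited online login versus an offline GPU on a fast hash.
const ONLINE_GUESSES_PER_SEC = 100;
const OFFLINE_GUESSES_PER_SEC = 1e10;

// Pool = sum of the sizes of every character class the password actually uses.
function poolSize(pw) {
  return CLASSES.filter(c => c.re.test(pw)).reduce((sum, c) => sum + c.size, 0);
}

// Bits of entropy for a password drawn uniformly from the pool: length * log2(pool).
// This is an upper bound; dictionary words or patterns are far less random than that.
function entropyBits(pw) {
  const pool = poolSize(pw);
  return pool === 0 ? 0 : Array.from(pw).length * Math.log2(pool);
}

// Expected seconds to hit the password: on average half the keyspace is searched.
function crackSeconds(bits, guessesPerSec) {
  return Math.pow(2, bits - 1) / guessesPerSec;
}

function humanTime(sec) {
  if (sec < 60) return `${sec.toFixed(1)} seconds`;
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, s] of units) if (sec >= s) return `${(sec / s).toExponential(2)} ${name}`;
}

function analyze(pw) {
  const bits = entropyBits(pw);
  return {
    pool: poolSize(pw),
    bits: Math.round(bits * 100) / 100,
    online: humanTime(crackSeconds(bits, ONLINE_GUESSES_PER_SEC)),
    offline: humanTime(crackSeconds(bits, OFFLINE_GUESSES_PER_SEC)),
  };
}
```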
Common Password Weaknesses
❌ Avoid These
- Dictionary Words: password, letmein, welcome
- Simple Patterns: 123456, abc123, qwerty
- Personal Info: name, birthday, address
- Simple Substitutions: P@ssw0rd, L3tm31n
- Short Passwords: Anything under 8 characters
✓ Use These Instead
- Random Passphrases: correct-horse-battery-staple
- Password Manager: Let software generate random strings
- Long & Unique: 16+ characters, different for each site
- Diceware Method: Roll dice to pick random words
- Enable 2FA: Add another layer of security
Need Help Securing Your Organization?
Our cybersecurity experts can help you implement enterprise password policies, multi-factor authentication, and comprehensive security training.