Get a real entropy calculation and a crack-time estimate against modern hardware. We flag dictionary words, keyboard walks, and the top 10,000 leaked passwords. Your password is never transmitted.
The real strength of a password is the entropy an attacker has to burn to guess it — not whether it has "one uppercase, one number, one symbol." A 20-character passphrase of random words ("correct horse battery staple") has ~77 bits of entropy. An 8-character password with mixed case, a number, and a symbol ("P@ssw0rd!") has ~25 bits if you count the pool naively, but ~4 bits in practice because it is in every cracking dictionary in existence.
We compute entropy as log2(pool_size) × length, then apply penalties for:
qwerty, asdfgh, 1qaz2wsx.
aaaa, 1234, abcd.
P@ssw0rd is password. Attackers know this.
2024, 1985 are guessed first.

The "time to crack" figures assume an attacker with modern GPU hardware performing an offline attack on a stolen hash. For bcrypt or Argon2, a single GPU does roughly 10,000 guesses/second. For unsalted SHA-256 (don't do this), a GPU does billions/second, and a rented 8-GPU cluster does trillions. We report both so you can see the difference a slow hash function makes.
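The calculation described above, as an added example that is not the tool's own code: the log2(pool_size) × length formula, checks for the listed pattern classes, and the time to exhaust the guess space at a slow-hash and a fast-hash rate. The sample word list, the leet map, the cap applied to listed passwords, and the 1e9 guesses/second figure are assumptions; the page does not state its penalty amounts.

```python
import math
import re
import string

COMMON = {"password", "letmein", "dragon"}    # constructed stand-in for the leaked list
LEAKED_LIST_SIZE = 10_000                     # size of the list the page mentions
WALKS = ("qwerty", "asdfgh", "1qaz2wsx")      # keyboard walks named on the page
LEET = str.maketrans("@4$50137", "aassoiet")  # assumed substitution map
RATES = {"bcrypt/Argon2": 1e4,                # page: ~10,000 guesses/second per GPU
         "unsalted SHA-256": 1e9}             # assumed figure for "billions/second"

def naive_bits(pw):
    """Page formula: log2(pool_size) x length, pool = character classes present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return math.log2(pool) * len(pw) if pool else 0.0

def findings(pw):
    """Pattern classes the page lists as penalised."""
    low, found = pw.lower(), []
    if any(w in low for w in WALKS):
        found.append("keyboard walk")
    if re.search(r"(.)\1{2,}", low) or "1234" in low or "abcd" in low:
        found.append("repeat or sequence")
    # Undo leet substitutions after dropping trailing digits and symbols.
    if low.rstrip(string.digits + string.punctuation).translate(LEET) in COMMON:
        found.append("common password")
    if re.search(r"(19|20)\d{2}", low):
        found.append("year")
    return found

def estimate(pw):
    """Return naive bits, findings, effective bits and seconds to exhaust."""
    found = findings(pw)
    bits = naive_bits(pw)
    effective = bits
    if "common password" in found:
        # Assumption: a listed password costs at most one pass over the list.
        effective = min(bits, math.log2(LEAKED_LIST_SIZE))
    seconds = {name: 2 ** effective / rate for name, rate in RATES.items()}
    return {"naive_bits": bits, "findings": found,
            "effective_bits": effective, "seconds": seconds}

if __name__ == "__main__":
    for sample in ("P@ssw0rd!", "qwerty1985", "aaaa"):  # constructed inputs
        print(sample, estimate(sample))
```

Only the dictionary hit changes the number here; the other findings are reported without a numeric penalty because any weight for them would be a guess.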
Even a perfect password fails if it's reused, stored in plaintext, or emailed to a colleague. That's why this tool is a teaching aid, not a solution. At enterprise scale you need:
SF365's Secret Scanner ships with 81 pre-compiled regex patterns covering AWS/Azure/GCP, AI API keys, GitHub tokens, database connection strings, and yes — hardcoded passwords. Every commit, every branch.