Password Security Tool
Test password strength against real-world attack scenarios. Generate compliant passwords and check against industry standards.
Pro Tip: Password managers use slow hashing algorithms (PBKDF2/Argon2), making your vault millions of times harder to crack than Windows NTLM.
Weak Passwords Across Your Organisation?
Password policy is just one layer of defence. Let our team audit your full authentication stack and credential management practices.
About the Password Security Checker
A password security checker takes a candidate password and scores it against the metrics modern attackers actually use: length, character-set diversity, presence in published breach corpora, and similarity to common dictionary patterns. The score is not just about how long the password is. A 12-character password that consists of a real word followed by a year is weaker than an 11-character passphrase made of unrelated dictionary words, because the word-plus-year pattern is what crackers throw at the hash first.
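An added example (not this tool's own code) of why the word-plus-year pattern scores below a shorter passphrase: it estimates the attacker's search space as the smaller of brute force and pattern guessing. The sample word list, the 100,000-word dictionary size and the two pattern models are assumptions.

```javascript
// Constructed sample word list; a real checker would load a large dictionary.
const WORDS = new Set(["password", "mountain", "football", "sky", "lamp", "ox", "river", "piano"]);
const DICT_SIZE = 100000;   // assumption: size of the attacker's word list
const DIGIT_SUFFIXES = 11110; // every 1- to 4-digit suffix (10 + 100 + 1000 + 10000)

// Size of the alphabet a brute-force attack would have to cover.
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII symbols incl. space
  return n;
}

// log2 of the guesses needed to exhaust every string of this length.
function bruteForceBits(pw) {
  return pw.length * Math.log2(charsetSize(pw));
}

// log2 of the guesses needed when the password fits a known pattern.
function patternBits(pw) {
  // Pattern 1: dictionary word + digits + optional trailing symbol.
  const m = /^([A-Za-z]+)(\d{1,4})([^A-Za-z0-9]?)$/.exec(pw);
  if (m && WORDS.has(m[1].toLowerCase())) {
    // words x 2 capitalisations x digit suffixes x (33 symbols or none)
    return Math.log2(DICT_SIZE * 2 * DIGIT_SUFFIXES * 34);
  }
  // Pattern 2: passphrase of dictionary words joined by a separator.
  const parts = pw.toLowerCase().split(/[-_ .]/);
  if (parts.length > 1 && parts.every((p) => WORDS.has(p))) {
    return parts.length * Math.log2(DICT_SIZE);
  }
  return Infinity; // no pattern matched: attacker falls back to brute force
}

// The attacker uses whichever strategy is cheaper.
function estimateBits(pw) {
  return Math.min(bruteForceBits(pw), patternBits(pw));
}

for (const pw of ["Mountain2024", "sky-lamp-ox", "q7#Vt9!xLm2$"]) {
  console.log(pw, pw.length, "chars:", estimateBits(pw).toFixed(1), "bits");
}
```

Under these assumptions the 12-character word-plus-year password falls to the pattern attack long before the 11-character passphrase does, even though its brute-force figure is higher.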
NCSC password guidance has shifted over the last decade. The current recommendation (NCSC password administration guidance, 2024 update) is to drop forced periodic rotation, drop complexity rules that require a special character, and instead push for length, uniqueness per service, and breach-checking on selection. Multi-factor authentication on every account that supports it is the bigger lever. Password strength is the second lever.
The password checker is the right place to test a candidate password before you set it. It is the wrong place to test passwords already in use, because typing them into any tool (including this one) widens the surface where they have been seen. We do not store the passwords you check, but the right operational discipline is to use a password manager that scores strength internally as you generate.
Common questions
Do you store the passwords I check?
No. Password strings are processed in your browser where possible and never logged server-side. We do not store, transmit to third parties, or retain the candidate passwords you test.
What makes a password strong?
Length (16 characters or more), uniqueness (used on one service only), randomness (not a real word with substitutions), and absence from breach corpora. NCSC pushes length and uniqueness over complexity rules.
Should I rotate my passwords every 90 days?
Not unless there is a specific reason. NCSC dropped the periodic-rotation recommendation in 2017 and reaffirmed that position in 2024. Rotate when there is a breach indicator, when a privileged account changes hands, or when MFA is added so the new credential can be set fresh.
How does this fit with Cyber Essentials?
Cyber Essentials requires a password policy that protects against credential-based attacks. The current scheme accepts MFA on key accounts plus length-based password requirements. The checker validates that your candidate passwords clear the bar.
Beyond the free check
Cyber Essentials Certification
Get assessed and certified against the password and account-management controls.
Passing Cyber Essentials
What assessors check on password and authentication controls during a CE assessment.