// FREE IT TOOLS

Password Strength Checker

Test your password strength in real time. Check entropy, estimate crack time, and verify Microsoft 365 compliance — nothing leaves your browser.

// ENTER PASSWORD

Nothing is sent to the server — all processing happens in your browser.

examples:

Enter a password above to check its strength

Understanding Password Entropy

Password entropy measures the unpredictability of a password in bits. It is calculated as length × log₂(pool), where pool is the number of possible characters (lowercase = 26, uppercase = 26, digits = 10, symbols = 33).

A password using only lowercase letters has a pool of 26, so an 8-character password gives about 37.6 bits of entropy. Adding uppercase, digits, and symbols increases the pool to 95, giving the same 8-character password about 52.7 bits.

Length matters more than complexity. A 16-character lowercase password (75.2 bits) is far stronger than an 8-character mixed-charset password (52.7 bits). Consider using passphrases — four or more random words strung together — for both strength and memorability.

Microsoft 365 Password Policies

Microsoft 365 enforces specific password requirements for user accounts. Understanding these policies helps ensure compliance when setting up new accounts or resetting passwords.

Minimum length:Passwords must be at least 8 characters
No common passwords:Passwords found in common password lists are rejected
No repeating characters:Three or more consecutive identical characters (e.g. "aaa") are not allowed
MFA recommended:Microsoft strongly recommends enabling multi-factor authentication

The checker above tests against these specific policies. A password that passes the M365 badge will be accepted by Microsoft 365's password validation — but always combine it with multi-factor authentication for proper security.

Common Password Patterns to Avoid

Attackers use sophisticated dictionaries and pattern matching to crack passwords. Avoid these common weaknesses:

Dictionary words:Common English words (password, welcome, admin) appear in every cracking dictionary
Character substitution:Replacing "a" with "@", "e" with "3", or "o" with "0" is well-known to attackers
Repeating characters:Three or more identical characters in a row (aaa, 111) drastically reduce entropy
Sequential characters:Alphabetical (abc) or numeric (123, 321) sequences are trivial to guess
Keyboard walks:Patterns like qwerty, asdfgh, or zaq1xsw2 follow physical keyboard layouts

Frequently Asked Questions

How is password entropy calculated?: Entropy is calculated as length × log₂(pool), where pool is the sum of character class sizes present in the password. Lowercase = 26, uppercase = 26, digits = 10, symbols = 33. A password using all four classes has a pool of 95.
What makes a password M365-compliant?: Microsoft 365 requires passwords to be at least 8 characters long, not appear in the common password list, and not contain three or more consecutive identical characters. This checker tests all three rules.
How accurate is the crack time estimate?: The estimate assumes an attacker making 10 billion guesses per second using modern GPU hardware. Real-world crack times vary based on the attack method, hash algorithm, and available hardware. Treat the estimate as a rough comparison, not a guarantee.
Is my password sent to a server?: No. All processing happens entirely in your browser using JavaScript. Your password never leaves your device, is never transmitted over the network, and is not stored anywhere.
What is a good password entropy?: Aim for at least 60 bits of entropy for general accounts and 80+ bits for high-value accounts. A 12-character password mixing all character classes (about 78 bits) provides strong protection against brute-force attacks.

// CYBER SECURITY

Need help with security policy?

DMC IT Services provides cybersecurity assessments, Microsoft 365 hardening, MFA deployment, and security policy design for SMBs across London, Cambridge, Hertfordshire, and Bedfordshire.

Talk to an Engineer

← Back to all free tools

Understanding Password Entropy

Microsoft 365 Password Policies

Microsoft 365 enforces specific password requirements for user accounts. Understanding these policies helps ensure compliance when setting up new accounts or resetting passwords.

Minimum length:Passwords must be at least 8 characters
No common passwords:Passwords found in common password lists are rejected
No repeating characters:Three or more consecutive identical characters (e.g. "aaa") are not allowed
MFA recommended:Microsoft strongly recommends enabling multi-factor authentication

Common Password Patterns to Avoid

Attackers use sophisticated dictionaries and pattern matching to crack passwords. Avoid these common weaknesses:

Dictionary words:Common English words (password, welcome, admin) appear in every cracking dictionary
Character substitution:Replacing "a" with "@", "e" with "3", or "o" with "0" is well-known to attackers
Repeating characters:Three or more identical characters in a row (aaa, 111) drastically reduce entropy
Sequential characters:Alphabetical (abc) or numeric (123, 321) sequences are trivial to guess
Keyboard walks:Patterns like qwerty, asdfgh, or zaq1xsw2 follow physical keyboard layouts

Frequently Asked Questions

How is password entropy calculated?

Entropy is calculated as length × log₂(pool), where pool is the sum of character class sizes present in the password. Lowercase = 26, uppercase = 26, digits = 10, symbols = 33. A password using all four classes has a pool of 95.

What makes a password M365-compliant?

Microsoft 365 requires passwords to be at least 8 characters long, not appear in the common password list, and not contain three or more consecutive identical characters. This checker tests all three rules.

How accurate is the crack time estimate?

The estimate assumes an attacker making 10 billion guesses per second using modern GPU hardware. Real-world crack times vary based on the attack method, hash algorithm, and available hardware. Treat the estimate as a rough comparison, not a guarantee.

Is my password sent to a server?

No. All processing happens entirely in your browser using JavaScript. Your password never leaves your device, is never transmitted over the network, and is not stored anywhere.

What is a good password entropy?

Aim for at least 60 bits of entropy for general accounts and 80+ bits for high-value accounts. A 12-character password mixing all character classes (about 78 bits) provides strong protection against brute-force attacks.