Free Security Tool
How Strong Is
Your Password?
Powered by zxcvbn — the same open-source strength estimator used by Dropbox, WordPress, and thousands of security-conscious apps. Get a real crack-time estimate against realistic attack scenarios, not a lazy length check. Your password never leaves your browser.
How to read the score
What zxcvbn is measuring.
Strength Score (0-4)
0 = trivially guessable in seconds. 2 = attacker with a wordlist gets it in hours. 3 = holds up to online guessing but not offline hashing. 4 = holds up to even an offline attack with GPU hardware for years.
Crack-Time Estimate
How long an attacker would need under four scenarios: online-throttled, online-unthrottled, offline-slow-hash, offline-fast-hash. Password sites should be online-throttled; a database dump moves attackers to offline-fast-hash where speed matters.
What Broke It
zxcvbn explains why. Common English word. Keyboard walk. Date. l33t substitution of a common password. Repeat. Sequential characters. Every weakness the estimator finds lowers the score and shortens the estimate.
Suggested Fix
Concrete advice you can apply: add another word, avoid dates, do not build off a common word with substitutions. Applied together, three tweaks usually take a password from score 1 to score 4.
Get monthly password hygiene checks
Save this result and get a monthly reminder.
Once a month we'll email you a short reminder to re-test the passwords you care about and check whether any of your accounts have appeared in a new breach. No spam, one-click unsubscribe.
Beyond Strong Passwords
Even a perfect password won't save you if the site loses your hash.
The realistic security ceiling for human-memorized passwords is exactly one strong password. Beyond that, you need a password manager, breach monitoring so you know the second a service leaks, and phishing protection that stops credential harvesters at the DNS level. CyberFence Complete covers the last two out of the box.
- ✓ Breach Monitor watches 3 email addresses against 15+ billion leaked credentials in real time
- ✓ Web Shield blocks phishing and credential-harvesting domains before you ever land on them
- ✓ VPN encrypts every login-in-flight, defeating public Wi-Fi credential theft
- ✓ Works with iCloud Keychain, Google Password Manager, 1Password, and Bitwarden
FAQ
Common questions about password strength.
What is a strong password?
A strong password is long, unique, and unpredictable. The single most important factor is length — every additional character multiplies the number of possible passwords an attacker has to try. Modern security guidance from NIST recommends passphrases of 12+ characters over shorter passwords stuffed with special characters. This tool uses zxcvbn, the open-source password strength estimator developed at Dropbox, which measures real-world guessability against dictionaries, common patterns, keyboard walks, dates, and 30,000+ known-breached passwords.
How does this tool measure password strength?
This tool uses zxcvbn, an open-source password strength estimator that goes far beyond the length/character-class rules most sites still use. zxcvbn scores passwords against dictionaries of common words, names, common passwords, l33t-speak substitutions, keyboard patterns like qwerty and asdfgh, dates, and repeats. It returns an estimated number of guesses an attacker would need — not just a length check. That is why "Password123!" gets a low score even though it meets typical complexity rules.
Is my password sent to CyberFence?
No. This tool runs 100% in your browser using the zxcvbn library loaded from your device. Your password is never transmitted to CyberFence, never logged, never stored, and never associated with any account. Close the tab and everything is gone. If you want to verify, open your browser DevTools Network tab while you type — you will see zero requests carrying your password.
What score should I be aiming for?
For any account you care about — email, banking, work — aim for zxcvbn score 4 (Strong). That corresponds to an estimated 10 billion+ guesses required to crack, which is beyond what a well-funded attacker can attempt against a properly-configured login system. Score 3 (Good) is acceptable for lower-stakes accounts. Anything at score 0-2 should be changed immediately.
How long should my password be?
Length beats complexity. A 16-character passphrase of random common words ("correct-horse-battery-staple") is stronger and easier to remember than an 8-character password with symbols ("P@ssw0rd!"). NIST SP 800-63B guidance dropped the old complexity rules years ago and now emphasizes length: 12 characters minimum, 16+ recommended for anything sensitive. This tool factors length into the score directly — you will see the crack estimate jump exponentially as you add characters.
Should I use a password manager?
Yes. The realistic security ceiling for human-memorized passwords is one strong password. Beyond that, unique strong passwords across dozens of accounts requires a password manager — either the OS-native one (iCloud Keychain, Google Password Manager, Windows Hello) or a dedicated service like 1Password or Bitwarden. Combined with breach monitoring (so you know when a service leaks) and a VPN (so login traffic is encrypted end-to-end), that closes the credential-theft attack surface almost entirely.
Does CyberFence store or generate passwords?
CyberFence does not store your third-party passwords. Your CyberFence account password itself is hashed with an Argon2id-family key-derivation function and per-user salt — even a full database compromise on our side does not yield usable credentials. If you want CyberFence to alert you when one of your accounts appears in a public breach, use Breach Monitor. If you want to prevent phishing attacks that harvest passwords in the first place, Web Shield blocks known malicious domains before you can hand over credentials.