Test a password
Generate a passphrase instead
Diceware: random words from the EFF list, picked with your browser's secure random generator. Easy to remember, brutal to crack. Nothing is generated on our server.
What leaves your browser
For strength: nothing, the analysis runs entirely in your browser. For the breach check: your password is hashed with SHA-1 in your browser and only the first 5 characters of that hash are sent to our server, which forwards them to the Have I Been Pwned range API. The full hash and the password never leave your device; the matching happens locally. Generated passphrases never leave your browser. Verify in the source.
Do this instead of memorising passwords
Use a password manager
One strong master password, unique random passwords everywhere else. Bitwarden is free and open source; 1Password is a polished paid option.
Prefer passphrases for the ones you type
For your master password and device logins, a six-word passphrase beats a short complex string and is far easier to recall.
Turn on two-factor authentication
Even a breached password is far less useful to an attacker when a second factor is required. Use an authenticator app or a hardware key.
These are unpaid recommendations chosen on merit. If that ever changes, this line will say so.