Test password strength, generate secure passwords, and create cryptographic hashes. All tools run entirely in your browser. No data is collected or transmitted.
Test how strong your password is in real time. Nothing is transmitted. Analysis happens entirely in your browser.
Generate a strong, random password with your preferred settings.
Generate MD5, SHA-1, and SHA-256 hashes from any text input.
How today's leading security standards approach password requirements. Modern guidance favors length and breach screening over forced complexity and routine expiry.
| Requirement | NIST SP 800-63B | ISO/IEC 27001 | OWASP |
|---|---|---|---|
| Minimum length | At least 8 characters; verifiers must accept at least 64 | Risk-based; policy must require an adequate minimum length | At least 8 (12+ recommended); support at least 64 |
| Composition rules | Must not force character-type mixes | Require sufficient complexity for the assessed risk | No mandated composition; allow all characters, including spaces |
| Periodic expiry | Must not force routine changes; change only on compromise | Change at first use and on suspected compromise (policy-driven) | No arbitrary rotation; rotate only on compromise |
| Breach and dictionary screening | Must screen against compromised, dictionary, sequential, and context-specific values | Prevent reuse; enforce password quality | Reject known-breached passwords (for example, Have I Been Pwned) |
| Failed-attempt handling | Must throttle or rate-limit repeated failed attempts | Limit, log, and alert on failed logon attempts | Rate-limit and cap consecutive failed attempts |
| Multi-factor authentication | Recommended; restricts SMS one-time codes | Recommended for higher-risk access | Strongly recommended, especially for sensitive functions |
| Storage | Salt and hash with a strong one-way function; optional keyed hash | Store and transmit authentication data in protected form | Use Argon2, bcrypt, scrypt, or PBKDF2 with a unique salt |
| Password managers and paste | Must allow pasting; should offer show-password | Permits password management tools | Allow paste, managers, and a show-password toggle |
| Hints and security questions | Must not use hints or knowledge-based questions | Protect recovery; avoid insecure mechanisms | Avoid security questions; use secure recovery flows |
Summary of current published guidance (NIST SP 800-63B, ISO/IEC 27001:2022 with ISO/IEC 27002 controls 5.17 and 8.5, and OWASP ASVS / Authentication Cheat Sheet). Provided for general reference, not as legal or compliance advice.