🔐 密碼強度分析器
Password Strength Analyzer

即時分析密碼強度,估算破解時間,並提供具體改善建議
Analyze password strength in real-time — crack time estimates and actionable improvement tips. Runs entirely in your browser; your password is never sent to any server.

密碼分析在裝置上執行;洩露查詢僅傳送雜湊值前 5 碼(k-匿名),密碼本身不會離開裝置
Analysis runs in your browser. Breach check uses k-anonymity — only a 5-char hash prefix is sent, never your actual password.

{{ displayLabel }} 破解時間 / Crack time:{{ displayCrackTime }}
長度 / Length:{{ result.length }}
小寫字母 / Lowercase (a–z)
大寫字母 / Uppercase (A–Z)
數字 / Digits (0–9)
特殊符號 / Symbols (!@#…)
熵值 / Entropy ≈ {{ result.effectiveEntropy.toFixed(1) }} bits

偵測到問題 / Issues Found

  • {{ item }}

改善建議 / Suggestions

  • {{ item }}

優點 / Strengths

  • {{ item }}

 什麼是密碼強度分析器?
What Is the Password Strength Analyzer?

密碼強度分析器是一款免費的線上工具,能即時評估您的密碼強度並提供具體的改善建議。本工具採用資訊熵(information entropy)演算法,分析密碼的長度、字符組成與可預測規律,計算出有效熵值後判斷強度等級,同時估算在現代硬體下被暴力破解所需的時間。

The Password Strength Analyzer is a free online tool that evaluates your password's strength in real time and provides actionable improvement tips. It uses an information entropy algorithm to analyze password length, character composition, and predictable patterns — computing an effective entropy score, mapping it to a strength level, and estimating how long it would take to crack with modern hardware.

 如何使用?
How to Use?

  1. 在輸入框輸入或貼上您想測試的密碼,強度分析即時更新,無需按下任何按鈕
    Type or paste the password to test — analysis updates instantly as you type, no button press needed.
  2. 點擊輸入框右側的眼睛圖示,可切換顯示或隱藏密碼明文
    Click the eye icon on the right to toggle between showing and hiding the password.
  3. 查看強度條的顏色與寬度,以及下方的強度等級與破解時間估計
    Read the color-coded strength bar, the strength label, and the estimated crack time below it.
  4. 檢視組成分析區塊,確認長度、大小寫、數字、符號與熵值是否達標
    Check the composition panel to see whether length, uppercase, lowercase, digits, symbols, and entropy meet recommended thresholds.
  5. 閱讀問題清單與改善建議,逐步強化您的密碼
    Review the issues list and suggestions to iteratively strengthen your password.

 強度等級說明
Strength Levels Explained

本工具依密碼的有效熵值(effective entropy)將強度分為五個等級。熵值越高,代表密碼的不可預測性越強,越難被暴力破解或字典攻擊。有效熵值在計算理論熵值後,會依據偵測到的可預測規律(如常見密碼、鍵盤序列、重複字元)進行扣分。

Strength is divided into five levels based on effective entropy — theoretical entropy adjusted downward for detected patterns (common passwords, keyboard walks, repeated characters). Higher effective entropy means greater unpredictability and resistance to brute-force and dictionary attacks.

等級 / Level熵值範圍 / Entropy破解時間 / Crack Time說明 / Notes
非常弱 / Very Weak< 28 bits瞬間–幾秒
Instant–seconds
常見密碼、純數字、極短
Common passwords, digits-only, very short
弱 / Weak28–40 bits幾分鐘–幾小時
Minutes–hours
單一字符類型、含鍵盤序列
Single char type or keyboard patterns
中等 / Moderate40–60 bits幾天–幾個月
Days–months
混合字符但較短或有規律
Mixed types but short or patterned
強 / Strong60–80 bits幾年–幾十年
Years–decades
多種字符混合且長度足夠
Multiple types with adequate length
非常強 / Very Strong> 80 bits數百年以上
Centuries or more
長度 16+、多種字符、無規律
16+ chars, varied types, no patterns

※ 破解時間估計基於每秒 100 億次猜測(現代 GPU 離線攻擊速率)。實際時間因雜湊演算法與硬體而異。
Crack time assumes 10 billion guesses/sec (modern GPU offline attack). Actual time varies by hash algorithm and hardware.

 強密碼的要素
What Makes a Strong Password?

  • 長度是關鍵:每增加一個字元,破解所需時間呈指數成長。建議最低 12 字元,重要帳號建議 16 字元以上
    Length is the single most impactful factor — each character added exponentially multiplies crack time. Aim for 12+ characters; 16+ for sensitive accounts.
  • 混合字符類型:同時使用大寫、小寫、數字、特殊符號,可大幅擴大可能的字符空間,使暴力破解的成本呈指數上升
    Mix uppercase, lowercase, digits, and symbols to dramatically expand the search space, making brute-force exponentially more expensive.
  • 避免可預測的規律:鍵盤序列(qwerty、asdf)、重複字元(aaa、111)、常見單字、生日或年份等,都會大幅降低有效熵值
    Avoid keyboard walks (qwerty, asdf), repeated characters (aaa, 111), dictionary words, birthdays, or years — all drastically reduce effective entropy.
  • 每個帳號使用獨立密碼:即使密碼夠強,若多個網站共用同一組密碼,任一網站資料外洩即可能導致所有帳號受害
    Even a strong password becomes a liability if reused — a single breach anywhere exposes every account that shares it.
  • 使用密碼管理器:讓工具為每個網站產生並儲存獨立的隨機強密碼,您只需記住一組主密碼
    Use a password manager to generate and store unique random passwords for every site — you only need to remember one master password.

 更好記也更強:改用「密語」(Passphrase)
Use a Passphrase Instead

與其設一個又短又難記的複雜密碼(例如 Tr0ub@4),不如用「多個隨機單字」組成的長密語。因為長度對強度的影響是指數級的,一組 4–6 個隨機單字的密語,熵值往往不輸甚至勝過短而複雜的密碼,卻好記得多——這也是現代資安(如 NIST)鼓勵的方向。

  • 單字必須「隨機挑選」:不能用名言佳句、歌詞或通順的句子。連貫的句子容易被語料庫/字典攻擊猜中,等於白費長度。 The words must be randomly chosen — famous quotes, lyrics, or grammatical sentences are vulnerable to dictionary attacks.
  • 加點變化更保險:在單字之間插入數字或符號、大小寫交錯,可進一步提高熵值(例如 river7-Maple-cloud!Fox)。 Sprinkle in digits, symbols, and mixed case between words to push entropy higher.
  • 懶得想就交給工具:用密碼管理器或本站的隨機密碼產生器產生,再貼回上方分析器驗證強度。 Let a password manager or our generator create it, then paste it above to verify.

 常見問題
Frequently Asked Questions

我輸入的密碼會被記錄或傳送出去嗎?

不會。本工具完全在您的瀏覽器(客戶端)執行,密碼不會傳送至任何伺服器,也不會被記錄或儲存。您可以放心測試任何密碼。

No. This tool runs entirely in your browser (client-side). Your password is never transmitted to any server, logged, or stored. You can safely test any password.

什麼是密碼熵值(entropy)?

熵值(以 bits 為單位)衡量密碼的不可預測性,計算方式為:密碼長度 × log₂(字符集大小)。例如一個 12 字元、混合大小寫和數字的密碼,字符集約 62 個,理論熵值約 71 bits。本工具還會根據偵測到的規律(如鍵盤序列、常見密碼)進一步降低有效熵值,讓結果更貼近真實的破解難度。

Entropy (in bits) measures unpredictability: length × log₂(charset size). A 12-character mixed-case alphanumeric password has ~71 bits of theoretical entropy. This tool further reduces the effective entropy based on detected patterns — keyboard walks, common passwords, repeated characters — to better reflect real-world crackability.

破解時間估計準確嗎?

破解時間是基於每秒 100 億次猜測(模擬現代 GPU 進行離線暴力破解)的估算值,並非精確預測。實際破解時間受雜湊演算法(bcrypt 比 MD5 慢 1000 倍以上)、攻擊者資源、是否在已知字典中等因素影響。本工具的估算旨在提供直觀的相對強度概念,而非絕對保證。

Crack time is an estimate at 10 billion guesses/second (offline GPU brute-force) — not a guarantee. Actual time depends on the hash algorithm (bcrypt is 1000× slower than MD5), attacker resources, and whether the password appears in known breach databases. The estimate is intended to convey relative strength intuitively, not as an absolute prediction.

密碼含有中文字或 emoji 安全嗎?

在技術上,非 ASCII 字元(如中文字、emoji)可大幅擴大字符集,理論熵值更高。但實際可用性需考量:部分系統不支援特殊字元輸入、跨裝置輸入不便,且某些網站對密碼字元有限制。建議以充足長度搭配多種 ASCII 符號為主,再視需求加入非 ASCII 字元。

Non-ASCII characters (Chinese, emoji) theoretically increase entropy significantly. However, usability is a real concern: some systems reject them, cross-device input can be inconvenient, and some sites restrict character sets. A strong mix of length, ASCII letters, digits, and symbols is the most universally compatible approach.

我應該多久更換一次密碼?

現代資安建議(NIST SP 800-63B)指出,若密碼夠強且無資料外洩跡象,不需要定期強制更換。頻繁更換反而容易讓使用者設定更簡單、有規律的密碼。建議做法:使用強密碼 + 啟用雙重驗證(2FA)+ 訂閱資料外洩通知服務(如 HaveIBeenPwned)。

Current security guidance (NIST SP 800-63B) advises against mandatory periodic password rotation unless a breach is suspected — forced changes often lead to weaker, predictable passwords. Instead: use a strong unique password, enable two-factor authentication (2FA), and subscribe to breach notifications (e.g., HaveIBeenPwned).

為什麼有些長密碼仍然顯示為「弱」?

本工具不只看長度,還會偵測可預測的規律。若密碼包含常見密碼、鍵盤序列(如 qwerty1234)、或大量重複字元(如 aaaaaaaaaa),即使長度達到 12 字元,有效熵值也可能大幅下降,導致評級偏低。真正強的密碼需要同時具備足夠的長度與不可預測性。

Length alone does not guarantee strength. The tool also detects predictable patterns — if a password contains a common phrase, keyboard walk (e.g. qwerty1234), or heavy repetition (e.g. aaaaaaaaaa), effective entropy drops significantly even at 12+ characters. True strength requires both adequate length and genuine unpredictability.

 總結
Summary

無論是設定新密碼、審視現有密碼,或是想了解密碼安全的基本原理,密碼強度分析器都能在幾秒內提供即時、準確的評估。採用熵值演算法加上可預測規律扣分,搭配完全在瀏覽器端執行的隱私設計,是兼顧深度分析與安全隱私的最佳免費選擇。

Whether you are setting a new password, auditing an existing one, or simply learning what makes passwords strong, the Password Strength Analyzer delivers instant, accurate assessments in seconds. Entropy-based scoring with pattern penalties, combined with fully client-side execution, makes it the best free tool for in-depth password analysis without sacrificing your privacy.