Password Entropy Calculator

Frequently Asked Questions

How is password entropy calculated?

Entropy in bits = length × log₂(character-pool size). Lowercase only is a pool of 26; adding uppercase, digits, and symbols grows it to ~95. More length and a bigger pool both raise entropy.

How many bits is "strong"?

Rough guide: under 28 very weak, 36–59 reasonable, 60–127 strong, 128+ very strong. For accounts that may face offline cracking, aim for 80+ bits, ideally with a passphrase.

How is crack time estimated?

Guesses needed ≈ 2^entropy ÷ 2, divided by the attacker's guess rate. Offline GPU attacks can exceed 10¹⁰/s; online attacks are far slower. The tool shows both scenarios.

Should I type my real password here?

No. This estimates strength from length and character types only - never enter a real password into any website. Use a manager-generated passphrase instead.

Provided by AllCalculators.io
Free online calculators for everyday. No registration required.

Estimates for informational purposes only.

Important Disclaimer: Estimates for informational purposes only.

This calculator provides estimates for informational purposes only. Results are based on assumptions and may not reflect actual outcomes. Consult qualified professionals in relevant fields before making important decisions based on these results.

JavaScript is required to use the interactive calculator above. The questions and answers below remain readable without JavaScript.

How This Calculator Works

Password strength is measured in bits of entropy, the base-2 logarithm of how many guesses an attacker must try. The formula is E = L × log₂(R), where L is the password length and R is the size of the character pool it draws from. A 12-character password using lowercase + uppercase + digits draws from a pool of 62, so each character adds log₂(62) ≈ 5.95 bits → about 71 bits total. Crack time assumes an attacker tries half the keyspace on average: (2^E ÷ 2) ÷ guesses-per-second. We show both an offline rate (a fast GPU rig, ~10¹⁰/s) and a throttled online rate (~10³/s).

Worked Example

Take a 16-character password using lowercase, uppercase, digits and symbols. The pool is 26 + 26 + 10 + 32 = 94. Entropy = 16 × log₂(94) ≈ 16 × 6.55 = 104.8 bits. The keyspace is 2^104.8 ≈ 3.1 × 10³¹ combinations. At 10¹⁰ guesses per second an attacker averages 1.5 × 10²¹ seconds - far longer than the age of the universe. Drop to 8 characters and entropy falls to ~52 bits, cracked offline in hours. Length matters more than complexity: every added character multiplies the keyspace by the full pool size.

Real-World Use

Use this to compare password policies, not your actual secrets. A NIST-aligned rule of thumb: aim for ≥60 bits for ordinary accounts and ≥80 bits for high-value ones (financial, admin, recovery email). A four-word passphrase from a 7,776-word list (Diceware) yields ~51 bits per four words and is far easier to remember than a random symbol soup of equal strength. For anything that matters, a password manager generating 20+ random characters per site removes the human bottleneck entirely - entropy is wasted if the same password is reused.

Common Mistakes

Counting predictable substitutions: "P@ssw0rd" has the same real entropy as "password" - attackers' wordlists already apply leetspeak rules.

Trusting the meter on a dictionary word: the math here assumes random characters. A real word from a 200,000-word dictionary is ~18 bits no matter how long it looks.

Ignoring offline vs online: a breached password database lets attackers guess at hardware speed (10¹⁰+/s), not the slow rate a login form enforces.

Adding one symbol and feeling safe: a single appended "!" adds under one bit; another four random characters adds dozens.

Limitations & Privacy

Never type a real password into any web tool, including this one. This calculator works purely from composition (length and which character classes you select) and never sees or transmits a secret - all math runs in your browser. It models a theoretically random password; human-chosen passwords contain patterns (names, dates, keyboard walks) that real cracking tools exploit, so treat the result as a generous upper bound. It also cannot account for credential stuffing, phishing, or breaches - which is why unique passwords plus multi-factor authentication beat raw entropy alone.

Password Entropy Calculator

Frequently Asked Questions

Related Networking & IT Calculators