Password Entropy Calculator - Analyze Password Strength
Calculate password entropy in bits, assess strength rating, and estimate brute-force crack time based on character set composition and password length.
Enter a password to automatically detect its character classes, or manually specify the character pool size and length. The entropy score reveals how resistant the password is to brute-force attacks.
About the password entropy calculator
Password entropy is a measure of how unpredictable a password is, expressed in bits. The higher the entropy, the more guesses an attacker needs to crack the password by brute force. The formula is straightforward: entropy H = L × log₂(N), where L is the length of the password and N is the size of the character pool from which each character is drawn.
The character pool size depends on which character classes are used. Lowercase letters (a–z) contribute 26 characters. Uppercase letters (A–Z) add another 26. Decimal digits (0–9) contribute 10. Standard keyboard symbols such as !, @, #, $, %, ^, &, *, (, ), and similar characters contribute approximately 32 characters. A password that uses all four classes has a pool of roughly 94 characters — this gives the maximum entropy per character.
As a practical benchmark, a pool of 94 characters with a length of 12 characters yields approximately 78.7 bits of entropy. Security professionals generally consider 60 bits as the minimum for a strong password and 80 bits as very strong against state-level adversaries. The NIST Digital Identity Guidelines (SP 800-63B) moved away from complexity rules in favour of length, and the entropy calculation shows why: adding one character to a 94-character-pool password is worth more than switching a letter to a symbol.
Crack time estimates assume a modern GPU-based attack at approximately 10 billion (10^10) guesses per second, which is realistic for simple hash functions such as MD5. For slower, memory-hard algorithms such as bcrypt, Argon2, or scrypt, the effective guess rate drops to millions or even thousands per second, making the crack time estimates extremely conservative.
Entropy calculations assume each character is drawn independently and uniformly at random. Real passwords chosen by humans often violate this assumption — dictionary words, keyboard patterns, and predictable substitutions all reduce effective entropy far below the theoretical maximum. The calculated entropy is therefore an upper bound for user-chosen passwords and an accurate figure only for cryptographically random passwords generated by a password manager.
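The calculation described above, written out as an added JavaScript example (not the calculator's own source): it detects character classes, applies H = L × log₂(N), maps the result to the rating boundaries listed in the FAQ, and estimates exhaustive-search time at a configurable guess rate. The function names, the rule that any non-alphanumeric character counts toward the 32-symbol class, and the handling of fractional values between the listed ranges are assumptions of this example.

```javascript
// Added example: character classes and pool sizes as given in the text.
const CLASSES = [
  { name: "lowercase", re: /[a-z]/, size: 26 },
  { name: "uppercase", re: /[A-Z]/, size: 26 },
  { name: "digits", re: /[0-9]/, size: 10 },
  // Assumption: every other character is counted as the ~32-symbol class.
  { name: "symbols", re: /[^a-zA-Z0-9]/, size: 32 },
];

// Pool size N is the sum of the sizes of the classes present in the password.
function detectPool(password) {
  const present = CLASSES.filter((c) => c.re.test(password));
  return {
    classes: present.map((c) => c.name),
    pool: present.reduce((n, c) => n + c.size, 0),
  };
}

// H = L * log2(N); an empty password or empty pool has zero entropy.
function entropyBits(length, pool) {
  return length > 0 && pool > 0 ? length * Math.log2(pool) : 0;
}

// Rating boundaries from the FAQ. Assumption: a fractional value between two
// listed ranges (e.g. 35.5 bits) falls into the lower band.
function rating(bits) {
  if (bits < 28) return "Very Weak";
  if (bits < 36) return "Weak";
  if (bits < 60) return "Reasonable";
  if (bits < 128) return "Strong";
  return "Very Strong";
}

// Seconds to exhaust the full keyspace at the given guess rate.
// Default 1e10/s matches the fast-hash (MD5-style) rate in the text.
function crackSeconds(bits, guessesPerSecond = 1e10) {
  return Math.pow(2, bits) / guessesPerSecond;
}

function analyze(password, guessesPerSecond = 1e10) {
  const { classes, pool } = detectPool(password);
  const length = Array.from(password).length; // count code points, not UTF-16 units
  const bits = entropyBits(length, pool);
  return { classes, pool, length, bits, rating: rating(bits),
           seconds: crackSeconds(bits, guessesPerSecond) };
}
```

`analyze("password1234")` reports about 62 bits and a Strong rating even though the password is a dictionary word followed by a digit run, which is the upper-bound caveat above in practice. Passing `1e4` as the guess rate models a slow hash such as bcrypt.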
Password entropy examples
Example password profiles of increasing complexity, showing how entropy and crack time scale with length and character diversity.
| Password Profile | Entropy | Strength / Crack Time |
|---|---|---|
| 8 chars, digits only (pool = 10) | 26.6 bits | Very Weak. A PIN-style password of 8 digits has fewer than 100 million combinations — crackable in under a second by any modern computer. |
| 10 chars, lowercase only (pool = 26) | 47.0 bits | Reasonable. A 10-letter lowercase password has about 141 trillion combinations. At 10 billion guesses per second this takes roughly 4 hours to exhaust. |
| 14 chars, mixed case + digits + symbols (pool = 94) | 91.8 bits | Very Strong. Over 10²⁷ combinations. Even at 10¹⁰ guesses per second, exhaustive search would take longer than the age of the universe. |
| 16 chars, mixed case + digits (pool = 62) | 95.3 bits | Very Strong. Removing symbols but adding two extra characters still achieves over 95 bits of entropy — demonstrating that length often matters more than complexity. |
How to use the password entropy calculator
- Type or paste your password into the Password field. The calculator auto-detects which character classes are present and sets the pool size accordingly.
- Switch to Manual mode if you prefer to specify the character pool size and password length directly without entering the actual password.
- Click Calculate to see the entropy in bits, the strength rating, the detected character classes, and the estimated brute-force crack time.
- To improve a weak password, try adding more character classes or increasing the length — the entropy display updates so you can see the impact immediately.
- Click Reset to clear all inputs and start a new analysis.
Password entropy calculator FAQ
What is a good entropy value for a password?
Security practitioners typically treat 60 bits as a baseline for online accounts and 80 bits or more as strong. NIST SP 800-63B recommends passwords of at least 8 characters but emphasises length over complexity. A 12-character password using mixed case, digits, and symbols achieves about 78 bits — well into the strong range for most purposes.
Does entropy guarantee password security?
Entropy measures theoretical unpredictability assuming random character selection. Human-chosen passwords often score far below the theoretical maximum because people use dictionary words, names, dates, and predictable patterns. A password manager that generates truly random passwords achieves the full entropy shown by this calculator; a human-chosen password of the same length likely has much lower effective entropy.
Why do symbols matter so much for entropy?
Adding a symbol class expands the pool from about 62 characters (mixed case + digits) to about 94 characters. Each character then carries log₂(94) ≈ 6.55 bits instead of log₂(62) ≈ 5.95 bits — a gain of 0.6 bits per character. Over a 12-character password that is about 7 extra bits, roughly equivalent to one additional character. Length and character class both matter.
How is the crack time estimated?
The crack time assumes an attacker performs an exhaustive brute-force search at 10 billion (10^10) guesses per second, which reflects current GPU capability against fast hash functions like MD5 or SHA-1. Against slow hashes such as bcrypt (cost 12) or Argon2, the effective rate drops to roughly 10,000–100,000 per second, making the displayed crack times very conservative lower bounds.
Should I include the actual password in this calculator?
All entropy calculations run entirely in your browser — no data is sent to a server. However, for maximum caution, you can use the Manual mode to enter just the pool size and length without revealing the password itself. The entropy result is identical either way because entropy depends only on length and pool size.
What is the difference between entropy and password strength ratings?
Entropy is a precise mathematical quantity measured in bits. Strength ratings such as Very Weak, Weak, Reasonable, Strong, and Very Strong are qualitative labels that map entropy ranges to human-readable verdicts. The boundaries used here are: Very Weak below 28 bits, Weak 28–35 bits, Reasonable 36–59 bits, Strong 60–127 bits, and Very Strong 128 bits or above.