
Password Strength Calculator

Password entropy & brute-force time at 10 billion attempts/s

How strong is your password, really? Gut feelings and green checkmarks don't tell the whole story. Our Password Strength Calculator goes deeper: it calculates your password's entropy in bits and estimates how long it would take an attacker running 10 billion attempts per second to crack it through brute force. Whether you're a security professional, a developer, or just someone who wants to sleep better at night, this free tool gives you the hard numbers behind your password's security.

What Is Password Entropy?

Password entropy is a measure of how unpredictable — and therefore how difficult to guess — a password is. It's expressed in bits, and the higher the number, the stronger the password. Entropy is calculated based on two factors:

  • Character set size (pool): The total number of possible characters your password draws from. Lowercase letters give you 26 options; add uppercase and you have 52; throw in digits and symbols and you can reach 95 or more.
  • Password length: Every additional character multiplies the number of possible combinations by the size of the character pool, so the total grows exponentially with length.

The formula is straightforward: Entropy = L × log₂(N), where L is the password length and N is the size of the character pool. A password with 50 bits of entropy is considered weak by modern standards. Anything above 80 bits is generally considered strong, and 100+ bits puts you in excellent territory.

How the Brute-Force Time Estimate Works

Knowing entropy in bits is useful, but translating that into real-world crack time makes it tangible. Our calculator assumes an attacker can make 10 billion (10¹⁰) password guesses per second — a realistic benchmark for a well-funded adversary using modern GPU clusters or dedicated cracking hardware. The total number of possible passwords is 2 raised to the power of your entropy value. Dividing that by 10 billion gives you the estimated crack time in seconds, which we then convert into human-readable units: seconds, minutes, hours, days, years, or even millions of years.

For example, a password with 60 bits of entropy has roughly 1.15 × 10¹⁸ possible combinations. At 10 billion attempts per second, that's about 3.7 years to exhaust the full search space. Bump it up to 80 bits and you're looking at over 38 million years. These numbers make the importance of entropy immediately clear.
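The entropy formula and the brute-force estimate described above, as an added JavaScript example (not the calculator's own source). The four character-class sizes, the function names and the three-entry wordlist are assumptions made for illustration; the wordlist check shows where the formula overstates strength.

```javascript
// Added example, not the calculator's own source.
const GUESSES_PER_SECOND = 1e10; // the page's baseline: 10 billion attempts/s

// Assumed pool sizes: printable ASCII in four classes (26 + 26 + 10 + 33 = 95).
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 }, // symbols and space
];

// N: sum of the sizes of every class that appears in the password.
function poolSize(password) {
  return CLASSES.reduce((n, c) => (c.re.test(password) ? n + c.size : n), 0);
}

// Entropy = L × log2(N). Only meaningful if each character was chosen at random.
function entropyBits(password) {
  const n = poolSize(password);
  return n === 0 ? 0 : [...password].length * Math.log2(n);
}

// Seconds to try every candidate: 2^bits divided by the guess rate.
function exhaustSeconds(bits) {
  return Math.pow(2, bits) / GUESSES_PER_SECOND;
}

// Convert seconds to the largest unit that fits (Julian year = 31,557,600 s).
function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, s] of units) {
    if (seconds >= s) return `${(seconds / s).toPrecision(3)} ${name}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// Constructed sample wordlist; a real check would use a breached-password corpus.
const KNOWN_WEAK = new Set(["password", "p@ssw0rd", "qwerty123"]);

function assess(password) {
  const bits = entropyBits(password);
  return {
    bits,
    exhaust: humanize(exhaustSeconds(bits)),
    inWordlist: KNOWN_WEAK.has(password.toLowerCase()),
  };
}
```

For P@ssw0rd the formula reports about 52.6 bits, yet the string is in the wordlist, so the pool-based figure is an upper bound that holds only for randomly generated passwords.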

What Makes a Password Strong?

Building a genuinely strong password isn't complicated once you understand the math. Here's what actually moves the needle:

  • Length is king: Every extra character dramatically increases the number of combinations. Going from 10 to 14 characters can increase your entropy by 40+ bits depending on your character set.
  • Use all character types: Combine lowercase letters, uppercase letters, numbers, and special symbols (like ! @ # $ % ^ & *) to maximize your character pool.
  • Avoid dictionary words: Entropy calculations assume random characters. Dictionary-based attacks can crack common words and phrases far faster than brute force, regardless of length.
  • Don't use predictable patterns: Substitutions like P@ssw0rd are well-known to attackers and included in pattern-based attack dictionaries.
  • Randomness matters: A truly random 12-character password beats a 20-character sentence made from predictable words when it comes to brute-force resistance.

Why 10 Billion Attempts Per Second?

We chose 10 billion attempts per second as the baseline because it reflects realistic, high-end offline attack speeds using modern hardware. Online attacks are much slower due to rate limiting and account lockouts, but offline attacks — where a stolen password hash is cracked locally — can reach these speeds with consumer-grade GPU rigs, and far beyond with cloud computing clusters. Benchmarking against this rate ensures you're planning for a serious threat model, not just casual attacks.

How to Use This Calculator

Using the Password Strength Calculator is simple and completely private — no data is sent to any server:

  • Type or paste your password into the input field.
  • The calculator instantly analyzes your character set and password length.
  • You'll see your entropy score in bits, a strength rating (Weak, Fair, Good, Strong, Very Strong), and the estimated brute-force crack time at 10 billion attempts per second.
  • Use the feedback to adjust your password until you reach a score you're comfortable with.

Because the calculation happens entirely in your browser, your password never leaves your device. Privacy-first by design.

Password Strength Benchmarks

Here's a quick reference for interpreting your entropy score:

  • Under 40 bits: Very Weak — cracked in seconds to minutes
  • 40–59 bits: Weak — cracked in hours to days
  • 60–79 bits: Fair — cracked in months to a few years
  • 80–99 bits: Strong — cracked in millions of years
  • 100+ bits: Very Strong — effectively uncrackable with current technology

For most personal accounts, aim for at least 70–80 bits of entropy. For highly sensitive accounts — email, banking, password managers — target 90 bits or higher.

Frequently Asked Questions

Is my password stored or sent anywhere when I use this tool?

No. The Password Strength Calculator runs entirely in your browser using JavaScript. Your password never leaves your device and is never transmitted to our servers. You can even use it offline once the page has loaded.

Why does password length matter more than complexity?

Because of how exponential math works. Adding one more character to your password multiplies the total number of combinations by the size of your character pool. Adding a symbol type increases the pool by a fixed amount. Length compounds; complexity adds. Both help, but length has the bigger long-term impact on entropy.

Does a high entropy score mean my password is completely safe?

A high entropy score means your password is highly resistant to brute-force attacks. However, passwords can also be compromised through phishing, data breaches, keyloggers, or reuse across sites. Always combine a strong password with two-factor authentication (2FA) and avoid reusing passwords across services.

What's the difference between a brute-force attack and a dictionary attack?

A brute-force attack tries every possible character combination systematically. A dictionary attack uses lists of known words, common passwords, and patterns. Our calculator estimates brute-force resistance, but using recognizable words weakens your real-world security even if your entropy score looks good.

How often should I change my passwords?

Modern security guidance from organizations like NIST recommends changing passwords when you have reason to believe they've been compromised, rather than on a fixed schedule. Focus on using unique, high-entropy passwords for every account — ideally managed with a reputable password manager — rather than frequent rotation of weak passwords.
