Password Strength Tester (Entropy Bits)

Estimate password entropy in bits and the time an offline brute-force attacker would need at common cracking rates. Pure client-side โ€” your password is never sent anywhere.

Inputs

Type or paste the password. Computation is local-only โ€” nothing is uploaded.

NIST SP 800-63B treats 10^10/s as the modern offline baseline. Bcrypt/scrypt/Argon2 hashes drop that by 4-6 orders of magnitude.

Result

Strength: Weak โ€” guessable offline in days
59.1 bits of entropy
Estimated crack time at 1e+10 guesses/sec: 364.7 days.
  • Length9 characters
  • Character pool95 candidate chars (lower + upper + digit + symbol)
  • Theoretical search space2^59.1 โ‰ˆ 6.30e+17
  • Mean crack time364.7 days
  • Worst-case (full space)2.0 years
Source: NIST SP 800-63B Digital Identity Guidelines (Memorized Secret Verifiers) โ€” ยง5.1.1.
Note โ€” Entropy = logโ‚‚(pool^length) is a CEILING โ€” it assumes uniformly random characters. Human-chosen passwords are far less random; real-world crackers use dictionaries + rules. Treat this as an upper bound, not a guarantee.

Step-by-step

  1. Detect character classes present โ†’ pool size = 95.
  2. Entropy bits = length ร— logโ‚‚(pool) = 9 ร— 6.570 = 59.1 bits.
  3. Mean crack time = (search-space / 2) / attacker-rate.

How to use this calculator

  • Type or paste the password into the input.
  • Choose the attacker rate โ€” 10 G/s is the realistic modern baseline; pick higher for nation-state threat models.
  • Read the entropy bits and the mean / worst-case crack-time. Flags below the result indicate why the number may be over-stated.
  • Aim for โ‰ฅ 80 bits for accounts that matter; โ‰ฅ 128 for master passwords or encryption keys.

About this calculator

A passwordโ€™s strength is best expressed as its entropy in bits โ€” logโ‚‚ of the number of equally-likely passwords an attacker has to try. For a random 12-character string mixing upper, lower, digit, and symbol, that is about 78 bits โ€” strong enough to resist a single GPU rig for centuries on a non-cached hash. This tester computes the theoretical entropy from password length and the character classes it contains, then converts to mean crack-time at four common attacker speeds: rate-limited online, slow bcrypt offline, modern GPU, and state-actor cluster. It also flags weaknesses that ruin the entropy estimate: dictionary words, short length, and use of only one character class.

How it works โ€” the formula

entropy_bits = length ยท logโ‚‚(pool_size) mean_crack_time = (2^entropy_bits / 2) / attacker_rate

For a uniformly random password from a pool of N characters, the number of equally-likely possibilities is N^length, so logโ‚‚ gives the entropy in bits. Mean-case search costs half that. Real-world passwords are far less random; entropy bits are an upper bound on resistance to brute force, not on resistance to dictionary attacks.

Sources: NIST SP 800-63B Digital Identity Guidelines ยท Shannon C (1948) โ€” A Mathematical Theory of Communication (entropy definition) ยท EFF Diceware passphrase generator (security analysis)

Worked examples

Example 1
"password" (lower-only, 8)
Inputs:
pwd=password
Output:
~37.6 bits but dictionary-flagged โ†’ minutes
Example 2
12 random mixed-case + digit + sym
Inputs:
pwd=Tr0u4!H#9Vk2
Output:
~78 bits โ†’ ~years on a GPU rig
Example 3
20-char Diceware passphrase
Inputs:
pwd=correct horse battery staple
Output:
~92 bits โ†’ centuries on a GPU rig (but only ~52 bits if attacker uses a word-list)

Limitations

  • Entropy โ‰  real security: dictionary + rule-based crackers find "high-entropy looking" passwords in seconds when they follow common patterns.
  • No breach-list check โ€” use haveibeenpwned.com/Passwords for that.
  • Attacker-rate selection is a coarse model โ€” real cracking speed depends on the specific hash function and hardware.

Educational estimate only โ€” for compliance use a tool that also checks against breach databases and known dictionaries.

Frequently asked

Entropy bits assume every character was chosen uniformly at random from the available pool. Humans almost never do that โ€” they pick common words, predictable substitutions ("P@ssw0rd"), and keyboard runs. Real-world crackers use dictionary + rule sets that exploit those patterns, recovering many "high-entropy looking" passwords in seconds.

Related calculators

Percentage Math Calculator
Calculate what X% of a value is, find what percentage one number is of another, or compute the percentage change between two numbers.
Hex / Binary / Octal / Decimal Converter
Convert numbers between hexadecimal, binary, octal, and decimal. Shows the bit pattern grouped by nibble + the twoโ€™s-complement representation for negative values.
Tip Split Calculator
Compute tip and split a restaurant bill evenly among diners.
Fuel vs Electric Car Cost Comparison
Annual fuel cost (gas car) vs annual electricity cost (EV) for the same mileage.
EV Charging Cost Calculator
Cost per session: kWh delivered ร— $/kWh, accounting for charger efficiency.
Solar Panel Payback Period
System cost / annual savings = years to break even on a residential solar install.

More tools you might like

Hex / Binary / Octal / Decimal Converter
Calc
Percentage Math Calculator
Calc
Percentage Calculator
Finance
Random Password Generator
Calc
Video File Size Calculator
Calc
Image File Size Estimator
Calc