What entropy is considered strong?

Security guidelines generally consider 60–80 bits as strong for everyday use, and 100+ bits as very strong or unbreakable with current technology. NIST recommends at least 80 bits for high-security applications. 40–60 bits is moderate, and below 40 bits is weak for anything requiring real security.

How is the character pool size determined?

The character pool N is determined by which categories of characters appear in your password: lowercase letters add 26, uppercase letters add 26, digits add 10, common symbols add 32. If your password uses all four categories, N = 94. This is a theoretical maximum; actual entropy may be lower if the password follows patterns.

How is crack time estimated?

Crack time is estimated assuming an attacker trying all possible combinations (brute force) at a given speed. This tool uses three scenarios: 1 billion guesses/second (fast GPU), 100 billion/second (dedicated cluster), and 1 trillion/second (nation-state). The total combinations is 2^H (or N^L), divided by the attempts per second.

Does this tool send my password anywhere?

No. This tool runs 100% in your browser. Your password is never sent to any server, logged, or stored anywhere. All calculations happen locally using JavaScript.

Password Entropy Calculator

Calculate Shannon entropy H = L × log₂(N). See strength, character pool, and crack time estimates.

Password

a–z (26) A–Z (26) 0–9 (10) Symbols (32)

Estimated Crack Times (Brute Force)

Attack Speed	Scenario	Estimated Time

Entropy (bits)	Rating	Example
< 28	Very Weak	4-digit PIN (13.3 bits)
28–35	Weak	6 lowercase letters (28.2 bits)
36–59	Fair	8 lowercase letters (37.6 bits)
60–79	Strong	10 mixed chars (65.5 bits)
80–99	Very Strong	14 mixed chars (91.7 bits)
100+	Excellent	20 chars mixed (131 bits)

Character Set	Pool Size (N)	Log₂(N)
Digits only (0–9)	10	3.32
Lowercase (a–z)	26	4.70
Lower + Upper	52	5.70
Lower + Upper + Digits	62	5.95
All printable ASCII	94	6.55

Type a password above to analyze its entropy.

Understanding Password Entropy

Password entropy is the measure of unpredictability in a password. It is calculated using Shannon's information entropy formula: H = L × log₂(N), where H is entropy in bits, L is the password length, and N is the size of the character pool (the number of distinct characters that could appear at each position).

A higher entropy value means a password is harder to guess. Each additional bit of entropy doubles the number of possible combinations an attacker must try in a brute-force attack. A password with 40 bits of entropy has about 1 trillion (2^40) possible combinations. One with 80 bits has about 1.2 × 10^24 — a trillion times more than 40-bit.

Character Pool Sizes

The character pool N is determined by which types of characters your password includes. Using only lowercase letters gives N = 26. Adding uppercase doubles to 52. Adding digits brings it to 62. Including symbols (!, @, #, etc.) brings the full printable ASCII set to 94. Each category you add increases N and therefore increases entropy.

Length vs. Complexity

A common debate in password security is whether length or complexity matters more. The math shows that length has a multiplicative effect on entropy (each character adds log₂(N) bits) while expanding the character pool only adds bits once. A 16-character lowercase password has H = 16 × 4.7 = 75.2 bits — stronger than an 8-character fully mixed-case password (H = 8 × 6.55 = 52.4 bits). This is why security experts increasingly recommend long passphrases over short complex passwords.

Crack Time Estimates

The crack time estimate assumes a brute-force attack testing all possible combinations. Modern password cracking hardware can test billions or even trillions of hash combinations per second for common hash algorithms like MD5. However, properly secured passwords use slow algorithms like bcrypt, Argon2, or scrypt, which reduce cracking speed to thousands or fewer attempts per second. The estimates in this tool use MD5-speed assumptions for the worst case.

Entropy vs. Real-World Strength

Entropy based on character pool and length is a theoretical maximum. Real-world password strength also depends on patterns. A password like "Password1!" has high theoretical entropy but is trivially cracked by dictionary attacks with rules. True entropy requires genuine randomness at each character position. Consider using a password manager to generate and store truly random passwords rather than choosing them yourself.

Frequently Asked Questions

Entropy H = L × log₂(N) measures password unpredictability. L is the length, N is the character pool size. Higher entropy means more possible combinations and harder to crack.

60–80 bits is strong for everyday use. 80–100 bits is very strong. 100+ bits is effectively unbreakable with current technology. Below 40 bits is weak.

Lowercase adds 26, uppercase adds 26, digits add 10, common symbols add 32. Using all four categories gives N = 94.

Crack time = 2^H / (guesses per second). Three scenarios are shown: 1B/s (fast GPU), 100B/s (cluster), and 1T/s (nation-state level).

No. Everything runs 100% in your browser. Your password is never sent to any server, logged, or stored.

Password Entropy Calculator

Estimated Crack Times (Brute Force)

Entropy Reference Guide

Character Pool Sizes

Understanding Password Entropy

Character Pool Sizes

Length vs. Complexity

Crack Time Estimates

Entropy vs. Real-World Strength

Frequently Asked Questions

Related Tools