Technology
Password Entropy Calculator
Measure the strength of any password by calculating its entropy in bits, strength rating, and estimated offline crack time — all privately in your browser.
Password Entropy Calculator
🔒 Your password never leaves your device — everything is calculated locally.
Method
How this calculator works
entropyBits = passwordLength × log2(poolSize), where poolSize is the sum of the character sets used (26 lowercase + 26 uppercase + 10 digits + 32 symbols).
- Type or paste the password you want to evaluate into the input field.
- The tool detects which character sets you used — lowercase, uppercase, digits, and symbols — to determine the character pool size.
- It multiplies the password length by the base-2 logarithm of the pool size to produce the entropy in bits.
- Entropy is mapped to a strength label and used to estimate how long an offline attacker would take to crack the password.
Use cases
When to use it
- Auditing the strength of passwords before saving them to a password manager.
- Teaching users why long passphrases beat short, complex passwords.
- Setting minimum-entropy policies for application sign-up forms.
- Comparing candidate passwords side by side to pick the strongest option.
FAQ
Frequently asked questions
What is password entropy?
Password entropy is a measure of how unpredictable a password is, expressed in bits. Each additional bit doubles the number of guesses an attacker must make. It is calculated from the size of the character pool and the length of the password.
How many bits of entropy is a strong password?
As a rule of thumb, 60 bits or more is considered strong for most online accounts, while 128 bits or more is regarded as very strong and suitable for protecting highly sensitive data such as encryption keys.
Does length or complexity matter more?
Length usually wins. Because entropy grows linearly with length but only logarithmically with the character pool, adding more characters typically raises entropy faster than adding a few special symbols to a short password.
Is my password sent anywhere when I use this tool?
No. All calculations run entirely in your browser using JavaScript. Your password is never transmitted over the network, logged, or stored, so it is safe to test real passwords.
How is the crack time estimated?
We assume an offline attacker capable of 10 billion guesses per second, a realistic figure for modern GPU hardware against fast hashes. We then divide the total number of possible combinations by that rate and convert the result into human-readable time.