// measure entropy bits and crack time of any password
Calculate password entropy in bits, estimate crack time, and analyze character set coverage. Free browser-based password strength checker.
🔒 Your password is never sent to any server — analysis is 100% local.
Enter a password to analyze
Entropy, crack time, and character set analysis will appear hereType or paste any password into the input field. It never leaves your browser.
Hit the Calculate button or press Enter to analyze entropy, character sets, and crack time.
Check entropy bits, crack time estimates, and follow the tips to improve your password.
Password entropy measures the unpredictability of a password in bits. The higher the entropy, the longer it takes to brute-force. This tool calculates entropy using the Shannon formula: E = L × log₂(N), where L is password length and N is the character pool size.
Password entropy is a measure of how unpredictable a password is, expressed in bits. It's calculated based on the number of possible characters used and the password length. Higher entropy means it's harder to guess or crack.
Entropy = Length × log₂(Pool Size). For example, an 8-character password using only lowercase letters (pool=26) has 8 × 4.7 ≈ 37.6 bits. Adding uppercase, digits, and symbols increases the pool, dramatically raising entropy.
Yes. All analysis happens entirely in your browser using JavaScript. Your password is never transmitted to any server, logged, or stored. You can verify this by checking the network tab in your browser's developer tools.
They're theoretical estimates based on pure brute-force guessing. Offline attacks assume 10 billion guesses/second (modern GPU). Real attackers may use dictionary attacks or known patterns, making weak but common passwords easier to crack than raw entropy suggests.
Generally: under 28 bits is very weak, 36–52 bits is weak to fair, 60+ bits is strong, and 80+ bits is very strong. For critical accounts, aim for at least 60 bits. A 12-character password mixing all character types reaches ~78 bits.
Adding one character to a password multiplies the search space by the pool size. Going from 8 to 12 characters adds 4 × log₂(N) bits — that's more impactful than just adding symbols. Long passphrases are often both strong and memorable.
Online attacks go through a live service (e.g., a login form) which can rate-limit guesses — typically 100 attempts/sec or fewer. Offline attacks happen when the attacker has stolen a hash file and can run billions of guesses per second on their own hardware.
No — this tool only measures mathematical entropy based on character set and length. It doesn't check against breach databases like HaveIBeenPwned. For that check, use a dedicated HIBP lookup tool while being mindful of privacy implications.
A password entropy calculator is a tool that measures the cryptographic strength of a password by quantifying its unpredictability in bits of entropy. Unlike simple "weak/medium/strong" meters, entropy gives you an objective, mathematical measure of how resistant a password is to brute-force attacks. This tool calculates entropy using the Shannon formula and provides real-world crack time estimates based on modern attack hardware.
💡 Looking for premium web development assets? MonsterONE offers unlimited downloads of templates, UI kits, and assets — worth checking out.
Entropy is calculated with a simple but powerful formula: E = L × log₂(N), where E is entropy in bits, L is the password length, and N is the size of the character pool. The character pool depends on which types of characters you use:
A password using all four sets has a pool of 94 characters. An 8-character password from this pool yields about 52 bits of entropy — considered fair. Extending that to 12 characters raises it to ~78 bits, which is strong by most standards.
Many websites enforce outdated "complexity rules" — requiring one uppercase, one digit, one symbol — but these rules can actually produce predictable patterns. "Password1!" technically meets most complexity requirements yet scores poorly on entropy because humans are predictable: capital at the front, symbol at the end, number in between.
True entropy comes from randomness and length. A randomly generated 16-character passphrase using only lowercase letters (~75 bits) is far stronger than a complex 8-character password (~52 bits) that follows predictable patterns. This is why password managers that generate long random strings — or random passphrase generators using Diceware — produce much stronger passwords than human-chosen ones.
This tool provides two crack time estimates based on different attack scenarios:
Both estimates assume pure brute-force. In practice, dictionary attacks and credential stuffing can crack common passwords far faster than their entropy suggests. "dragon", "sunshine", and "123456" would take fractions of a second to crack regardless of their theoretical entropy.
As a practical reference, here are common entropy thresholds and what they mean:
The most effective way to create strong passwords is to use a password manager to generate and store long random strings for every account. For master passwords or passphrases you need to remember, consider the Diceware method: rolling dice to select random words from a wordlist produces passphrases like "correct horse battery staple" — memorable yet with extremely high entropy.
Other best practices include: never reusing passwords across sites, enabling two-factor authentication wherever possible, and regularly auditing old accounts with a tool like this one to identify passwords that no longer meet modern security standards.
This password entropy calculator runs entirely in your browser. Your password is never transmitted to any server. All calculations are performed client-side using JavaScript. You can use browser developer tools to verify that no network requests are made when analyzing a password. The tool calculates character pool size by detecting which character classes are present, applies the Shannon entropy formula, and maps the result to theoretical crack times based on published benchmarks for modern attack hardware.