Password Strength Checker
What Is Password Entropy?
Password entropy is a mathematical measure of a password's randomness and unpredictability, expressed in bits. The formula is: entropy = length × log₂(charset_size). Charset size depends on which character types you use: lowercase only = 26, add uppercase = 52, add numbers = 62, add symbols = up to 94.
Industry consensus: 60 bits of entropy provides basic security; 80+ bits resists large-scale brute-force attacks; 100+ bits is practically uncrackable for the foreseeable future.
How Is Crack Time Estimated?
This tool uses an "offline fast-hash attack" as the benchmark scenario — assuming an attacker has obtained a hashed database and uses a modern GPU cluster capable of 100 billion guesses per second (achievable with weak hash algorithms like MD5/NTLM). This is a worst-case estimate representing the theoretically fastest attack speed.
Real-world online login attacks are much slower due to rate limiting, account lockouts, and CAPTCHAs. For databases protected by strong hash algorithms like bcrypt or Argon2, the guess rate may be only tens to hundreds per second.
How to Create a Truly Secure Password
NIST SP 800-63B and current security research consensus: ① Prioritize length — at least 12 characters, 16+ for important accounts; ② Use all character types — combining uppercase, lowercase, numbers, and symbols significantly expands the search space; ③ Avoid personal information — names, birthdays, common words are all in dictionary attack databases; ④ Unique password per account — prevents credential stuffing from cascading; ⑤ Use a password manager — the only practical way to maintain many unique strong passwords.
💬 Comments
Frequently Asked Questions
How is password strength calculated? +
Password strength is measured by entropy: bits = length × log₂(charset_size). The charset size grows with each character type you include: lowercase adds 26, uppercase adds 26, numbers add 10, and symbols add 32. Higher entropy means a stronger password. Generally 60+ bits is decent; 80+ bits is very secure.
How is the estimated crack time calculated? +
This tool estimates based on an offline fast-hash attack scenario, assuming an attacker can try 100 billion (10¹¹) guesses per second. The formula is: crack_seconds = 2^entropy / 10¹¹. This represents a worst-case scenario — real-world online login attacks are much harder due to rate limiting.
Why should I use all four character types? +
Using all four character types (uppercase, lowercase, numbers, symbols) expands the charset to 94, significantly increasing per-character entropy. Lowercase-only (26 chars) gives ~4.7 bits per character; the full charset (94 chars) gives ~6.6 bits per character — about 40% stronger for the same length.
Which matters more: password length or complexity? +
Both matter, but length often has more impact. Entropy grows linearly with length, while expanding the charset has diminishing returns. Best strategy: prioritize length (16+) while using all character types. Even an all-lowercase 30-character password is far stronger than an 8-character password with all character types.
Does this tool store or upload the password I enter? +
No. All calculations run entirely in your browser. No data is sent to any server, no logs are kept, and everything disappears when you close the page. You can use this tool offline and get identical results.