Password Entropy & Crack Time Estimator
Type a password to see its strength in bits of entropy and realistic crack time estimates — for online guessing, offline bcrypt, and raw hash attacks. Patterns like keyboard walks and dictionary words are flagged with plain-English explanations. Nothing is sent anywhere.
Enter Password
Evaluated entirely in your browser. Nothing is sent to any server.
Strength Analysis
Estimated Crack Times
| Attack scenario | Time to crack |
|---|
Weaknesses Detected
Generate a Strong Password
Generate a random password and see its strength instantly.
Learn more: password entropy and real-world crack times
What password entropy is and why the entropy formula matters
Entropy measures how unpredictable a password is, expressed in bits. A password with 70 bits of entropy would take far longer to crack than one with 40 bits. The formula is log2(character pool) x length. If your character pool is 95 symbols (a-z, A-Z, 0-9, and common symbols), each character adds about 6.6 bits of entropy. A 12-character password using the full pool has about 79 bits. Using only lowercase adds only 4.7 bits per character, so a 16-character lowercase password has only 75 bits - less entropy for more length.
Why simple rules (uppercase, numbers, symbols) mislead you about real strength
Most password meters say "Strong" when you add a number and a symbol to a simple password. This is based on rules, not real crack speed. Modern cracking rigs use dictionary attacks with substitution rules (like replacing 'e' with 3, 'a' with @). These patterns are in every cracking dictionary. The entropy calculator detects specific weaknesses - dictionary words, keyboard walks, character repeats, simple substitutions - and explains why each one reduces real-world strength.
Crack times at different attack speeds - bcrypt, MD5, and online guessing
A password hashed with bcrypt takes ~100 microseconds to check on modern hardware, limiting you to ~10,000 guesses/second. A password hashed with MD5 can be checked in billionths of a second on a GPU, achieving 100+ billion guesses/second. Online guessing (like logging into Gmail) is rate-limited to ~1,000 attempts/second and locks the account after 5-10 failed attempts. The same 60-bit entropy password might take thousands of years to crack offline with bcrypt but only months with MD5. The calculator shows all three scenarios so you understand the real risk.
FAQ
How many bits of entropy do I need?
For most online accounts, 50-60 bits is acceptable because of rate limiting. For offline systems or critical passwords (like a password manager master password), aim for 70-100 bits. A random 16-character alphanumeric password has about 94 bits.
Is my password actually sent to a server for checking?
No. All calculations run in your browser using JavaScript. Your password never leaves your device. You can verify this by disconnecting from the internet - the calculator continues to work.
Why is a passphrase sometimes better than a random string?
A 4-word passphrase uses a much larger effective character pool (hundreds of thousands of words) compared to keyboard symbols. "correct-horse-battery-staple" has about 44 bits of entropy per word, totaling 176 bits for 4 words. A random 16-character password has about 94 bits. Passphrases are easier to remember and paradoxically stronger.