Password Entropy Calculator - Crack Time Estimator

Calculate the information-theoretic bit entropy of any password or API key. Detects character set pools automatically, shows the total number of possible combinations, and estimates crack time across five attack scenarios from rate-limited web logins to GPU cracking clusters.

Analysed locally — nothing is sent to any server

a-zA-Z0-9SymbolsPool: 95
Quick examples:
Entropy strengthStrong

Good for most accounts

Key Metrics

Entropy52.6 bits
Length8 characters
Charset pool95 characters
Combinations6.6 x 10^15

Time to Crack (Estimable)

Online (throttled)210,369 years

1000/s — rate-limited web logins

Online (no limit)210 years

10⁶/s — no rate limiting

Offline (bcrypt/scrypt)3 months

10⁹/s — modern cloud hashing

Offline (fast hash)2 hours

10¹²/s — fast hash, single GPU

GPU cracking rigInstant

10¹⁷/s — dedicated cracking cluster

100% client-side. Your password is never transmitted to any server. All entropy calculations run locally in your browser.

Password Entropy Calculator: Measure Bit Entropy and Estimate Crack Time

Password strength checkers that count uppercase, lowercase, digits, and symbols only tell part of the story. The real measure of password security is entropy — the number of bits of randomness that an attacker must guess through.

Our entropy calculator computes exact bit entropy from your password's character set and length, then estimates how long it would take to crack under five realistic attack scenarios, from rate-limited login forms to professional GPU cracking clusters.

Formula
Entropy (bits) = Length x log2(Charset Size) Combinations = Charset Size ^ Length Crack Time = Combinations / Guesses Per Second Charset sizes: Lowercase only (a-z): 26 + Uppercase (A-Z): 52 + Digits (0-9): 62 + Symbols: 95

Password entropy is calculated using information theory:

Attack Scenario Reference

Online throttled (10^3/s): Standard web login with account lockout. Rate-limited APIs, social media logins.
Online unlimited (10^6/s): APIs without rate limiting, or bypassed throttling.
Offline slow hash (10^9/s): bcrypt, scrypt, Argon2 - designed to be slow. Cloud GPU cluster.
Offline fast hash (10^12/s): MD5, SHA-1 - fast but insecure for passwords. Single high-end GPU.
GPU cracking rig (10^17/s): Dedicated cluster (Hashcat on 100+ GPUs). NIST maximum realistic threat.

Entropy Benchmarks

28 bits: 4-digit PIN - crackable in milliseconds
36 bits: 8-character lowercase - crackable offline in seconds
48 bits: 8-character mixed case + digits + symbols - Fair
60 bits: 10-character full charset - Strong
80 bits: 12-character full charset or 6-word passphrase - Very Strong
128 bits: Cryptographic key strength - used in AES-128 encryption

Practical Examples

Improving a weak password

  • 1.password1: 44 bits, Fair — crackable offline in days
  • 2.P@ssw0rd1: 55 bits, Fair — better but still common pattern
  • 3.Tr0ub4dor&3: 71 bits, Strong — complex and uncommon pattern

Passphrase vs random

  • 1.correcthorsebatterystaple: 116 bits, Extremely Strong
  • 2.K7#mP!qX: 52 bits, Fair — looks complex but shorter
  • 3.Verdict: Long passphrases often beat short complex passwords

Frequently Asked Questions

What is password entropy?

Password entropy is a measure of how unpredictable a password is, expressed in bits. Higher entropy means more possible combinations, which makes brute-force attacks take longer. Entropy is calculated as: bits = length x log2(charset size). A 60-bit entropy password is considered strong for most purposes.

How is crack time calculated?

Crack time is estimated by dividing the total number of possible combinations (charset^length) by the attacker's guessing rate per second. For example, if a password has 10 billion combinations and an attacker tries 1 billion per second, the maximum crack time is 10 seconds.

How much entropy does a password need?

For low-risk accounts: 40+ bits. For most online accounts: 60+ bits. For high-value accounts (email, banking): 80+ bits. For encryption keys: 128+ bits. Note that longer passphrases can achieve high entropy while remaining memorable.

Why does my long password show low entropy?

Entropy depends on both length AND character set size. A 20-character password using only lowercase letters has less entropy than a 12-character password using all character types. Also, predictable patterns (keyboard walks, common words) are not detected by entropy calculators - these have effectively lower entropy despite their length.

What is the charset pool?

The charset pool is the number of unique character types used: lowercase (26), uppercase (26), digits (10), symbols (~33). A password using all types has a pool of 95, giving 6.57 bits per character. Using only lowercase gives 26, or 4.7 bits per character.

Is this calculator accurate?

The entropy calculation is mathematically accurate for random passwords. However, crack time estimates assume random passwords - dictionary words, names, and common patterns can be cracked much faster than entropy alone suggests. Real-world password security also depends on hashing algorithm, salting, and rate limiting.

What is the difference between online and offline attacks?

Online attacks must interact with a live system that can throttle and lock accounts (typically 1000-1M guesses/second). Offline attacks occur when an attacker obtains a password hash dump and can run billions or trillions of guesses per second locally using GPUs.

Is my password sent to any server?

No. All entropy calculations run entirely in your browser using JavaScript. Your password never leaves your device. We do not log, store, or transmit any input.

Related Tools

View all utilities tools

Age Calculator

Calculate exact age and eligibility.

Work Hours Calculator

Track daily shift times.

Date Toolkit

Days between dates and countdowns.

Sleep Calculator

Optimize your sleep cycles.