🔐 Password Entropy Calculator
See how many bits of entropy a password holds from its length and character sets, and how long an offline attacker would need to crack it — from a rate-limited login to a full cracking farm.
🔐 Password strength
Entropy is the theoretical maximum, assuming every character is chosen at random. Real passwords built from words, names, or dates carry far less — so use a password manager to generate genuinely random strings. This is an educational estimate, not a security guarantee; never enter a real password anywhere you don't trust.
Length is the strongest lever
Because entropy is length multiplied by log₂ of the character-set size, adding characters raises strength faster than adding character types. Widening the alphabet helps, but doubling the length can add far more bits than sprinkling in a symbol or two. That is why a long, random passphrase outperforms a short, gnarly string.
The catch is the word “random”. These figures assume every character is picked independently at random. Human-chosen passwords lean on words, dates, and patterns that attackers try first, so their real entropy is a fraction of the theoretical maximum. Let a password manager generate and store long random secrets, and turn on multi-factor authentication wherever you can.
❓ Frequently Asked Questions
What is password entropy?
Entropy measures how unpredictable a password is, in bits. For a password of length L drawn at random from a character set of size C, the entropy is L × log₂(C). Each extra bit doubles the number of guesses an attacker must make, so more bits means exponentially more security.
How many bits of entropy is 'strong'?
As a rough guide: under 28 bits is very weak, 36–59 is fair, 60–127 is strong, and 128+ is very strong. A 12-character password mixing upper, lower, digits, and symbols lands around 79 bits — strong against offline attacks. Aim for 60+ bits for anything that matters.
How is the crack time worked out?
It divides the total number of possible passwords (character-set size to the power of length) by two — an attacker finds it halfway through on average — then by the guessing speed you select. Speeds range from a rate-limited online login to a trillion-guess-per-second offline cracking farm.
Does a longer password beat a more complex one?
Usually, yes. Length adds entropy faster than complexity because it's an exponent. A long passphrase of random words can be both stronger and easier to remember than a short string of symbols. The best of both is a long, randomly generated password from a password manager.
Is my real password safe to type here?
You never type a password here — you set its length and character sets. Everything runs in your browser and nothing is sent anywhere. As a rule, never paste a real password into any website's strength checker.