REPLOCK

🔐 Password Entropy Calculator

See how many bits of entropy a password holds from its length and character sets, and how long an offline attacker would need to crack it — from a rate-limited login to a full cracking farm.

Character sets in use

🔐 Password strength

Entropy
71.5 bits
Strength
Strong
Time to crack
5.1 thousand years
Character set size
62

Entropy is the theoretical maximum, assuming every character is chosen at random. Real passwords built from words, names, or dates carry far less — so use a password manager to generate genuinely random strings. This is an educational estimate, not a security guarantee; never enter a real password anywhere you don't trust.

Length is the strongest lever

Because entropy is length multiplied by log₂ of the character-set size, adding characters raises strength faster than adding character types. Widening the alphabet helps, but doubling the length can add far more bits than sprinkling in a symbol or two. That is why a long, random passphrase outperforms a short, gnarly string.

The catch is the word “random”. These figures assume every character is picked independently at random. Human-chosen passwords lean on words, dates, and patterns that attackers try first, so their real entropy is a fraction of the theoretical maximum. Let a password manager generate and store long random secrets, and turn on multi-factor authentication wherever you can.

❓ Frequently Asked Questions

What is password entropy?

Entropy measures how unpredictable a password is, in bits. For a password of length L drawn at random from a character set of size C, the entropy is L × log₂(C). Each extra bit doubles the number of guesses an attacker must make, so more bits means exponentially more security.

How many bits of entropy is 'strong'?

As a rough guide: under 28 bits is very weak, 36–59 is fair, 60–127 is strong, and 128+ is very strong. A 12-character password mixing upper, lower, digits, and symbols lands around 79 bits — strong against offline attacks. Aim for 60+ bits for anything that matters.

How is the crack time worked out?

It divides the total number of possible passwords (character-set size to the power of length) by two — an attacker finds it halfway through on average — then by the guessing speed you select. Speeds range from a rate-limited online login to a trillion-guess-per-second offline cracking farm.

Does a longer password beat a more complex one?

Usually, yes. Length adds entropy faster than complexity because it's an exponent. A long passphrase of random words can be both stronger and easier to remember than a short string of symbols. The best of both is a long, randomly generated password from a password manager.

Is my real password safe to type here?

You never type a password here — you set its length and character sets. Everything runs in your browser and nothing is sent anywhere. As a rule, never paste a real password into any website's strength checker.