Password Strength Checker
Analyze password strength with entropy calculation and crack time estimation. 100% client-side.
Entropy and Character Sets
Password entropy quantifies unpredictability in bits. The formula is E = L × log₂(N), where L is the password length and N is the size of the character pool. A password using only lowercase letters has a pool of 26; adding uppercase brings it to 52; adding digits gives 62; adding symbols from a standard keyboard expands the pool to roughly 95. Every additional character in the pool or in the length multiplies the number of possible combinations exponentially.
Example: an 8-character all-lowercase password has 26⁸ ≈ 209 billion combinations and about 37.6 bits of entropy. An 8-character mixed password (pool 95) has 95⁸ ≈ 6.6 quadrillion combinations and about 52.6 bits.
NIST SP 800-63B Guidance
The US National Institute of Standards and Technology recommends prioritising length over complexity. A passphrase of four random common words can exceed 50 bits of entropy and is far easier to remember than a shorter string of mixed characters. NIST SP 800-63B also advises against forced periodic rotation (changing passwords every 90 days), which studies show causes users to make predictable, weak changes like appending a number. Instead, passwords should only be changed when there is evidence of compromise.
How Passwords Are Stored
Storing passwords in plaintext is a critical security failure. Modern systems use adaptive hashing functions designed to be intentionally slow: bcrypt applies a cost factor that makes each hash take milliseconds; Argon2 (the winner of the 2015 Password Hashing Competition) uses configurable memory and parallelism requirements to resist GPU-based attacks. These are distinct from general-purpose hash functions like SHA-256, which is too fast for password storage.
Attack Methods and Time-to-Crack
Dictionary attacks try known words and common passwords first — they defeat weak passwords in seconds regardless of entropy calculations. Brute-force attacks try every possible combination. Rainbow tables are precomputed tables mapping common passwords to their hashes, countered by salting (adding a unique random value to each password before hashing). At 10 billion guesses per second (a modern GPU), a 40-bit entropy password falls in about 1.7 minutes; 60-bit takes over 3,600 years; 80-bit is beyond practical attack for any foreseeable hardware.
Worked Examples
Example 1 — "Password1" vs "correct-horse-battery-staple". The 9-character mixed-case-with-digit password looks "complex" but lives in every cracking wordlist and falls instantly. The four-word passphrase has no upper-case letters or symbols yet contains ~44 bits of entropy against a word-list attack of 2 048 words (4 × log₂(2 048) = 44 bits) — centuries to crack.
Example 2 — Raising length beats raising pool. 8 lowercase characters = 26⁸ ≈ 2.1 × 10¹¹ combinations (37.6 bits). 10 lowercase characters = 26¹⁰ ≈ 1.4 × 10¹⁴ (47 bits). That 2-character length jump multiplies effort by 676×; adding symbols to the 8-character password only multiplies by roughly 4 000×. Two more letters are typically easier to remember than a special character.
Example 3 — A password of 20 random characters from a 95-character pool. Entropy = 20 × log₂(95) = 131 bits. At 10¹² guesses/sec (a cutting-edge GPU cluster), time = 2¹³¹ / 10¹² ≈ 2.7 × 10²⁷ seconds — longer than the age of the universe many times over. This is what a password-manager-generated password gives you.
Example 4 — The Diceware passphrase. Six words from the 7 776-word Diceware list give 6 × log₂(7 776) = 77.5 bits. At 10¹⁰ guesses/sec, expected crack time ≈ 2^77.5 / (2 × 10¹⁰) ≈ 10¹³ seconds ≈ 317 000 years. Human-memorable and cryptographically strong.
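The entropy formula from "Entropy and Character Sets", the time-to-crack arithmetic from "Attack Methods and Time-to-Crack", and the worked examples above, as one added JavaScript calculation that is not the tool's own code. The character-class pool sizes follow the text; the small deny-list of known passwords is constructed for illustration, and the function names are this example's own.

```javascript
// Added example, not the tool's own code: the entropy and time-to-crack arithmetic
// for a password drawn uniformly at random from a character pool or word list.
const CHAR_CLASSES = [
  [/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 33], // 26+26+10+33 = 95
];

// Pool size implied by the character classes the password actually uses.
function poolSize(password) {
  return CHAR_CLASSES.reduce((n, [re, size]) => n + (re.test(password) ? size : 0), 0);
}

// E = L * log2(N): bits of entropy for L symbols each drawn from a pool of N.
function entropyBits(length, pool) {
  return length * Math.log2(pool);
}

// A passphrase is the same formula with each word as one symbol from a list.
function passphraseBits(words, listSize) {
  return entropyBits(words, listSize);
}

// Constructed stand-in for a cracking wordlist: anything on it falls on the
// first pass, so its effective entropy is zero whatever the formula says.
const KNOWN_PASSWORDS = new Set(["password", "password1", "p@ssw0rd", "p@ssw0rd123", "123456"]);
function effectiveBits(password) {
  if (KNOWN_PASSWORDS.has(password.toLowerCase())) return 0;
  return entropyBits(password.length, poolSize(password));
}

// Seconds to try every key of `bits` entropy at `guessesPerSec`; `expected`
// halves it, since on average the right guess comes halfway through.
function crackSeconds(bits, guessesPerSec, expected = false) {
  const total = Math.pow(2, bits) / guessesPerSec;
  return expected ? total / 2 : total;
}

function formatDuration(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// Reproduce the figures from the worked examples when run with node.
console.log(entropyBits(8, 26).toFixed(1), "bits for 8 lowercase characters");
console.log(passphraseBits(6, 7776).toFixed(1), "bits for six Diceware words");
console.log(formatDuration(crackSeconds(40, 1e10)), "to exhaust 40 bits at 1e10 guesses/s");
console.log(formatDuration(crackSeconds(60, 1e10)), "to exhaust 60 bits at 1e10 guesses/s");
```

Feeding any quoted time-to-crack figure back through crackSeconds is a quick sanity check before repeating it.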
Common Pitfalls
- Using personal info. Birthdates, pet names, addresses — attackers pull these from social media and try them first. Zero effective entropy.
- Leetspeak substitutions. Replacing "a" with "@" and "s" with "$" adds almost no strength — every cracking tool applies these transformations automatically.
- Reusing passwords across sites. One breach then unlocks every account. Credential-stuffing attacks run millions of reused-password attempts per day.
- Trusting strength meters on arbitrary sites. Many use shallow heuristics. This tool computes raw Shannon entropy for a random draw — it does not know if you typed "P@ssw0rd123", which scores moderate entropy but is in every wordlist.
- Counting on forced rotation. NIST dropped periodic-change requirements because users degrade passwords predictably (Spring2024! → Summer2024!). Change only on breach.
Frequently Asked Questions
Is 12 characters really enough? For randomly generated passwords from a full 95-char pool, 12 chars = 78.9 bits — comfortably beyond brute-force for decades. For human-chosen passwords, 12 is a minimum floor; aim for 16+ or use a passphrase.
Should I use a password manager? Yes. Any modern manager (1Password, Bitwarden, Apple Keychain, etc.) generates and stores unique long random passwords per site. The only password you memorise is the master. Memory burden drops dramatically; real security climbs by orders of magnitude.
Does this tool send my password anywhere? No. All analysis runs in your browser via JavaScript — the string never leaves the page. You can verify by opening DevTools → Network and watching for zero outbound traffic while typing.
How does 2FA change the picture? Two-factor authentication makes even a stolen password useless without the second factor. It does not replace password strength (the attacker may still be in your account long enough to change 2FA settings), but it closes off the most common attack paths.
What is the "HaveIBeenPwned" check? The site (and its k-anonymity API) checks whether your password appears in any known breach corpus — over 800 million compromised passwords as of 2026. Any match means "instantly crackable regardless of entropy." Always check new passwords against this list.
Related Calculators
Other security-relevant developer tools: JWT Decoder for inspecting auth tokens, Base64 Encoder/Decoder for encoded credentials in HTTP headers, URL Encoder/Decoder for query string escapes, and the Regex Tester for extracting sensitive strings from logs. Browse the full Developer Tools category for more.
Disclaimer
This calculator is provided for educational and informational purposes only. While we strive for accuracy, users should verify all calculations independently. We are not responsible for any errors, omissions, or damages arising from the use of this calculator.