Password Strength Calculator

Follow these steps to check your password strength:

1. Enter your password length. Count the number of characters in your password. This is the single most important factor in password strength.
2. Select which character types your password includes. Toggle on lowercase letters if your password contains any letters a–z. Toggle on uppercase letters if it contains A–Z. Toggle on numbers if it contains 0–9. Toggle on special characters if it includes symbols like !, @, #, $, %, ^, &, *, (, ), -, _, =, +, [, ], {, }, |, ;, :, ", ', <, >, ,, ., ?, /, or ~. The calculator will only count the types you select, even if it doesn't know your actual password.
3. Review the results. The calculator displays your password's entropy (in bits), the number of possible combinations, estimated crack time for online attacks (limited by server rate limiting), and estimated crack time for offline attacks (if a hashed database is stolen). It also provides an overall strength rating: Very Weak, Weak, Moderate, Strong, or Very Strong.
4. Compare different password strategies. Run the calculation multiple times with different lengths and character types to see how each factor affects strength. For example, compare a 16-character lowercase-only passphrase with a 12-character password mixing all character types to understand the trade-off between length and complexity.

Remember: This calculator uses only the characteristics you specify—your actual password is never entered, stored, or transmitted. Use it as a tool to understand password strength and make informed decisions about your security.

Password entropy is a measure of how unpredictable and difficult a password is to crack through brute-force attacks. Measured in bits, each additional bit of entropy doubles the number of possible password combinations. A password with 50 bits of entropy has 2⁵⁰ (approximately 1 quadrillion) possible combinations, while a password with 80 bits has 2⁸⁰ (approximately 1.2 sextillion) combinations. In practice, this exponential growth makes the difference between a password that can be cracked in days and one that would take centuries or longer, even with powerful computing resources.

Password strength is determined by two key factors: length and character diversity. Length is the dominant factor—a 6-character password with every possible character type is much weaker than a 16-character password with only lowercase letters. According to the National Institute of Standards and Technology (NIST), modern password guidance emphasizes length over complexity. A long passphrase of random words (like "correct-horse-battery-staple") is stronger than a short, complex password (like "P@ssw0rd!"). The key difference is randomness: "Tr0pic@l2024" looks complex but can be guessed quickly because humans follow predictable patterns when creating complex passwords.

Brute-force attacks work by systematically trying every possible password combination until the correct one is found. An online attacker trying to log into your account is limited by rate limiting—most services allow only a few hundred to thousand login attempts per minute, and accounts lock temporarily after multiple failures. An offline attacker, by contrast, has stolen a password hash database and can attempt guesses at vastly higher speeds: billions or even trillions of guesses per second using GPU clusters. This is why a password's entropy matters more than you might initially think—even a "strong" 10-character password becomes weak against an offline attack with billions of guesses per second.

Password strength recommendations have evolved. NIST now advises users to create long, memorable passphrases rather than complex, difficult-to-remember passwords. A 16-character passphrase with lowercase letters only (about 75 bits of entropy) is stronger than most people's 8-character "complex" passwords. The best practice for critical accounts is to use a password manager like Bitwarden, 1Password, or KeePass to generate and store truly random 20+ character passwords with mixed character types. For accounts you must remember, aim for at least 12 to 16 characters combining uppercase, lowercase, numbers, and symbols, or a passphrase of 4+ random words. Never reuse passwords across sites—if one service is compromised, unique passwords ensure your other accounts remain secure.

The password strength calculation uses the following formulas:

• Character Set Size = (26 if lowercase) + (26 if uppercase) + (10 if numbers) + (33 if symbols)
• Entropy (H) = L × log₂(R), where L = password length and R = character set size
• Possible Combinations = R^L (character set size raised to the power of password length)
• Crack Time (Online) = (Possible Combinations ÷ 2) ÷ 1,000 guesses/second
• Crack Time (Offline) = (Possible Combinations ÷ 2) ÷ 10,000,000,000 guesses/second
• Strength Rating: Very Weak (entropy < 28 bits), Weak (28–35), Moderate (36–59), Strong (60–79), Very Strong (80+ bits)

The factor of ÷ 2 in crack time calculations represents the average case: on average, a brute-force attacker will need to try half of all possible combinations before finding the correct password.

Example 1 — Weak 6-Character Lowercase Password: Consider a password "secret" (6 characters, lowercase only). Character set size = 26. Entropy = 6 × log₂(26) = 6 × 4.7 ≈ 28.2 bits. Possible combinations = 26⁶ = 308,915,776 (about 309 million). Crack time online (at 1,000 guesses/sec) = 309 million ÷ 2 ÷ 1,000 = 154,458 seconds ≈ 1.8 days. Crack time offline (at 10 billion guesses/sec) = 309 million ÷ 2 ÷ 10 billion ≈ 0.015 seconds. This password is "Very Weak" and would be cracked in under a second by an offline attack. Additionally, "secret" is a dictionary word and would be cracked even faster using a dictionary attack.

Example 2 — Moderate 10-Character Mixed Password: Consider "Tr0pic@Sun" (10 characters, lowercase, uppercase, numbers, and symbols). Character set size = 26 + 26 + 10 + 33 = 95. Entropy = 10 × log₂(95) = 10 × 6.57 ≈ 65.7 bits. Possible combinations = 95¹⁰ ≈ 6.1 × 10¹⁹. Crack time online = 6.1 × 10¹⁹ ÷ 2 ÷ 1,000 ≈ 3 × 10¹⁵ seconds ≈ 95 million years. Crack time offline = 6.1 × 10¹⁹ ÷ 2 ÷ 10 billion ≈ 3 × 10⁹ seconds ≈ 95 years. This password is "Strong" and would resist even offline attacks for decades.

Example 3 — Strong 16-Character Passphrase: Consider "CorrectHorseBatteryStaple" (but without spaces, as "CorrectHorseBatteryStaple" is 26 characters; let's use a simpler example: "MyPassword123!!!" with 16 characters, uppercase, lowercase, numbers, and symbols). Character set size = 95. Entropy = 16 × log₂(95) = 16 × 6.57 ≈ 105.1 bits. Possible combinations = 95¹⁶ ≈ 4.4 × 10³¹. Crack time online ≈ 7 × 10²³ seconds ≈ 22 septillion years. Crack time offline = 4.4 × 10³¹ ÷ 2 ÷ 10 billion ≈ 2.2 × 10²¹ seconds ≈ 70 trillion years. This password is "Very Strong" and is effectively uncrackable by any realistic computing resource, even accounting for Moore's Law and future technological advances. A simpler approach with the same strength would be a 4-word passphrase like "correct-horse-battery-staple" (28 characters, lowercase and hyphens): Entropy ≈ 82 bits, which is still "Very Strong" and much easier to remember.