UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

Password Entropy Calculator

Calculate the entropy of any password in bits and estimate the brute-force time for various attack speeds.

About Password Entropy Calculator

The Password Entropy Calculator computes the information-theoretic entropy of a password in bits, based on the size of the character set used and the password length. Higher entropy means more possible passwords and therefore exponentially harder brute-force attacks. The tool identifies which character classes are used (lowercase, uppercase, digits, symbols), calculates the resulting pool size, and computes entropy as log2(pool^length). It then estimates cracking time across multiple attack scenarios: online throttled (100/s), offline slow hash (10k/s), offline fast hash (10B/s), and GPU cluster (100T/s). This helps users understand the practical security of their password choices.

Why use Password Entropy Calculator

  • Shows entropy in bits — the most accurate, attack-speed-independent metric.
  • Estimates cracking time for four attack speed tiers from online to GPU cluster.
  • Identifies which character classes increase the pool and entropy most.
  • All computation is local — your password never leaves your browser.
  • Helps your team align on a numeric entropy target rather than vague rules like must contain a symbol.
  • Demonstrates the impact of password reuse and pattern-based passwords on effective security, even when math suggests adequate length.

How to use Password Entropy Calculator

  1. Type or paste a password into the input field (the password is never stored or transmitted).
  2. The entropy in bits and character set details are shown immediately.
  3. Review the estimated brute-force time table for different attack speeds.
  4. Use the guidance to adjust your password for the required security level.
  5. Try modifying the password to add or remove a character class and watch the entropy change live to learn which choices matter most.
  6. Compare two candidate passwords side-by-side by pasting and clearing the field — the calculator updates instantly without saving any state.

When to use Password Entropy Calculator

  • Evaluating whether a generated password meets a target entropy level (e.g. 128 bits).
  • Teaching users about the relationship between password length, charset, and security.
  • Comparing the strength of different password policies.
  • Debugging password strength requirements in security applications.
  • Auditing the strength of generated tokens or session cookies to ensure they exceed 128 bits before approving a security review.
  • Designing or reviewing password policies; entropy thresholds are far more defensible than ad-hoc complexity rules.

Examples

Short numeric PIN

Input: 1234

Output: Length 4, alphabet 10 → 13.3 bits. Cracked online in seconds; offline instant.

Common 8-char mixed password

Input: Pa55word

Output: Length 8, alphabet ~62 → 47.6 bits — but pattern warning fires (substitutions reduce real entropy to ~25 bits). GPU cluster: instant.

Strong 16-char random password

Input: kT9!fZ2qLm@8nVbX

Output: Length 16, alphabet ~94 → 104.8 bits. GPU cluster: ~2 trillion years — adequate for high-value secrets.

Six-word Diceware passphrase

Input: correct horse battery staple thunder ribbon

Output: Length 6 words, alphabet 7776 → 77.5 bits. Offline fast hash: ~600 years — strong enough for general-purpose use.

Tips

  • Aim for 80+ bits of entropy for everyday accounts and 128+ bits for credentials guarding sensitive data; 64 bits and below is considered weak in 2026.
  • Length almost always beats character-set complexity. Adding one extra random character to a 64-symbol alphabet adds about 6 bits, while adding all symbols to a 6-character password adds only ~6 bits total.
  • If you use a passphrase of 4-6 random words, you get roughly 13 bits per word from a 7,776-word dictionary (Diceware) — six words yields about 78 bits, decent for general use.
  • This calculator assumes random characters. Anything based on real words, dates, or keyboard walks has dramatically lower effective entropy than the math says.
  • Pair entropy targets with rate-limiting. A 60-bit entropy is fine if the attacker is throttled to 10 attempts per second, but trivial if the password file leaks and offline cracking is possible.
  • For password policies, do not require character classes (uppercase, digit, symbol). They reduce the effective alphabet (because users predictably substitute) and frustrate users into writing them down.
  • Re-evaluate entropy targets every few years; GPU password cracking gets faster, so a 100-bit password considered safe today might be weaker against 2030 hardware.

Frequently Asked Questions

What is password entropy?
Entropy measures the randomness of a password in bits. A password with N bits of entropy is as hard to brute-force as guessing a random N-bit number — each extra bit doubles the difficulty.
How much entropy is considered secure?
NIST SP 800-63B recommends at least 112 bits for general use. 128 bits is a widely accepted strong target. Over 200 bits is overkill for most use cases.
Why does character set matter more than just length?
Entropy = log2(pool_size) × length. Adding uppercase (pool 26→52) adds 1 bit per character. Adding all printable ASCII (pool 95) adds about 6.6 bits per character.
Does this account for common patterns or dictionary words?
No. This calculator assumes randomly chosen characters. Predictable patterns (dictionary words, keyboard walks) have far lower effective entropy than the mathematical maximum.
Is my password saved or transmitted?
No. The password field is never stored, logged, or sent to any server. All calculation is performed locally in JavaScript.
Why are my password's bits lower than I expected?
The calculator multiplies length by log2(alphabet size). If your password contains repeats or a small alphabet (only digits, only letters), the result will be much lower than for a uniformly random selection of equal length.
How does this compare to zxcvbn-style strength meters?
zxcvbn estimates effective entropy after subtracting predictable patterns. This tool shows the maximum theoretical entropy assuming uniform randomness; for real-world passwords, treat the displayed value as an upper bound.
What entropy do password managers' generators target?
Most managers default to 16-20 character random passwords with a 90+ alphabet, giving 100+ bits — well above any sensible threshold for site logins.

Explore the category

Password Strength Checker Heuristic scoring without uploading secrets. Paste and Share Share text with a short link, expiry, optional max opens, password, and QR code Unix Time Converter Convert Unix timestamps to readable date and back Snowflake ID Generator Generate Twitter-style Snowflake IDs — 64-bit time-ordered unique integers used in distributed social platforms. SSH Public Key Fingerprint Calculate the MD5 and SHA-256 fingerprints of an SSH public key to verify identity without sharing the full key. Color Blindness Simulator Simulate how colors or images appear to people with various types of color blindness including deuteranopia and protanopia.
How Bcrypt Hashes Passwords (And Why Cost Factor Matters) Bcrypt is the password-hashing standard most modern apps still rely on. Here's how the Blowfish-based KDF works, why the cost factor matters May 2026 · 9 min Hashing Algorithms Explained: MD5, SHA-256, bcrypt — When to Use Which MD5 and bcrypt are both called hashing algorithms, but they serve completely different purposes. This guide explains what makes a hash funct Jan 2026 · 10 min Argon2 vs Bcrypt vs Scrypt: Which Password Hash Should You Use? Modern password hashing has three serious contenders. We compare Argon2, bcrypt, and scrypt on memory hardness, GPU resistance, ecosystem su May 2026 · 9 min

Glossary

Entropy
The information-theoretic randomness of a password, measured in bits. N bits of entropy means 2^N possible passwords.
Bits of entropy
The unit used to compare passwords. Each extra bit doubles the search space and therefore the brute-force time.
Alphabet / character pool
The set of distinct characters from which a password is drawn. Bigger pools yield more entropy per character.
Brute force
Trying every possible password until one works. Cost grows exponentially with entropy and can be parallelized across many GPUs.
Online attack
Password guessing against a live login endpoint. Limited by rate-limiting, lockouts, and network round-trip time, typically 10-1000 guesses/second.
Offline attack
Password guessing against a leaked hash. Limited only by hardware speed and the slowness of the hash function. GPUs can attempt 10^10 to 10^14 hashes/sec depending on algorithm.
Diceware
A passphrase generation method that picks random words from a 7,776-word list using physical dice. Each word contributes about 12.9 bits of entropy.
NIST SP 800-63B
U.S. standard guidelines for digital identity. Recommends discontinuing arbitrary complexity rules in favor of length and breach-list checks.