Calculator
This page estimates theoretical entropy and attack time. Human-created passwords are often weaker than pure randomness suggests.
Example Data Table
| Example Password | Length | Observed Charset | Entropy | Assessment |
|---|---|---|---|---|
| 12345678 | 8 | 10 | 26.58 bits | Very Weak |
| Summer2026 | 10 | 62 | 59.54 bits | Weak |
| P@ssw0rd!2026 | 13 | 95 | 85.41 bits | Strong |
| wG7!pL2#nQ9@ | 12 | 95 | 78.84 bits | Strong |
| CorrectHorseBatteryStaple! | 26 | 85 | 166.64 bits | Very Strong |
Formula Used
Primary theoretical entropy: H = L × log2(N)
Here, H is entropy in bits, L is password length, and N is the active charset size.
Search space: S = N^L
This estimates the total number of combinations if every position can use the full charset.
Average crack time: T = S / (2 × R)
R is guesses per second. Dividing by two gives the average time, assuming an attacker succeeds halfway through the search.
Empirical Shannon estimate: H_emp = -Σ(p × log2(p)) × L
This uses the observed character frequency distribution. It helps reveal repetition, but it does not replace the theoretical search-space model.
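The four formulas above as a runnable Python sketch; this is an added example, not the calculator's own code. The class sizes (10 digits, 26 + 26 letters, 33 symbols including space) are an assumption chosen because they reproduce the table's charset values, and the 1e10 guesses-per-second rate and the function names are also assumptions.

```python
import math
import string
from collections import Counter

# Assumed class sizes (the page does not list them): 10 + 26 + 26 + 33
# reproduces the "Observed Charset" column of the example table.
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase,
           string.punctuation + " ")  # 32 ASCII symbols + space = 33

def observed_charset(password):
    """N in observed mode: total size of the classes present in the password.
    Characters outside these ASCII classes are not counted."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def theoretical_entropy(password, charset=None):
    """H = L * log2(N); pass charset to model a selected or custom pool."""
    n = charset or observed_charset(password)
    return len(password) * math.log2(n) if n > 1 else 0.0

def average_crack_seconds(entropy_bits, guesses_per_second):
    """T = S / (2 * R) with S = 2**H, computed in log space to avoid overflow."""
    log2_t = entropy_bits - 1 - math.log2(guesses_per_second)
    return 2.0 ** log2_t if log2_t < 1023 else math.inf

def shannon_estimate(password):
    """H_emp = -sum(p * log2(p)) * L over the observed character frequencies."""
    length = len(password)
    if length == 0:
        return 0.0
    per_char = sum(k / length * math.log2(length / k)
                   for k in Counter(password).values())
    return per_char * length

if __name__ == "__main__":
    RATE = 1e10  # assumed guesses per second, not a figure from the page
    # First five are the page's table rows; the last is a constructed sample.
    samples = ["12345678", "Summer2026", "P@ssw0rd!2026", "wG7!pL2#nQ9@",
               "CorrectHorseBatteryStaple!", "aaaaaaaaaaaa"]
    for pw in samples:
        h = theoretical_entropy(pw)
        print(f"{pw:28} N={observed_charset(pw):<3} H={h:7.2f} bits  "
              f"H_emp={shannon_estimate(pw):6.2f} bits  "
              f"T={average_crack_seconds(h, RATE):.3g} s")
```

The constructed sample of twelve repeated letters scores about 56 bits under H = L × log2(N) but 0 bits under the Shannon estimate, which is the repetition the second figure is meant to expose.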
How to Use This Calculator
- Enter a password in the password field.
- Choose an entropy model: observed, selected, or custom charset.
- Set a guess-rate preset or type your own rate.
- Pick a target entropy level for policy comparison.
- Enable or disable character classes if using selected policy mode.
- Click Calculate Entropy to show results above the form.
- Review the score, warnings, graph, and scenario table.
- Download the analysis as CSV or PDF if needed.
FAQs
1) What does password entropy actually measure?
Entropy estimates how many bits of uncertainty a password has. Higher values usually mean more guessing effort. It is most reliable when passwords are randomly generated, not human-made.
2) Why can a long password still be weak?
Length helps, but predictable words, dates, keyboard patterns, and repeated fragments reduce real-world strength. A long but familiar phrase may hold up worse against guessing than a shorter random string.
3) What is the difference between observed and selected charset modes?
Observed mode uses the character classes actually found in the password. Selected mode uses the policy pool you choose, even if not every class is present in the typed password. That can model enforced policies.
4) Why is the Shannon estimate shown separately?
The Shannon estimate reflects how evenly characters are distributed in the password. It helps expose repetition and imbalance. It does not replace brute-force search-space entropy.
5) Are the crack-time estimates guaranteed?
No. Crack time is an estimate based on assumed guessing rates and a brute-force-style search. Real attacks can be faster when passwords are common, or slower when systems rate-limit attempts heavily.
6) What target entropy should I aim for?
It depends on the use case. Around 60 bits can be decent for strong user passwords, 80 bits is often a robust planning target, and 128 bits suits high-security random secrets.
7) Does adding symbols always make a password strong?
Not always. Symbols help expand the charset, but predictable placement like replacing one letter with one symbol may still be guessable. Randomness and length matter more than decoration alone.
8) Should I use this tool for password policy design?
Yes, it can help compare policy pools, target entropy, and attack scenarios. Pair it with real policy controls such as MFA, rate limits, breached-password blocking, and password manager support.