Build passwords for apps, teams, servers, and wireless devices. Tune symbols, length, and exclusions easily. See entropy, strength trends, and export clean security summaries.
This line graph shows how entropy grows as the random length increases under your current policy.
| Profile | Random Length | Pool Size | Repeat Rule | Entropy Bits | Average Crack View | Example Output |
|---|---|---|---|---|---|---|
| Application Login | 16 | 67 | Allowed | 97.11 | Very long at 10 billion guesses each second | Y7@pL2!mQ4#tR8$s |
| Admin Console | 20 | 67 | Allowed | 121.38 | Extremely long under fast offline attack models | K9$uN4!xV7@hD2#qM5%w |
| Device Key | 24 | 57 | Blocked | 132.48 | Massive search space with no repeated characters | Z8!fR2#nT5@wQ6$sJ7%kL9&m |
Allowed Pool Size (N): Count every unique character still available after all selected groups, exclusions, and custom include characters are merged.
Combinations with repeats allowed: N^L, where L is the random password length.
Combinations with repeats blocked: N × (N - 1) × (N - 2) × ... × (N - L + 1).
Entropy Bits: log2(Combinations). Higher entropy means more unpredictability.
Strength Score: min(100, round(Entropy Bits)).
Average Crack Time: Combinations ÷ 2 ÷ guesses_per_second. The divisor of two reflects the average search position.
Important note: fixed prefixes and suffixes are not counted as random entropy because reusable fixed text can weaken real deployments.
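The formulas above, carried through in Python as an added example (not this calculator's own code). The function names, the sample character groups, and the choice to apply exclusions after custom includes are assumptions made for illustration.

```python
import math
import secrets
import string

def build_pool(groups, exclude="", include=""):
    # Merge groups and custom includes, deduplicate, then drop exclusions.
    # Applying exclusions last is an assumption; the page does not give the order.
    return sorted((set("".join(groups)) | set(include)) - set(exclude))

def entropy_bits(pool_size, length, allow_repeats=True):
    if pool_size < 1 or length < 1:
        raise ValueError("pool size and length must be positive")
    if allow_repeats:
        return length * math.log2(pool_size)  # log2(N^L)
    if length > pool_size:
        raise ValueError("length exceeds pool size when repeats are blocked")
    # log2(N x (N-1) x ... x (N-L+1)), summed term by term
    return sum(math.log2(pool_size - i) for i in range(length))

def strength_score(bits):
    return min(100, round(bits))

def average_crack_seconds(bits, guesses_per_second):
    # Half the search space on average, as in the Average Crack Time formula.
    return 2 ** bits / 2 / guesses_per_second

def generate(pool, length, allow_repeats=True):
    entropy_bits(len(pool), length, allow_repeats)  # reject impossible policies
    remaining = list(pool)
    out = []
    for _ in range(length):
        i = secrets.randbelow(len(remaining))  # CSPRNG-backed, unbiased index
        out.append(remaining[i] if allow_repeats else remaining.pop(i))
    return "".join(out)

if __name__ == "__main__":
    # Constructed policy: letters and digits minus look-alike characters.
    pool = build_pool([string.ascii_letters, string.digits], exclude="l1O0")
    for repeats in (True, False):
        bits = entropy_bits(len(pool), 16, repeats)
        secs = average_crack_seconds(bits, 1e10)
        print(f"repeats={repeats} N={len(pool)} bits={bits:.2f} "
              f"score={strength_score(bits)} avg_crack_s={secs:.3e} "
              f"sample={generate(pool, 16, repeats)}")
```

Running it shows that blocking repeats lowers entropy slightly for the same pool and length, because each drawn character shrinks the remaining pool.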
Entropy estimates unpredictability. Higher entropy means more possible guesses, which generally increases resistance to brute force attacks. It is a mathematical guide, not a guarantee against weak storage or phishing.
Usually yes, because symbols enlarge the allowed pool. Strength rises most when symbols are added to a longer random password instead of replacing good length with a short but complex pattern.
Blocking repeats can satisfy policy rules, but it also changes the combination model. In most cases, longer length matters more than removing repeats. Use the option only when your environment requires it.
A reusable fixed prefix or suffix can become predictable. This calculator treats only the random core as true entropy so the reported strength remains conservative and easier to compare.
Use a rate that matches your threat model. Online logins may allow very few guesses, while offline attacks against leaked hashes can be dramatically faster. The input helps you compare scenarios.
This file uses random_int(), which draws from a cryptographically secure source in modern environments. Security still depends on safe transport, storage, and avoiding exposure in browser history or screenshots.
Errors appear when exclusions remove every character from a chosen group, or when length becomes too short for every required group. The tool validates these cases before generation.
Export when you need a review sheet, temporary provisioning record, or audit artifact. Handle exported files carefully because they may contain live credentials and should never stay in shared storage.