Calculator Inputs
Use the form below to score a password, test policy rules, and estimate resistance under different attack speeds.
Strength Profile Graph
The chart compares length, variety, uniqueness, pattern safety, and policy fit on a 0–100 scale.
Submit a password to draw the graph.
Example Data Table
| Sample | Length | Character Pool | Adjusted Entropy | Score | Rating | Offline Fast Crack Time |
|---|---|---|---|---|---|---|
| he••••23 | 8 | 36 | 34.26 bits | 65/100 | Good | ~1.0 seconds |
| S3••••••••42 | 12 | 95 | 78.84 bits | 100/100 | Excellent | ~8.56 × 10^5 years |
| A!••••••••••••k1 | 16 | 95 | 105.12 bits | 100/100 | Excellent | ~6.97 × 10^13 years |
| aa••••••••••••!! | 16 | 95 | 70.52 bits | 84/100 | Strong | ~2.68 × 10^3 years |
Formula Used
This calculator estimates strength using a layered scoring model. It starts with theoretical entropy, then reduces that estimate when it detects predictable structures.
Raw Entropy = Length × log₂(Character Pool)Adjusted Entropy = Raw Entropy − Pattern PenaltiesAverage Guesses ≈ 2^(Adjusted Entropy − 1)Crack Time = Average Guesses ÷ Guess RateFinal Score = Length + Variety + Uniqueness + Pattern Safety + Policy
Pattern penalties increase when the password contains repeats, short sequences, common weak terms, years, or personal words. The final score is capped between 0 and 100.
How to Use This Calculator
- Enter the password you want to test.
- Optionally confirm it to verify you typed the intended value.
- Select an attack model that matches your security scenario.
- Set your policy minimum length and required character types.
- Add a personal word to detect names or usernames inside the password.
- Press Calculate Strength to view the score above the form.
- Review entropy, crack-time estimates, policy checks, recommendations, and the Plotly graph.
- Use the CSV or PDF button to export the current result summary.
FAQs
1) Does a longer password always score better?
Usually yes, but only if predictability stays low. A long password made of repeats, obvious words, or sequences can still receive heavy penalties and weaker crack-time estimates.
2) Why does the calculator estimate crack time?
Crack time translates entropy into a practical estimate. It shows how quickly an attacker might guess the password under different speeds, from slow online attempts to fast offline attacks.
3) What is the character pool?
The character pool is the approximate set of possible characters used by the password. Lowercase, uppercase, digits, symbols, and spaces all expand the pool and increase raw entropy.
4) Why are repeated characters penalized?
Repeats reduce effective randomness. Attackers exploit duplicated patterns because they lower search complexity compared with a password that uses more unique and less predictable characters.
5) Should I use symbols everywhere?
Symbols help, but length and unpredictability matter more. A balanced password with strong length, varied characters, and no obvious patterns often beats a short password overloaded with symbols.
6) Why check for personal words?
Names, usernames, birthdays, and familiar terms are often tested first in targeted attacks. Removing personal clues makes a password harder to predict from public or reused information.
7) Is this the same as a real password audit?
No. This is an estimator. Real security also depends on rate limits, breach exposure, hashing quality, multifactor protection, and whether the same password is reused elsewhere.
8) What is the best way to improve my score?
Increase length first, then remove repeats, avoid common words, mix character types, and keep the password unique for every account. A password manager makes that much easier.