Password Strength Checker

Last updated: March 28, 2026

Calculator

Results

Character Set Size: 95 chars
Entropy: 78.84 bits
Strength Score: 62/100
Time to Crack: 562,949.95 seconds
Time to Crack: 0.0179 years

The Password Strength Checker provides a comprehensive assessment of password security by analyzing the composition of character types and length to compute entropy, an overall strength score, and estimated crack time. Unlike simplistic strength meters that rely on pattern matching, this tool applies rigorous information-theoretic analysis to quantify exactly how resistant a password is to brute-force attacks.

Password security is a layered problem. The first layer is the password itself—its entropy determines how large the search space is for an attacker. The second layer is the hashing algorithm used to store it—bcrypt, scrypt, or Argon2id can slow attacks by orders of magnitude. The third layer is system-level protections like rate limiting, account lockout, and multi-factor authentication. This calculator addresses the first and most fundamental layer: the intrinsic strength of the password itself.

The tool works by computing the effective character set size based on which character classes you include: uppercase letters (26), lowercase letters (26), digits (10), and special characters (33 printable ASCII symbols). The entropy is then calculated as the password length multiplied by log2 of the character set size. This approach follows the methodology outlined in NIST SP 800-63B and is consistent with the entropy models used in academic password security research.

The strength score is normalized to a 0–100 scale, where 100 represents 128 bits of entropy—the gold standard for symmetric cryptographic key strength. A score of 50 indicates 64 bits of entropy, which provides strong protection for most online accounts. Scores below 30 indicate passwords vulnerable to commodity hardware attacks, while scores above 75 represent enterprise-grade security.

Modern password cracking has become remarkably efficient. Tools like Hashcat and John the Ripper leverage GPU acceleration to test billions of password candidates per second against common hash types. The 2024 Hive Systems password table shows that an 8-character password using all character types can be cracked in under 5 minutes using a cluster of GPUs attacking MD5 hashes. This makes password length and character diversity more critical than ever.

By toggling character classes on and off, you can directly observe how each class contributes to overall security. This interactive exploration helps build intuition about password construction and demonstrates why security experts universally recommend using all four character classes with a minimum length of 12-16 characters for important accounts.

How It Works

The calculator builds the character set size from the selected character classes:

$$S = 26 \cdot U + 26 \cdot L + 10 \cdot D + 33 \cdot P$$

where U, L, D, P are binary flags (0 or 1) for uppercase, lowercase, digits, and special (printable) characters respectively. The 33 special characters are the printable ASCII symbols: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ plus space.

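Entropy is computed using the Shannon formula, where L now denotes the password length (not the lowercase flag used in the character set formula above):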

$$H = L \times \log_2(S)$$

The strength score normalizes entropy to a 0–100 scale:

$$\text{Score} = \min\left(\left\lfloor \frac{H}{128} \times 100 \right\rfloor, 100\right)$$

This maps 128 bits (the AES-128 key size, considered computationally infeasible to brute-force) to a perfect score of 100.

Crack time is estimated as the full search space divided by the attack speed:

$$t = \frac{S^L}{G}$$

The default attack speed of 10^9 guesses per second represents a mid-range GPU attacking unsalted SHA-256 hashes. Adjust this parameter to model different attack scenarios—for bcrypt with cost factor 12, use approximately 5,000 g/s; for online attacks with rate limiting, use 100 g/s or less.

Understanding Your Results

A score of 0–25 indicates a critically weak password that can be cracked in seconds to minutes. Immediately change any password in this range. A score of 25–50 provides minimal protection adequate only for throwaway accounts with no sensitive data.

A score of 50–75 represents solid security for everyday accounts, corresponding to 64–96 bits of entropy. This range is suitable for most personal accounts when combined with unique passwords and a password manager. A score of 75–100 provides enterprise-grade or cryptographic-strength security, suitable for master passwords, admin accounts, and encryption keys.

Pay attention to the crack time in years. If it exceeds the age of the universe (13.8 billion years), your password is effectively uncrackable by brute force. However, remember that targeted attacks may use dictionaries, leaked password lists, or social engineering rather than pure brute force, so entropy alone does not guarantee security against all attack vectors.

Worked Examples

Lowercase-Only 8-Character Password

Inputs

length: 8
has uppercase: 0
has lowercase: 1
has digits: 0
has special: 0
guesses per second: 1000000000

Results

charset size: 26
entropy bits: 37.6
score: 29
crack time seconds: 0.21
crack time years: 0

An 8-character lowercase-only password has just 37.6 bits of entropy and a score of 29/100. It can be cracked in under a second at 1 billion guesses per second. This is dangerously weak for any account.

Full-Complexity 16-Character Password

Inputs

length: 16
has uppercase: 1
has lowercase: 1
has digits: 1
has special: 1
guesses per second: 1000000000

Results

charset size: 95
entropy bits: 105.09
score: 82
crack time seconds: 4.4e+22
crack time years: 1400000000000000

A 16-character password using all character types scores 82/100 with 105 bits of entropy. Cracking would take over a quadrillion years—this is an excellent password for any purpose.

Frequently Asked Questions

The score maps password entropy to a 0–100 scale where 100 equals 128 bits of entropy (AES-128 key strength). The formula is Score = min(floor(entropy / 128 × 100), 100). A score of 50 means 64 bits of entropy, 75 means 96 bits, and so on. This provides an intuitive linear scale tied to a well-understood cryptographic benchmark.

The printable ASCII character set (codes 32–126) contains 95 characters total: 26 uppercase, 26 lowercase, 10 digits, and 33 special characters. The special characters include punctuation marks, mathematical symbols, brackets, and the space character. Some systems restrict which special characters are allowed, which would reduce the effective set size.

For everyday personal accounts: 50+ (64 bits). For email, banking, and important accounts: 65+ (83 bits). For master passwords and admin accounts: 75+ (96 bits). For cryptographic keys: 100 (128 bits). Remember to also use unique passwords per site and enable multi-factor authentication for critical accounts.

No. This calculator computes theoretical entropy assuming truly random character selection. Real passwords chosen by humans often contain dictionary words, keyboard patterns, or personal information that dramatically reduce effective entropy. For practical password auditing that checks against breach databases and pattern analysis, use tools like zxcvbn or Have I Been Pwned.

Entropy scales linearly with length but only logarithmically with character set size. Adding one character to a full-ASCII password adds about 6.6 bits, while adding all special characters to an alphanumeric password adds only about 0.6 bits per existing character. A 20-character lowercase password (94 bits) is stronger than a 12-character full-complexity password (79 bits).

MFA adds an independent authentication factor that brute-force password cracking cannot bypass. Even a weak password combined with a hardware security key or TOTP code provides strong protection against remote attacks. However, if an attacker obtains the hashed password database for offline cracking, MFA does not protect the password itself—so strong passwords remain important.

Use a password manager to generate and store unique random passwords of 16+ characters for every account. Your master password should be a memorable passphrase of 5+ random words (77+ bits). Enable MFA everywhere possible. This strategy provides maximum entropy per password while remaining practical for daily use. NIST, CISA, and all major security organizations recommend this approach.

Password managers use cryptographically secure pseudorandom number generators (CSPRNGs) seeded from operating system entropy sources (/dev/urandom on Linux, CryptGenRandom on Windows). These generators produce output indistinguishable from true randomness, ensuring each character position is independently and uniformly selected from the chosen character set—achieving the full theoretical entropy.

Grover's algorithm on a quantum computer could search an N-item space in √N steps, effectively halving the entropy bits. A 128-bit password would have 64-bit effective strength against quantum brute force. However, practical quantum computers capable of this are not expected for decades. Current NIST post-quantum guidelines recommend 256-bit security levels to be future-proof.

If all toggles are off, the character set size is 0, which would make the entropy calculation undefined (log of 0). The calculator uses a safeguard of minimum charset size 1 in this edge case. In practice, a password must use at least one character class. Always enable at least one toggle to get meaningful results.
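
An added example (not Roboculator's code) that implements the formulas from How It Works, including the empty-selection safeguard, then inverts the entropy formula to find the shortest length for a target and draws the password from the operating system's CSPRNG as the password-manager answer above describes. The function names and the 96-bit target are choices made for this example.

```python
import math
import secrets
import string

# Character classes as the page counts them: 26 + 26 + 10 + 33 = 95.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": string.punctuation + " ",   # 32 symbols plus space = 33
}

def alphabet(classes):
    """Concatenate the selected classes; S is the length of the result."""
    return "".join(CLASSES[c] for c in classes)

def entropy_bits(length, charset_size):
    # H = L * log2(S); clamp S to 1 so an empty selection yields 0 bits
    # instead of log2(0), matching the safeguard the page describes.
    return length * math.log2(max(charset_size, 1))

def score(bits):
    # Linear 0-100 scale where 128 bits maps to 100.
    return min(math.floor(bits / 128 * 100), 100)

def crack_seconds(bits, guesses_per_second):
    # t = S^L / G, computed as 2^(H - log2 G) without building the integer S^L.
    return 2.0 ** (bits - math.log2(guesses_per_second))

def min_length(target_bits, charset_size):
    """Smallest L with L * log2(S) >= target_bits."""
    if charset_size < 2:
        raise ValueError("need at least two symbols to reach any entropy target")
    return math.ceil(target_bits / math.log2(charset_size))

def generate(target_bits, classes=tuple(CLASSES)):
    """Draw each position independently and uniformly from the OS CSPRNG."""
    chars = alphabet(classes)
    n = min_length(target_bits, len(chars))
    return "".join(secrets.choice(chars) for _ in range(n))

if __name__ == "__main__":
    pw = generate(96)                      # 96 bits = score 75 on the page's scale
    bits = entropy_bits(len(pw), len(alphabet(CLASSES)))
    print(len(pw), round(bits, 2), score(bits))
    # Attack speeds named on the page: fast hash, bcrypt cost 12, rate-limited online.
    for label, g in (("1e9 g/s", 1e9), ("5,000 g/s", 5e3), ("100 g/s", 1e2)):
        print(label, f"{crack_seconds(bits, g) / 31_557_600:.3g} years")
```

The entropy figure only holds because every position comes from `secrets.choice`; the same length typed by a person does not carry the same number of bits.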

Sources & Methodology

NIST SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management (2017, updated 2024).
Hive Systems Password Table (2024): https://www.hivesystems.com/password-table
Shannon, C.E. (1948). A Mathematical Theory of Communication.
zxcvbn: Low-Budget Password Strength Estimation, Wheeler (2016), USENIX Security.
Roboculator Team

The Roboculator Team explains calculations, planning tools, and practical formulas in clear language for real-life situations.
