Password Strength Checker
Check password strength by entropy and character variety.
Returns estimated crack time from seconds to centuries with tips to make your password more secure.
Password strength is measured mathematically using entropy — a measure of unpredictability expressed in bits. The higher the entropy, the longer it would take an attacker using a brute-force approach to guess the password.
The entropy formula:
Entropy (bits) = log₂(Character Set Size) × Password Length
Or equivalently:
Entropy (bits) = Password Length × log₂(N)
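Where N is the number of possible characters in the pool being used. The formula assumes every character is chosen independently and uniformly at random, so for a human-chosen password it is an upper bound on the real guessing effort.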
Character set sizes:
| Character Set | N | Bits per Character |
|---|---|---|
| Digits only (0–9) | 10 | 3.32 bits |
| Lowercase letters | 26 | 4.70 bits |
| Lower + uppercase | 52 | 5.70 bits |
| Lower + upper + digits | 62 | 5.95 bits |
| Full printable ASCII | 95 | 6.57 bits |
Worked examples:
- “password” (8 lowercase): 8 × 4.70 = 37.6 bits — cracked in seconds
- “P@ssw0rd!” (9 chars, full ASCII): 9 × 6.57 = 59.1 bits — cracked in hours by modern hardware
- “correct-horse-battery-staple” (28 chars, lowercase + hyphen): 28 × 4.92 = 137.8 bits — essentially uncrackable
Time-to-crack benchmarks (10 billion guesses/second — modern GPU):
| Entropy | Time to crack |
|---|---|
| < 40 bits | Milliseconds |
| 40–60 bits | Hours to days |
| 60–80 bits | Years |
| 80–100 bits | Millions of years |
| 100+ bits | Computationally infeasible |
NIST password guidelines (SP 800-63B):
- Minimum 8 characters for user-created passwords
- Minimum 6 characters for system-generated passwords
- Check against breached password databases
- Do not require special characters (length matters more)
- Do not require periodic changes unless a breach is suspected
Passphrases outperform complex short passwords. Four random words (~55+ bits) are both more memorable and more secure than “P@$w0rd1” (less than 50 bits).
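The calculation described on this page, as an added Python example (not the tool's own code): it derives N from the character classes present, applies the entropy formula, converts the result to a worst-case crack time at the page's 10 billion guesses/second, and lets a blocklist hit override the estimate, as the breached-password guideline implies. The class-based pool, the function names and the four-entry blocklist are assumptions constructed for illustration.

```python
import math
import string

GUESSES_PER_SECOND = 10_000_000_000  # rate from the page's benchmark table

# Constructed stand-in for a breached-password corpus (assumption, not real data).
SAMPLE_BLOCKLIST = {"password", "p@ssw0rd!", "123456", "qwerty"}

# Character classes and the pool size each contributes; together they total 95.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
]

UNITS = [("centuries", 3_155_760_000), ("years", 31_557_600), ("days", 86_400),
         ("hours", 3_600), ("minutes", 60), ("seconds", 1)]


def pool_size(password):
    """N = summed size of every class present (non-ASCII characters are ignored)."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def entropy_bits(password):
    """Entropy = length * log2(N); an upper bound that assumes random characters."""
    n = pool_size(password)
    return len(password) * math.log2(n) if n else 0.0


def crack_time(bits, rate=GUESSES_PER_SECOND):
    """Worst-case exhaustive search time, reported in the largest unit >= 1."""
    seconds = 2 ** min(bits, 1000) / rate  # cap the exponent to avoid float overflow
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "under a second"


def assess(password, blocklist=SAMPLE_BLOCKLIST):
    """A blocklist hit overrides the entropy estimate: listed guesses are tried first."""
    if password.lower() in blocklist:
        return {"bits": 0.0, "crack_time": "under a second", "reason": "blocklisted"}
    bits = entropy_bits(password)
    return {"bits": round(bits, 1), "crack_time": crack_time(bits), "reason": "entropy"}
```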