Check entropy, crack time and get real-time feedback on how strong your password really is
This tool calculates password entropy — a mathematical measure of how unpredictable your password is — and converts that into an estimated crack time based on current GPU attack speeds. Everything runs in your browser using JavaScript. Your password is never typed into a form that submits to a server, never logged, and never leaves your device.
Unlike tools that just flag "weak" or "strong" based on simple rules, this one shows you the actual entropy in bits and the estimated time it would take an attacker to brute-force it, so you can see exactly how much each character you add actually helps.
Entropy is measured in bits. Each bit added doubles the number of possible combinations an attacker must try. Here's what different entropy levels mean in practice:
| Entropy (bits) | Strength | Est. Crack Time (GPU) | Example |
|---|---|---|---|
| 0–28 bits | Very Weak | Instant to seconds | abc, 1234, pass |
| 28–35 bits | Weak | Minutes to hours | hello123, abc123! |
| 36–59 bits | Moderate | Days to months | T!ger2024$x |
| 60–79 bits | Strong | Decades to centuries | K#9mP$vL2@nQ |
| 80–99 bits | Very Strong | Millions of years | correct-horse-battery-staple |
| 100+ bits | Extreme | Beyond computational reach | 16+ random mixed chars |
Crack time assumes a modern GPU running ~100 billion guesses/second against an unsalted MD5 hash — one of the weakest storage methods. Against bcrypt or Argon2 (what secure apps use), crack times are orders of magnitude longer.
Entropy is calculated as: entropy = length × log2(charset_size)
The charset size depends on which character types you use:
| Character Set | Size | Bits per Character | Example Characters |
|---|---|---|---|
| Digits only | 10 | 3.32 bits | 0–9 |
| Lowercase letters | 26 | 4.70 bits | a–z |
| Lower + uppercase | 52 | 5.70 bits | a–z, A–Z |
| Alphanumeric | 62 | 5.95 bits | a–z, A–Z, 0–9 |
| Full ASCII printable | 94 | 6.55 bits | a–z, A–Z, 0–9, !@#$… |
Adding symbols increases the charset from 62 to 94 — about 0.6 bits per character. Adding one more character to your password adds ~6.5 bits. Length beats complexity every time. A 20-character lowercase passphrase beats a 10-character "complex" password with symbols.
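The formula and charset table above can be sketched in JavaScript as follows. This is an added example, not the tool's own source: the function names, the treatment of any non-alphanumeric character as one of 32 ASCII symbols, and the sample passwords are assumptions. It implements only the plain formula, so the result is an upper bound that holds when every character is chosen at random.

```javascript
// Added example: charset-based entropy and crack-time estimate (not the tool's source).
// Character classes sized as in the table above: 10 + 26 + 26 + 32 symbols = 94.
const CLASSES = [
  { re: /[0-9]/, size: 10 },
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[^0-9a-zA-Z]/, size: 32 }, // assumption: anything else counts as an ASCII symbol
];

// Guess rates quoted on the page: unsalted MD5 on a GPU vs bcrypt at cost 12.
const RATES = { md5: 100e9, bcrypt12: 100 };
const SECONDS_PER_YEAR = 31557600;

function charsetSize(password) {
  return CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
}

// entropy = length * log2(charset_size). Upper bound: assumes each character
// was picked uniformly at random, which human-chosen passwords are not.
function entropyBits(password) {
  const size = charsetSize(password);
  // Spread into code points so a surrogate pair counts as one character.
  return size === 0 ? 0 : [...password].length * Math.log2(size);
}

// Seconds to exhaust the whole keyspace (2^bits guesses) at a given rate.
function crackSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond;
}

// Bands taken from the strength table above.
function strength(bits) {
  const bands = [[28, "Very Weak"], [36, "Weak"], [60, "Moderate"],
                 [80, "Strong"], [100, "Very Strong"]];
  const hit = bands.find(([limit]) => bits < limit);
  return hit ? hit[1] : "Extreme";
}

function report(password) {
  const bits = entropyBits(password);
  return {
    bits: Number(bits.toFixed(1)),
    strength: strength(bits),
    md5Years: crackSeconds(bits, RATES.md5) / SECONDS_PER_YEAR,
    bcryptYears: crackSeconds(bits, RATES.bcrypt12) / SECONDS_PER_YEAR,
  };
}

// Constructed samples: 20 random lowercase letters vs 10 mixed characters with symbols.
for (const pw of ["qzjvxkwmplrtbnhgdsfy", "K#9mP$vL2@"]) console.log(pw, report(pw));
```

The two sample passwords show the length-versus-complexity comparison from the paragraph above, and the `bcryptYears` field shows how much the storage hash changes the estimate for the same password.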
No. All analysis runs entirely in your browser. Your password never leaves your device and is never sent to any server. You can disconnect from the internet and the tool still works.
Length is the single biggest factor. A 16-character password using only lowercase letters has more entropy than an 8-character password with all character types. Aim for 12+ characters minimum, avoid dictionary words or patterns, and use a mix of character types for maximum entropy.
Entropy measures unpredictability in bits. It's calculated from the character set size and password length. Every additional bit of entropy doubles the work an attacker needs to do. 70 bits means roughly 1 sextillion possible combinations — at 100 billion guesses/second, that's about 317 years.
Crack time depends on the attack method and hash type. Against MD5 (weak), a modern GPU tests ~100 billion passwords/second. Against bcrypt with a cost factor of 12 (used by most secure apps), that drops to ~100 passwords/second — making the same password billions of times harder to crack.
No — this tool only evaluates entropy and estimated crack time. It doesn't query breach databases. If you want to check whether a password has appeared in a known breach, use HaveIBeenPwned separately after checking strength here.
60+ bits for general accounts, 70+ bits for important accounts like email or banking, 80+ bits for critical systems or anything with financial access. The difference between 60 and 80 bits is roughly 1 million times harder to crack.
Usually yes. "correct-horse-battery-staple" (four random words, ~44 bits per word from a 7,776-word list) has ~88 bits of entropy and is far easier to remember than "P@ssw0rd!2024" which has far less. The key word is random — a passphrase of predictable words like "ilovemydog2024" is still weak.