Free Password Entropy Estimator | Secure & Private

Password Entropy Estimator

Password

Entropy (bits)

72.1

Character Pool

Strength

Strong

Strong — 72 bits

🔒 Privacy Protected

Your data is processed locally and never sent to any server.

FAQ

Keywords

password entropy estimatorgeneratorlocal processingprivacyfree online tool

How it works

Password entropy measures how unpredictable a password is — specifically, how many guesses an attacker would need to crack it by brute force. A high-entropy password isn't just "strong-looking"; it genuinely requires exponential time to find through systematic search. The Password Entropy Estimator calculates bits of entropy based on character set size and password length, and also identifies patterns that reduce entropy below its theoretical maximum.

**The entropy formula** Entropy (bits) = log₂(character_set_size^length) = length × log₂(character_set_size).

Character set sizes: digits only (0-9) = 10; lowercase only = 26; lowercase + uppercase = 52; alphanumeric = 62; alphanumeric + symbols = 95; full printable ASCII = 95.

A 12-character alphanumeric password: 12 × log₂(62) = 12 × 5.954 = 71.4 bits. A 12-character password using only lowercase: 12 × log₂(26) = 12 × 4.7 = 56.5 bits.

**Pattern penalties** Theoretical entropy assumes random selection from the full character set. Real passwords have patterns that reduce effective entropy: substitutions (p@ssw0rd has fewer unique patterns than random), dictionary words, keyboard walks (qwerty, 123456), repeated characters, and names. The estimator detects and reports common patterns, adjusting the effective entropy estimate downward.

**Cracking time estimates** With a 1 billion guesses/second attack (modern GPU array): 71.4 bits = 2⁷¹·⁴ / 10⁹ ≈ 3 × 10¹² seconds ≈ 95,000 years. With 128 bits: 2¹²⁸ / 10⁹ ≈ 10²⁹ years — longer than the age of the universe. 90+ bits is practically uncrackable by brute force; 60–80 bits is sufficient for most purposes; below 50 bits is insecure for any important account.

**Passphrase entropy** Random word passphrases from a 2048-word list (e.g., Diceware): 4 words = 4 × log₂(2048) = 4 × 11 = 44 bits. 6 words = 66 bits. 5 random words from a 7776-word list = 64.6 bits — memorable and secure.

Privacy: passwords are never transmitted. All analysis runs locally in your browser.

Frequently Asked Questions

How long would it take to crack a password with 70 bits of entropy?

Cracking time depends on the attacker's resources. A dedicated GPU cluster (e.g., 100 RTX 4090 GPUs running 8 billion MD5 guesses/second each = 800 billion/sec): 2⁷⁰ / (8 × 10¹¹) ≈ 1.5 × 10⁹ seconds ≈ 47 years. However, passwords aren't typically stored as raw MD5 — bcrypt (cost 12) limits attackers to ~50,000 guesses/second per GPU: 2⁷⁰ / 50,000 ≈ 2.9 × 10¹³ years. Password hashing algorithm matters enormously — SHA-256 without salt is 1000× faster to attack than bcrypt.

What is the difference between entropy and password strength indicators?

Password strength indicators (weak/medium/strong) are typically based on character class rules (has uppercase, has digits, has symbols) — not entropy. A password like 'Summer2024!' scores 'strong' in many indicators but has low effective entropy (~35 bits) because it follows a predictable pattern (season + year + symbol). True entropy calculation accounts for character set diversity AND length. A 20-character random lowercase string has higher entropy (~94 bits) than 'Summer2024!' despite fewer character classes.

Is a longer password always better than a more complex one?

Yes — length has a larger impact on entropy than complexity for the same password generator. Adding one more character from a 62-character set (alphanumeric) adds log₂(62) ≈ 5.95 bits. Adding a character class (going from 26 to 52 characters) only adds log₂(52) − log₂(26) = 1 bit for each existing character position. A 16-character lowercase password (75 bits) is stronger than a 12-character alphanumeric+symbols password (72 bits). This is why passphrase advocates (5–7 random words = 64–84 bits) argue for longer, simpler passwords over shorter, complex ones.

Why does the estimator sometimes show lower entropy than the formula suggests?

The estimator applies pattern detection to reduce the theoretical entropy estimate when common patterns are found: dictionary words reduce entropy by approximately log₂(word_count); sequential characters (abc, 123) reduce it by assuming the attacker tests all runs of n consecutive characters; keyboard walks (qwerty, zxcv) are in every password dictionary; year patterns (2020–2029) reduce entropy by log₂(10); common substitutions (@=a, 0=o, 3=e) are in cracking rule sets and do not add effective entropy. The gap between theoretical and effective entropy is often 20–40 bits for typical human-chosen passwords.