Password Strength Checker

Type a password to estimate its entropy in bits, see a strength rating, and an approximate brute-force crack time. Everything is checked in your browser — nothing is uploaded.

🔒 Checked locally — never sent anywhere. Don't paste a password you currently use in shared/public devices.

Type a password to check its strength.

The entropy formula

Password strength is measured in bits of entropy — how many guesses, on average, a brute-force attacker would need. It depends on the size of the character pool and the length:

entropy = length × log2(pool size)

The pool grows as you add character types: 26 for lowercase, +26 uppercase, +10 digits, +~32 symbols, up to about 94 printable characters. Every extra character multiplies the number of possibilities, so length matters far more than complexity.

Worked example

A 12-character password using lowercase, uppercase and digits (pool 62):

Per character: log₂(62) ≈ 5.95 bits.
Total entropy: 12 × 5.95 ≈ 71 bits.
Crack time: at 10 billion guesses/sec, ~10⁹ years — strong.

What really matters

This estimate assumes a random password. Real passwords based on dictionary words, names, keyboard patterns or simple substitutions (like Tr0ub4dour) are far weaker than their entropy suggests, because attackers try those first. The strongest, most usable approach is a long random passphrase or a password manager generating unique random passwords per site.

Tip: follow current guidance (NIST SP 800-63B): favor length, allow all characters, and don't reuse passwords. Generate strong ones with the password generator.

Frequently asked questions

How is password strength measured?

In bits of entropy: length × log₂(pool size), where the pool is the number of possible characters. More length and more character types mean more entropy and a longer time to crack.

How many bits is a strong password?

As a rough guide, under 40 bits is weak, 40–60 is moderate, 60–80 is strong and over 80 is very strong. A 12-character mixed-case password with digits is around 71 bits.

Is this checker safe to use?

Yes. The password is analyzed entirely in your browser with JavaScript — nothing is sent to a server, logged or stored. Still, avoid typing a live password on a shared or public computer.

Why are 'complex' passwords sometimes weak?

Because the entropy formula assumes randomness. Patterns like Tr0ub4dour are dictionary words with predictable substitutions, which attackers test first — so they're weaker than the raw bit count implies. Length and randomness beat clever substitutions.

MB
Mustafa Bilgic · Editor, Calcool
Entropy estimation follows length × log₂(pool). For modern password guidance see NIST SP 800-63B. The check runs entirely in your browser; nothing is transmitted or stored.

Related calculators

🔑 Password Generator🔢 Random Number Generator🔢 Hex to Decimal Converter🎲 Dice Roller