
Password Strength Checker

Entropy analysis · 3 attack scenarios · Character heatmap · Password generator · NIST compliance


How It Works

1. Analyze Your Password

Type or paste any password in the Analyzer tab. The character heatmap instantly color-codes each character and the strength ring fills as you type. All processing is local — your password never leaves your device.

2. Generate Strong Ones

Switch to the Generator tab to create a cryptographically random passphrase (4-8 words) or a random character password (8-64 chars). Use the separator chips and character type toggles to customize it.

3. Compare & Verify

In the Scenarios tab, compare up to 3 passwords side-by-side, view the entropy breakdown chart, see how long each attacker speed would take, and verify NIST SP 800-63B compliance.

Formulas & Methodology

Entropy Formula
H = L × log₂(P)
H = bits of entropy, L = length, P = character pool size
Crack Time
T = 2^H / speed
Assumes worst-case brute force; dictionary attacks are faster for common passwords
Passphrase Entropy
H = words × log₂(|wordlist|)
A 4-word passphrase from 1000 words = ~39.9 bits. 6 words = ~59.8 bits

Key Terms

Entropy
A measure of password randomness in bits. Each additional bit doubles the number of guesses required. Higher entropy = stronger password.
Character Pool
The total number of possible characters the password could use. Lowercase (26) + Uppercase (26) + Digits (10) + Symbols (32) = max pool of 94.
Brute Force Attack
Systematically trying every possible combination until the correct password is found. Time grows exponentially with length and pool size.
Dictionary Attack
Using precompiled lists of common passwords, words, and patterns. Much faster than brute force for predictable passwords.
Passphrase
A sequence of random words used as a password. Long passphrases achieve high entropy despite a smaller character pool due to extreme length.
NIST SP 800-63B
NIST guidelines for digital identity that recommend a minimum of 8 characters, allow all characters, prohibit complexity rules, and call for checking passwords against lists of breached passwords.

Worked Examples

password123
Lowercase (26) + Digits (10) = pool 36, length 11. Despite decent raw entropy, it appears in every dictionary attack list. Cracked in seconds.
~56.7 bits raw · Common pattern penalty → Very Weak
C@t$_R0ck!22
All 4 character types, pool 94, length 12. No common patterns. Brute force at 100B/s would take ~150,000 years.
~78.7 bits · Strong
correct-horse-battery-staple
4 random words + hyphens, pool 27, length 28. Extreme length compensates for small pool. Centuries even on a nation-state botnet.
~133 bits · Excellent
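
The entropy, passphrase and crack-time formulas above, applied to the second worked example, as an added JavaScript example (not the calculator's own code). The pool sizes and attacker speeds are the ones this page states; the function names and the three-entry COMMON list are assumptions constructed for illustration.

```javascript
// Pool sizes per character class, as listed under "Character Pool".
const CLASSES = [
  { size: 26, re: /[a-z]/ },
  { size: 26, re: /[A-Z]/ },
  { size: 10, re: /[0-9]/ },
  { size: 32, re: /[!-\/:-@\[-`{-~]/ }, // the 32 printable ASCII symbols
];
// Guesses per second for the three attacker scenarios on this page.
const ATTACKERS = { laptop: 1e9, gpuCluster: 1e11, nationState: 1e13 };
// Constructed sample of a common-password list (assumption; real lists are far larger).
const COMMON = new Set(["password123", "qwerty", "letmein"]);
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// P: sum of the sizes of every character class present in the password.
function poolSize(password) {
  return CLASSES.reduce((p, c) => (c.re.test(password) ? p + c.size : p), 0);
}

// H = L × log2(P). An upper bound: it holds only if each character was picked at random.
function charEntropyBits(password) {
  const pool = poolSize(password);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// H = words × log2(|wordlist|), for words drawn independently and uniformly.
function passphraseEntropyBits(words, wordlistSize) {
  return words * Math.log2(wordlistSize);
}

// T = 2^H / speed, converted from seconds to years (worst case: full search).
function crackYears(bits, guessesPerSecond) {
  return 2 ** bits / guessesPerSecond / SECONDS_PER_YEAR;
}

function analyze(password) {
  const bits = charEntropyBits(password);
  const years = {};
  for (const [name, speed] of Object.entries(ATTACKERS)) years[name] = crackYears(bits, speed);
  // A listed password falls to a dictionary attack whatever its raw entropy says.
  return { pool: poolSize(password), bits, years, common: COMMON.has(password.toLowerCase()) };
}

const strong = analyze("C@t$_R0ck!22");
console.log(strong.pool, strong.bits.toFixed(1), Math.round(strong.years.gpuCluster));
console.log(analyze("password123").common, passphraseEntropyBits(4, 1000).toFixed(1));
```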

Password Security in the Modern Era

In a world where data breaches expose billions of credentials every year, password strength is not an abstract concept — it is the front line of personal cybersecurity. A weak password is the digital equivalent of leaving your front door unlocked.

Why Password Strength Matters

Every online account you own is protected by a password, and attackers have become extraordinarily efficient at cracking weak ones. Modern graphics processing units can attempt hundreds of billions of password hashes per second, meaning a short or predictable password can be broken in the time it takes to brew a cup of coffee. The consequences of a compromised password range from identity theft and financial fraud to unauthorized access to corporate networks.

How Entropy Works

Entropy is the mathematical backbone of password strength measurement. Expressed in bits, entropy quantifies how unpredictable a password is by calculating the total number of possible combinations. A password with 40 bits of entropy has roughly one trillion possible combinations, while one with 80 bits has over a sextillion. Each additional bit doubles the difficulty for an attacker — this is why even small increases in password length can make an outsized difference.

Brute Force vs Dictionary Attacks

Brute-force attacks try every possible combination systematically. Dictionary attacks leverage lists of common passwords, leaked credentials, and predictable patterns to skip directly to the most likely candidates. A password like "Summer2024!" may look complex but follows a common pattern that dictionary attacks find almost instantly. True security requires randomness that defies pattern recognition.

The Passphrase Advantage

Stringing together four or more random, unrelated words creates a passphrase that achieves high entropy while remaining memorable. "correct-horse-battery-staple" achieves over 130 bits despite a small character pool because its extreme length generates an astronomically large number of combinations. Passphrases are easier to type and remember than random character strings.
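
One way to pick the random words without bias, as an added example (not this tool's generator code): indexes come from the Web Crypto CSPRNG and are rejection-sampled so that no word is more likely than another. The 16-word list, the function names and the Node.js fallback are assumptions made for illustration.

```javascript
// Constructed 16-word list for illustration only; a real generator needs thousands of words.
const WORDS = ["amber", "bison", "cedar", "delta", "ember", "fjord", "grove", "heron",
               "ivory", "jetty", "koala", "lotus", "maple", "nylon", "otter", "prism"];

// Web Crypto CSPRNG: global in browsers and current Node.js; older Node exposes it via require.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Uniform integer in [0, n) by rejection sampling: values in the uneven tail of the
// 32-bit range are discarded so that `% n` cannot favour low indexes (modulo bias).
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError("bad n");
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Draws `count` words independently; the reported bits follow words × log2(|wordlist|).
function generatePassphrase(count, separator = "-", wordlist = WORDS) {
  if (count < 4 || count > 8) throw new RangeError("count must be 4-8 words");
  const picked = [];
  for (let i = 0; i < count; i++) picked.push(wordlist[uniformIndex(wordlist.length)]);
  return {
    passphrase: picked.join(separator),
    bits: count * Math.log2(wordlist.length),
  };
}

console.log(generatePassphrase(4));
```

With this 16-word sample list each word contributes only 4 bits, so the entropy of a passphrase depends on the size of the list the words are drawn from, not on how long the result looks.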

Password Managers

Modern life demands dozens or hundreds of unique, complex passwords. Password managers solve this by generating and storing strong random passwords for every account behind a single master password. The master password should be a strong passphrase. Reputable password managers encrypt your vault, making them far safer than reusing passwords across sites.

The Future of Authentication

The industry is moving toward passwordless authentication through passkeys, which use public-key cryptography to eliminate passwords entirely. Until passwordless authentication becomes universal, strong passwords combined with two-factor authentication remain the gold standard for protecting your digital life.

Frequently Asked Questions

What makes a strong password?

A strong password combines length with complexity. Use at least 12 characters mixing uppercase letters, lowercase letters, numbers, and symbols. Passphrases of 4 or more random words separated by symbols are even stronger because they achieve high entropy while remaining memorable. Avoid dictionary words, personal information, and common substitutions like "@" for "a".

How is password entropy calculated?

Entropy (bits) = log₂(Pool Size) × Password Length. The pool size is the total number of possible characters based on character types used. For example, lowercase (26) + digits (10) = pool of 36. Each character then contributes log₂(36) ≈ 5.17 bits. A 12-character password with all 4 types (pool=94) achieves 12 × 6.55 ≈ 78.7 bits.

What entropy score should I aim for?

For most purposes, 60 bits of entropy is considered strong. 80+ bits is very strong and would take centuries to crack with current technology even on a GPU cluster. For high-value accounts (banking, email, password manager master password), aim for 80–120 bits. A 16-character password using all character types achieves roughly 105 bits.

How long would it take to crack my password?

Crack time depends on entropy and attacker hardware. A consumer laptop (1B guesses/sec), GPU cluster (100B/sec), and nation-state botnet (10T/sec) give very different estimates. At 100B/sec, an 80-bit entropy password takes ~380 million years. These estimates assume brute force; dictionary attacks are much faster for common passwords, which is why this tool flags common patterns.

Is my password stored or transmitted anywhere?

No. This calculator runs entirely in your browser using JavaScript. Your password is never sent to any server, stored in any database, or transmitted over the network. All analysis and generation happens locally on your device. Generator settings (not passwords) are saved to localStorage for convenience. Passwords disappear when you close or refresh the page.