CompareYourSecurity ← Back to site

Password Entropy Calculator

Measure the real strength of any password in bits of entropy.

Everything runs in your browser. Nothing you type is stored, logged, or sent anywhere.
Entropy
0 bits
Character set size0
Keyspace (combinations)0
Online attack (100/sec)
Offline fast hash (10B/sec)
Offline slow hash (10k/sec)

Entropy assumes each character is independent. Real-world dictionary passwords may be weaker than the math suggests.

Want a professional to double-check?

Get a free, no-obligation home security assessment.

Get a free quote

What is password entropy?

Entropy is a measure of how unpredictable a password is, expressed in bits. Each additional bit doubles the number of guesses an attacker must make, so entropy is the single best mathematical gauge of password strength. This free password entropy calculator estimates entropy from your password's length and the size of its character set (lowercase adds 26 possibilities per position, uppercase another 26, digits 10, symbols about 33), then shows the full "keyspace" — the total number of possible combinations — and how long that would take to crack under three realistic attack speeds.

The three scenarios matter because not all attacks are equal. An online attack against a login form is slow (throttling and lockouts). An offline attack on a fast-hashed leaked database can try billions per second, while a properly slow-hashed database (bcrypt, Argon2) drops that to thousands. As a benchmark, aim for 70+ bits of entropy for important accounts and 100+ for anything critical. Note that dictionary words and predictable patterns lower real-world strength below the raw math, so favor random passwords or passphrases. Everything is calculated locally in your browser and never sent anywhere.

Frequently asked questions

How many bits of entropy is 'strong'?
As a rule of thumb: under 40 bits is weak, 40–70 is moderate, 70–100 is strong, and 100+ is excellent for critical accounts. Each extra bit doubles the attacker's work.
Why show three different crack times?
Attack speed depends on the target. Online logins are throttled (~100 guesses/sec), fast-hashed leaked databases allow billions/sec, and slow-hashed ones (bcrypt/Argon2) allow only thousands/sec. The gap shows why how a site stores passwords matters.
Does entropy tell the whole story?
No. The math assumes random, independent characters. Real passwords built from dictionary words or patterns are weaker than their raw entropy suggests, which is why truly random passwords or passphrases are best.
Is my input stored or sent anywhere?
No. The calculation runs entirely in your browser. Nothing you type is stored, logged, or transmitted.

Embed this free tool on your site

Copy and paste this snippet anywhere. It's free to use with attribution.

100% client-side · no tracking · no data leaves your device.
Estimates are for guidance only. Replace this footer with your brand.