Password Strength Analyser

Estimate brute-force crack time and entropy

Enter a password to see an estimated brute-force crack duration, entropy, and a simple score — computed locally

Last updated: January 24, 2026

CreatorFrank Zhao

Password

Brute-Force Crack Time

Instantly

Length

Entropy

0 bits

Charset

Score

0 / 100

Note: This tool uses a brute-force model and does not account for dictionary attacks or common password lists (e.g., "123456"). For real-world security, use long, complex, and unique passwords.

This guide explains what password strength means in practice, how to use the analyser, and how the estimate is calculated. The tool models a brute-force attacker (trying every possible combination) and reports an estimated crack time, entropy, and a score.

→Introduction / overview
→How to use / quick start
→Real-world examples
→Common scenarios
→Tips & best practices
→Calculation method / formulas
→Related concepts
→Frequently asked questions
→Limitations & disclaimers
→External references

Introduction / overview

A password is “strong” when it stays safe even if someone tries to guess it at scale. This analyser focuses on one of the most important components: the size of the search space. If your password is made from a large character set and is long enough, the number of possibilities grows extremely fast.

Good mental model: every extra character multiplies the attacker’s work by the size of your character set.

Who is this for?

Developers validating password rules (min length, required character types).
Security-conscious users who want a quick sanity check before reusing a password.
Teams writing documentation or onboarding checklists for account security.

If you are working with hashes, pairing this tool with our Bcrypt page is a practical next step, and if you need locally-generated secrets you may also like Token Generator.

How to use / quick start

Type or paste your password

The analyser does not send your password to any server. Results update instantly as you type.

Read the crack time estimate

This is the estimated time for a brute-force attacker to guess your password on average.

Check entropy and character set size

Entropy grows with both length and the character set (lowercase/uppercase/digits/symbols).

Use the score as a quick signal

The score normalizes entropy onto a 0–100 scale (128 bits maps to 100). Aim higher for important accounts.

Worked example (simple)

Suppose your password is "123". The analyser sees a digit-only character set, so $N = 10$ and $L = 3$ . Entropy is:

H = L\,\log_2(N)

=

3\,\log_2(10)

\approx

9.97\ \text{bits}

The score is normalized against $128\ \text{bits}$ : $\text{Score} \approx 100\cdot H/128$ . That’s why a very short numeric password lands in single digits.

Worked example (stronger)

Take "CorrectHorseBatteryStaple" (letters only). The analyser uses $N = 52$ (lowercase + uppercase) and length $L = 25$ . The entropy becomes:

H = 25\,\log_2(52) \approx 142.5\ \text{bits}

That pushes the score to the cap (100/100). In real-world security, long passphrases are often easier to remember than short “complex” strings.

Real-world examples / use cases

Setting a minimum password policy

You want a baseline rule for a consumer app signup flow.

Input: Try L = 12 with letters + digits (N ≈ 62).

H = 12\,\log_2(62) \approx 71.5\ \text{bits}

How to use it: Use this as a starting point, then raise the bar for admin accounts.

Evaluating secrets for API keys

You are generating API keys and want to sanity-check length and character set.

Input: A 32-char token using letters + digits + symbols (N ≈ 95).

H = 32\,\log_2(95) \approx 210\ \text{bits}

How to use it: If you need to generate one, use our Token Generator to produce a long random secret. Token Generator

Auditing a reused “workhorse” password

You suspect a password you reuse is shorter than it should be.

Input: Example: 8 chars, lowercase only (N = 26).

H = 8\,\log_2(26) \approx 37.6\ \text{bits}

How to use it: For important accounts, switch to a longer passphrase and use a password manager.

Explaining why length beats “leet” tricks

Someone replaces letters with symbols and assumes it is secure.

Input: Compare 10 letters-only vs. 14 letters-only.

\Delta H = 4\,\log_2(52) \approx 22.8\ \text{bits}

How to use it: Adding length is a predictable win; “clever” substitutions are often caught by dictionaries.

Common scenarios / when to use

Before enabling 2FA

Check that your password is already strong; 2FA is best as a second layer, not a replacement.

Choosing a passphrase length

Test 16–24 character passphrases to see how quickly strength ramps up.

Rotating service credentials

When you rotate secrets, verify new keys are long and random enough.

Comparing “complexity rules”

See whether forcing symbols helps less than simply requiring more length.

Sanity-checking legacy passwords

Old habits often create short passwords; use this to prioritize what to change first.

Writing onboarding guidance

Use the numbers to justify guidelines in security docs without sounding hand-wavy.

When it may not apply

If attackers can try only a few guesses (e.g., strict lockout), real crack time may be longer.
If your password is a common word or pattern, dictionary attacks can be much faster than brute force.
If the password has been leaked before, strength does not matter—replace it immediately.

Tips & best practices

Pro tip: If you want strong passwords without mental overhead, use a password manager and let it generate long random strings.

Practical checklist

Prefer length first: add characters before adding complexity rules.
Avoid patterns (keyboard walks, dates, names) even if they look “mixed”.
Use unique passwords per site; reuse makes the weakest site the single point of failure.
For high-value accounts, pair a strong password with 2FA and recovery codes.

Working on storage and hashing? Use Bcrypt to understand the difference between a strong password and a properly hashed password.

Calculation method / formula explanation

1) Character set size

The analyser detects which character categories appear in your password and builds a character set size $N$ . A simple model is:

N = 26\,[a\! -\! z] + 26\,[A\! -\! Z] + 10\,[0\! -\! 9] + 33\,[\text{symbols}]

This is an approximation, but it’s a solid way to compare “digits-only” vs. “mixed characters”.

2) Entropy

Entropy estimates how much uncertainty your password has under the brute-force model:

H = L\,\log_2(N)

Where $L$ is length and $N$ is the character set size.

3) Crack time

For brute force, the number of possibilities is $N^L$ . On average, an attacker needs about half of them:

G \approx \frac{N^L}{2}

With an assumed guess rate $r$ (guesses per second), the expected time is:

t = \frac{G}{r}

=

\frac{N^L}{2r}

4) Score

The score maps entropy to a 0–100 scale using a 128-bit “excellent” reference point:

\text{Score} = \min\left(100,\ \mathrm{round}\left(100\cdot\frac{H}{128}\right)\right)

Related concepts / background

Entropy vs. real-world attacks

Entropy is useful for comparing choices, but it does not cover everything. Real attackers often use dictionary attacks, leaked password lists, and pattern-based guessing. That means a “clever-looking” password can crack quickly if it is based on common words.

Online vs. offline guessing

Online systems can rate-limit attempts, while offline attacks (stolen password hashes) can be much faster. The best defense is a combination of strong passwords and strong hashing (e.g., bcrypt with appropriate cost).

To explore hashing behavior, see Hash Text and Bcrypt.

Frequently asked questions (FAQs)

Does this tool upload my password?

No. The calculation runs locally in your browser. Avoid sharing real passwords in screenshots or URLs.

Why can a long passphrase be stronger than a short complex password?

Because entropy scales with length: $H = L\,\log_2(N)$ . Increasing $L$ is a reliable multiplier.

Is the crack time accurate?

It is an estimate under a simple brute-force model. Real crack times can be faster (dictionary attacks) or slower (rate limits).

What score should I aim for?

For important accounts, aim for a score that implies high entropy (ideally approaching the 100/100 cap). For low-risk logins, lower can be acceptable if you use 2FA and uniqueness.

Does adding symbols always help?

It can increase N, but adding length often gives a bigger and more predictable gain.

What if my password includes non-ASCII characters?

This analyser uses a simplified character set model. Non-ASCII characters may not be represented perfectly in the charset size.

Limitations / disclaimers

This analyser is for education and quick comparisons. It is not a guarantee of real-world security.

Brute-force estimates do not model dictionary attacks or leaked-password checking.
Assumed guess rates vary wildly based on hashing algorithms, hardware, and rate limiting.
A strong password still needs safe storage (hashing + salting) on the server side.
This does not replace professional security review for high-risk systems.

External references / sources

NIST Digital Identity Guidelines (SP 800-63B)
External reading to deepen your understanding.
OWASP Authentication Cheat Sheet
External reading to deepen your understanding.
Have I Been Pwned? (checking leaked passwords)
External reading to deepen your understanding.

Related Calculators

Chronometer

Use a simple chronometer (stopwatch) to track elapsed time down to milliseconds. Runs locally in your browser.

Try Now

Email normalizer

Normalize email addresses to a standard format for easier comparison. Useful for deduplication and data cleaning. Runs locally in your browser.

Try Now

ETA calculator

Estimate the time needed to consume a total amount at a constant rate, and get an expected end time. Runs locally in your browser.

Try Now

JWT parser

Parse and decode your JSON Web Token (JWT) and display its content. All computation runs locally in your browser.

Try Now

MIME types

Know which file extensions are associated to a MIME type, and which MIME type is associated to a file extension. Includes a full MIME types table.

Try Now

Lorem ipsum generator

Generate random Lorem Ipsum placeholder text with customizable paragraphs, sentences, and word counts. Runs locally in your browser.

Try Now