Password entropy & crack-time calculator
See how much entropy a password has and roughly how long it would take to crack — based on its length, character set, and how fast an attacker can guess.
Enter a password length, choose which character types it uses, and pick an attacker speed scenario. The calculator works out entropy in bits and an estimated average time to crack, without you typing in an actual password.
Password entropy calculator inputs and results
How this calculator works
Entropy measures how many possible passwords exist within a given length and character set — the bigger the set and the longer the password, the more possibilities, and the more guesses an attacker would need on average. Each extra character type added (uppercase, digits, symbols) increases entropy more than each extra character of length does at typical password lengths, which is why mixing character types matters, but length still matters more once a password gets long enough.
Crack time then depends entirely on how fast an attacker can test guesses, which is set by how the password is stored and protected — not by the password itself. The same password can be practically uncrackable behind a slow, properly salted hash and rate-limited login, or fall in seconds against a fast offline attack on a poorly protected database. That's why this calculator asks you to pick an attacker speed scenario rather than assuming one fixed number.
About this tool
This tool is a free calculator. Inputs: password length, character set used (lowercase, uppercase, digits, symbols — any combination), and attacker guess speed scenario (fast offline hardware, slow offline hash, or rate-limited online login). Output: entropy in bits, and estimated average time to crack at the selected attacker speed. Formula basis: entropy is length multiplied by log base 2 of the character set size; crack time is half the total keyspace divided by guesses per second, representing the average case.
Frequently asked questions
How is password entropy calculated?
Entropy in bits is the password length multiplied by the base-2 logarithm of the character set size. A 12-character password using lowercase letters only draws from a 26-character set, giving roughly 56 bits. Adding uppercase, digits, and symbols expands the set size, and with it, entropy, even at the same length.
Why does crack time depend so much on attacker speed?
The same password can be effectively uncrackable or trivial to guess depending entirely on how fast an attacker can try guesses. A slow, properly salted hash like bcrypt or Argon2 might allow only thousands of guesses per second even on capable hardware, while a fast, unsalted or poorly hashed password store can allow billions per second. Rate-limited online logins are slower still, often limited to a handful of attempts per minute by design.
Why does the calculator use half the total keyspace, not the full keyspace?
An attacker doesn't need to try every possible combination — on average, they'll find the correct one after searching half the keyspace, assuming a brute-force search with no shortcuts. This calculator reports that average case rather than the worst case, which is the standard way crack-time estimates are usually presented.
Does this account for dictionary attacks or known password patterns?
No. This is a pure brute-force entropy calculation, which assumes the password is effectively random within its character set. Real-world passwords often follow predictable patterns — common words, keyboard walks, substituting "3" for "e" — which dictionary and pattern-based attacks exploit and which can make a password far weaker than its raw entropy suggests. Treat this as a best-case estimate for how strong a password could be, not a guarantee of how strong a specific password actually is.