Password policy strength calculator
Enter a password policy to see the minimum entropy it guarantees and how long it would take to crack at different attack speeds.
Results reflect the weakest password your policy allows — users pick the shortest, simplest password that satisfies the rules. Policy issues are flagged against NIST SP 800-63B guidance.
Policy calculator
Required character classes
Mandatory password rotation
Entropy
Charset size
26
Min entropy
—
Crack times (worst-case password)
Policy review
How this tool works
The minimum charset is the sum of characters in the classes the policy requires. Entropy is
computed as min_length × log₂(charset_size).
Crack times divide half the password space (the expected number of guesses to find the right
password) by the attack speed. The five speeds represent realistic scenarios from a slow online
login to a nation-state GPU cluster.
Note that this models the minimum entropy — the weakest password your policy permits. Users in practice choose passwords near that minimum. NIST SP 800-63B recommends prioritising length over character complexity, blocking known-breached passwords, and removing mandatory rotation.
About this tool
Enter a password policy's minimum length and character requirements, and this tool calculates the minimum entropy that policy guarantees. It shows estimated crack times across five attacker speeds — from a throttled online attack to a GPU cluster — and flags policy issues against NIST SP 800-63B guidance.
Frequently asked questions
What is password entropy?
Entropy (measured in bits) describes how hard a password is to guess. It's calculated as: length × log₂(character set size). A 10-character password using all 95 printable ASCII characters has 10 × 6.57 = 65.7 bits of entropy. The higher the bits, the more guesses are required to crack it.
Why does this calculate minimum entropy, not average entropy?
Users pick the shortest, simplest password that satisfies the policy — so the minimum length and minimum character set drive the worst-case (most crackable) password your policy allows. Average entropy assumes random character selection, which real users never do.
What does NIST say about rotation and complexity rules?
NIST SP 800-63B (the US federal password guidance, widely adopted globally) recommends against mandatory rotation unless there is evidence of compromise, and against overly complex composition rules (requiring uppercase, symbols, etc.). The reasoning: rotation causes users to pick predictable patterns ("Password1!" → "Password2!"), and complexity rules often make passwords harder to remember without making them harder to guess. Length is far more effective than complexity.
How are crack times calculated?
For each attack speed, the tool divides half the password space (the expected number of guesses before finding the password) by the guesses-per-second rate. The five speeds cover: a throttled online login, an unthrottled online attack, an offline attack on a slow hash (bcrypt/Argon2), an offline attack on a fast hash (MD5/SHA1), and a nation-state GPU cluster.