Password Entropy Calculator
Estimate how strong a random password is: enter its length and character sets to get entropy in bits, a strength rating, and a rough brute-force crack time.
Reviewed by the CalcCafe editorial team · Last updated 1 July 2026 · How we test our tools
Example
A 12-character password that mixes lowercase, uppercase, digits, and symbols draws from a pool of 94 characters. Its entropy is 12 × log₂(94) ≈ 78.7 bits, which rates as Strong. At 10 billion guesses per second, brute-forcing every combination would take on the order of 1.5 million years — though that only holds if the password is genuinely random.
How it works
The character pool is the sum of each enabled set: 26 for lowercase, 26 for uppercase, 10 for digits, and 32 for symbols. Entropy in bits = length × log₂(pool). The number of possible passwords (guesses) = 2^entropy, and estimated crack time = guesses ÷ 10,000,000,000 guesses per second. More length and more character types both raise entropy, but length has the larger effect.
Good to know
Entropy is the standard way to talk about password strength because it captures a single idea: how many equally likely passwords an attacker would have to sift through. Each bit doubles that space, so going from 40 to 41 bits doubles the work, and from 40 to 50 bits multiplies it by about a thousand. That is why the headline number here is bits rather than a vague "weak/strong" badge — the rating is just a friendly label wrapped around the math.
The estimate assumes the best case for you and the worst case for an attacker: a password chosen uniformly at random from the selected character sets. Real passwords rarely meet that bar. Anything based on words, names, dates, keyboard walks, or a leaked-then-reused string can be cracked in a tiny fraction of the time shown, because attackers try those patterns first. Treat the crack time as a ceiling for random passwords, not a promise for the one you actually picked.
The 10-billion-guesses-per-second rate models a well-funded offline attack against fast or poorly protected password hashes. A properly salted, slow hash such as bcrypt or Argon2 slashes that rate by many orders of magnitude, while online login rate limits make brute force practically impossible for even modest passwords. So the same entropy can be wildly over- or under-protected depending on how the site stores it.
Practical takeaways: prefer length over exotic symbols, use a password manager to generate and store long random strings, and switch on multi-factor authentication. A 16-character random password or a multi-word passphrase clears most real-world threats with room to spare.
Frequently asked questions
What is a good number of bits of entropy for a password?
As a rough guide, under 28 bits is very weak, 60 bits is reasonable for everyday accounts, and 80 bits or more is comfortably strong against offline brute force. For high-value accounts, aim for 100+ bits, which typically means a 16-character random password or a multi-word passphrase.
Does higher entropy always mean my password is safe?
No. Entropy only measures the size of the search space for a truly random password. If your password is a dictionary word, a name, a date, or reused from another site, attackers guess it far faster than the bits imply. Entropy is a ceiling, not a guarantee.
Is my data uploaded anywhere?
No — this calculator runs entirely in your browser. Your inputs never leave your device, and it works offline once loaded. It does not send, store, or log any password you type.
Is this calculator free?
Yes, completely free with no sign-up and no limits.
People also ask
How is password entropy calculated?
Multiply the password length by the base-2 logarithm of the character pool size. The pool is the total number of possible characters — for example 94 if you use lowercase, uppercase, digits, and symbols. A 12-character password from that pool has 12 × log₂(94) ≈ 78.7 bits.
Is a longer password or a more complex one stronger?
Length usually wins. Adding one character multiplies the search space by the whole pool size, while adding a character type only nudges the per-character log up. A long all-lowercase passphrase often beats a short password stuffed with symbols.
How long would it take to crack a 12-character password?
For a truly random 12-character password using all four character sets, brute force at 10 billion guesses per second would take on the order of a million years. Reused or predictable passwords, however, can fall in seconds regardless of length.
Related calculators
Sources & references
These tools follow our methodology and provide educational estimates only — verify important figures with a qualified professional.