Password Strength Calculator

Field	Value	Comment	Copy
{{ row.label }}	{{ row.value }}	{{ row.comment }}

Machine	Rate (guesses/s)	Estimated time	Copy
{{ c.machine }}	{{ c.rateDisplay }}	{{ c.time }}

Metric	Value	Copy
Entropy bits (log₂(charsetⁿ))	{{ entropyBits.toFixed(1) }}
Interpretation	{{ entropyComment }}

Password strength is the practical measure of how hard a guesser would find it to discover a secret in realistic time. People also say password quality, and many reports summarize it as entropy in bits. Entropy reflects the size of the character pool and the length, capturing how many combinations a brute‑force strategy must try.

You enter any password and receive a plain language score with supporting metrics and badges with export options. The engine profiles character classes and length then estimates entropy and checks a common wordlist to flag risky picks. It also models crack time at several attack speeds so you can compare protection across contexts and document results.

As one example, Grape!2025 mixes case, digits and a symbol, landing near 65.7 bits of entropy. That maps to roughly 18973 years on a typical desktop under brute force only within this model. Breaches, reuse or slow hashing can shift risk so treat these figures as directional guidance rather than ironclad guarantees in practice today.

Stronger outcomes come from length first, then variety used judiciously. Avoid short patterns, obvious sequences, or look‑alike years. Passphrases made of unrelated words can be memorable without being predictable, and adding a slow hashing factor helps you compare sites that harden verification with expensive key derivation functions. Check for repeats and dictionary hits before relying on a secret.

Technical Details:

The calculator evaluates password strength using a mix of heuristic scoring (0–4), an entropy estimate $begin:math:text$H = n \\log_{2} S$end:math:text$ from length $begin:math:text$n$end:math:text$ and inferred character‑set size $begin:math:text$S$end:math:text$, a dictionary check against a top 10k list, and brute‑force crack‑time projections at fixed guessing rates. Outputs include a description label, strength percent, entropy bits with interpretation bands, warnings, property rows, machine‑specific time estimates, and CSV or JSON exports. Assumptions include uniform random selection across the detected set, exhaustive search, and no prior knowledge. Computations are deterministic for identical inputs.

Processing Pipeline

Count length and character classes using regular expressions.
Sum character set size from present classes: digits, uppercase, lowercase, symbols.
Score strength by heuristics; cap at four.
Estimate entropy bits as n × log₂ S.
Generate warnings for short length, missing classes, runs, sequences, email, dates.
Look up a lowercase match in the 10k dictionary.
For each machine, compute lnSeconds = n ln S − ln rate.
Convert lnSeconds to minutes, hours, days, or years.
Apply user slowdown factor to rates; sanitize to at least one.
Assemble tables and JSON; enable copy and download.

Core Formula

\begin{array}{l} H & = & n \log_{2} S \\ H & = & n \frac{\ln_{} S}{\ln_{} 2} \end{array}

Symbols & Units

Symbols, meanings, and units
Symbol	Meaning	Unit/Datatype	Source
n	Password length	characters	Input
S	Character set size	count	Derived
H	Entropy	bits	Derived
rate	Guess rate after slowdown	guesses/s	Derived
slowdown	Hash slowdown factor	×	Input
lnSeconds	Natural log of seconds to crack	ln(s)	Derived
time	Displayed crack‑time	mins/hrs/days/yrs	Derived

Interpretation Bands (Entropy)

Entropy thresholds and labels
Threshold Band	Lower Bound	Upper Bound	Label
Very weak	0	< 40	Very weak
Weak	40	< 60	Weak
Reasonable	60	< 80	Reasonable
Strong	80	< 100	Strong
Very strong	100	∞	Very strong

Bands help you prioritize changes. If a value sits near a boundary, consider adding length or reducing predictable patterns before relying on the label.

Constants & Coefficients

Guess rates and logarithmic constants
Constant	Value	Unit	Source	Notes
Standard Desktop PC	1e8	guesses/s	Preset	Base estimate
Fast Desktop PC	4e8	guesses/s	Preset	Higher end
GPU	1e10	guesses/s	Preset	Single GPU
Fast GPU	3e10	guesses/s	Preset	Optimized
Parallel GPUs	1e12	guesses/s	Preset	Clustered
Medium‑size Botnet	1e13	guesses/s	Preset	Distributed
LN_MINUTE	ln(60)	ln(s)	Constant	Minute pivot
LN_HOUR	ln(3600)	ln(s)	Constant	Hour pivot
LN_DAY	ln(86400)	ln(s)	Constant	Day pivot
LN_YEAR	ln(31557600)	ln(s)	Constant	Year ≈ 365.25 days

Units, Precision & Rounding

Decimal separator is a dot.
Entropy displays to one decimal place.
Rates use SI suffixes; two decimals at K and above.
Durations round to nearest integer; 0.5 rounds up.
Extremely large years display as 10ⁿ years.

Validation & Bounds

Inputs, limits, and patterns
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Password	String	0	—	—	—	Type a password…
Hash slowdown factor	Number	1	—	Step 1	—	—

I/O Formats & Encoding

Inputs and outputs
Input	Accepted Families	Output	Encoding/Precision	Rounding
Password text	UTF‑8 string	Metrics, warnings, tables	Bits, guesses/s, time units	As above
Hash slowdown factor	Integer ≥ 1	Crack‑time scaling	Integer ×	Nearest integer
Exports	CSV, JSON	Clipboard/file	JSON indented 2 spaces	Exact values

Networking & Storage

Loads a 10k common‑passwords list on first use with cache preference.
All analysis runs on your device; no server calls for your input.
No local or session storage of your password.

Performance & Complexity

Character profiling and warnings are linear in password length.
Dictionary lookup is linear in list size (10k entries).
Crack‑time rows scale with the number of preset machines.

Security Considerations

Do not paste production passwords; use representative structures instead.
Dictionary fetch does not transmit your input.
Outputs are estimates under exhaustive brute force assumptions.

Worked Example

Input Grape!2025. Classes: uppercase, lowercase, digits, symbol. Length 10; inferred set size 95.

\begin{array}{l} H & = & 10 \log_{2} 95 \\ H & \approx & 65.7 bits \end{array}

Standard Desktop PC estimate: ≈ 18973 yrs; slowdown factor increases time proportionally.

Assumptions & Limitations

Entropy assumes independent, uniform character choices.
Brute force only; no targeted or hybrid attacks.
Character set size uses four coarse classes. Heads‑up
Non‑ASCII characters count as symbols, not distinct alphabets.
Dictionary list is 10k entries and may not include new leaks.
Year uses 31 557 600 s; calendar nuances are ignored.
Slowdown factor scales time only; it does not change entropy.
Heads‑up If the dictionary fetch fails, checks may report “Not found”.

Edge Cases & Error Sources

Leading/trailing spaces are trimmed before evaluation.
Empty input yields no results and zero entropy.
Very long inputs may be unwieldy to inspect, though evaluation remains linear.
Non‑ASCII graphemes count by code unit, not visual cluster.
Slowdown < 1 or non‑numeric is sanitized to 1.
Extremely small or large rates are clamped for display.
Massive times display using 10ⁿ yrs for readability.
Locale formatting may change raw rate titles but not calculations.

Privacy & Compliance

No data is transmitted or stored server‑side. A public dictionary file is fetched to enable common‑password detection; your input never leaves the page.

Step‑by‑Step Guide:

Follow these steps to assess and export results.

Type a candidate secret into Password.
Open Advanced and set Hash slowdown factor if you want slower KDF modeling.
Review strength, entropy, warnings, and crack‑time rows.
Switch tabs to inspect properties, entropy notes, or dictionary status.
Copy or download CSV/JSON for auditing or sharing.

Example: Use Grape!2025 and set slowdown to 100000 to see how estimates change.

Use the results to decide whether to lengthen, diversify, or replace the password.

FAQ:

Is my data stored?

No. Analysis runs in your browser, and your input is not sent anywhere. The common‑password list may be fetched to your cache for lookups.

How accurate are crack‑time estimates?

They reflect exhaustive brute force over the detected character set at preset guess rates. Slowdown scales those rates. Targeted attacks, reuse, and leaks can reduce real protection.

What units and formats are used?

Entropy is in bits. Guess rates are in guesses per second. Exports are CSV or JSON with two‑space indentation for readability.

Can I use it offline?

Yes, core analysis works offline. If the dictionary list was not cached earlier, the dictionary tab will skip matches until a connection is available.

Do I need an account?

No sign‑in is required, and nothing is tied to identity.

How many bits count as strong?

The Entropy tab labels 80–100 bits as strong and 100+ bits as very strong. Aim higher if secrets are long‑lived or high‑value.

Troubleshooting:

No dictionary status: connect once so the list can cache.
Clipboard blocked: allow paste permissions and retry copy actions.
Odd time units: extremely large estimates switch to powers of ten.
Spaces missing: leading and trailing spaces are trimmed on input.
Numbers look rounded: exports include exact numeric values where applicable.

If nothing appears after typing, ensure the input is not empty and disable extensions that rewrite page content.

Advanced Tips:

Tip Model slow verification by raising the slowdown factor to reflect costly key derivation.
Tip Prefer length increases before adding rarely typed symbols for everyday usability.
Tip Avoid sequences and keyboard runs; the detector flags basic patterns quickly.
Tip Check dictionary status before trusting “not found” on a fresh, offline page.
Tip Export JSON with context metrics to document reviews during migrations.

Glossary:

Entropy (H): Information measure in bits representing unpredictability.
Character set size (S): Total distinct symbols assumed available.
Brute force: Trying every possible combination until a match.
Dictionary check: Test against common passwords to flag weak choices.
Guess rate: Attempts per second by an attacker model.
Slowdown factor: Multiplier that reduces effective guess rate.
CSV / JSON: Portable export formats for analysis and audit.