Password Strength
{{ strengthDescription }}
{{ strengthPercent }} %
  • {{ row.label }} {{ row.value }} • {{ row.comment }}
  • {{ c.machine }} {{ c.time }}
{{ dictAlertText }}
  • Entropy bits {{ entropyBits.toFixed(1) }}
  • Interpretation {{ entropyComment }}
Categories: Calculator , Security
Export to PDF Fullscreen

Password strength expresses how resistant a secret string is to systematic guessing, brute-force enumeration, and dictionary reuse. It blends length, character-set diversity, and randomness into an entropy value measured in bits, then maps that metric onto human-readable safety bands such as “Weak” or “Strong”.

The calculator analyses the characters you type entirely in the browser. A lightweight reactive engine captures input, identifies character classes, computes entropy, benchmarks crack-time against typical hardware speeds, and flags common dictionary hits—all without server calls or cookies.

Use it before registering new accounts or rotating credentials at work; a quick check reveals whether adding two symbols and a digit turns a risky passphrase into a robust barrier. Avoid inspecting company or customer passwords on shared screens.

Technical Details:

Password entropy quantifies unpredictability. The core variables are string length (L) and character-set size (S). Higher values multiply search space exponentially, slowing exhaustive attacks and widening the gap between casual guesses and theoretical worst-case attempts.

H=L×log2(S)
  • L – number of characters typed.
  • S – distinct symbols available (digits 10, lowercase 26, uppercase 26, punctuation 32).
  • H – entropy bits representing search-space order.
Entropy (H)CategoryMeaning
< 40 bitsVery WeakRapidly breakable
40 – 59 bitsWeakLow-effort compromise
60 – 79 bitsReasonableResists casual attacks
80 – 99 bitsStrongSecure for most uses
≥ 100 bitsVery StrongImpractical to brute-force

Categories express the approximate resources required for compromise; moving up a band typically demands orders-of-magnitude more processing time.

Example (“Tr@nsp0rt-2025!”):

14=L 94=S H=14×log2(94)=91.6 bits

Category: Strong; a single high-end GPU would take roughly 300 million years to exhaust the space.

  • Assumes uniform character distribution.
  • Ignores attacker knowledge of personal data patterns.
  • Dictionary test covers 10 000 common strings only.
  • Crack speeds represent current consumer hardware; future advances shorten times.
  • Passwords longer than 128 characters may overflow legacy systems.
  • All-numeric strings achieve misleadingly high entropy if length is extreme.
  • Unicode emojis inflate S but many services disallow them.
  • Copy-paste errors insert hidden whitespace, skewing length counts.

Shannon’s 1948 information theory defines entropy foundations. NIST SP 800-63-3 and ANSSI’s 2023 guidelines inform threshold selection and dictionary sizing debates.

This methodology processes non-sensitive text entirely client-side and aligns with GDPR principles of data minimisation.

Step-by-Step Guide:

Follow these quick actions to gauge and improve a password.

  1. Type or paste your secret into the Password field.
  2. Read the headline rating and percentage ring for immediate feedback.
  3. Switch to Crack-time to compare hardware scenarios.
  4. Open Dictionary to confirm absence from common lists.
  5. Iterate length and character mix until the badge turns green; avoid predictable substitutions like 0 → O.

FAQ:

What defines a strong password?
At least 12 mixed-class characters with no dictionary words or personal data, yielding 80+ entropy bits.
Why do entropy bits matter?
Each additional bit doubles brute-force effort, offering a hardware-agnostic metric for comparing password quality across years.
How accurate are crack-time estimates?
Figures assume sustained offline attacks using current consumer hardware; targeted or future methods may differ.
Is my data stored?
No. All calculation happens locally in your browser and disappears when you close the page.
What is the dictionary check?
The tool compares your input against 10 000 commonly leaked passwords to warn against predictable choices.

Glossary:

Entropy (H)
Measure of unpredictability in bits.
Character Set (S)
Unique symbols available for use.
Brute Force
Exhaustive trial of every possible combination.
Dictionary Attack
Guessing from a list of common passwords.
Crack Rate
Guesses per second a machine can attempt.

No data is transmitted or stored server-side.

Embed this tool into your website using the following code: