Password Strength
Estimates assume exhaustive brute force over the inferred character set. Slow key-derivation functions can be simulated via the Advanced slowdown factor.

Introduction:

Passwords are secret phrases that prove identity and protect access. Strength describes how many guesses an attacker would need, so it signals practical resistance against trial attempts. Use a password entropy calculator to see how length and character variety change exposure.

Type a candidate string and read a plain description with an overall score, then review estimated crack time across machines with different guess rates. You can also set a slowdown factor to model slower hashing so estimates reflect hardened verification.

Results include entropy in bits, simple warnings about repeated or sequential characters, and a quick dictionary check for very common choices. A longer phrase with mixed character types typically raises entropy and pushes estimates upward, which is the goal for durable credentials.

A short or predictable string may still be weak even if it includes many character types, so interpret the warnings alongside the entropy figure. For safety, try examples rather than real account passwords and avoid sharing secrets during testing.

Technical Details:

Password strength is modeled as the size of the search space an attacker must explore. The key quantity is information content measured in bits of entropy, describing how many equally likely possibilities a password represents.

Entropy grows with length and with the effective character set used. If a password uses digits, uppercase and lowercase letters, and symbols, the set expands; the model treats each position as an independent draw from that set. Crack‑time estimates divide the total combinations by a chosen guess rate and can be scaled by a slowdown factor to reflect costly verification.

Results are summarized as a descriptive label and entropy ranges. Crossing a band edge moves the label from weak to strong, but values near boundaries should be read with caution because small changes in length or character mix can shift the outcome.

Comparisons assume random selection from the effective set and do not capture human patterns beyond basic checks for dictionary hits, repeats, sequences, email‑like forms, and dates. Use the figures to compare alternatives rather than to certify a secret.

$$H = n \log_2(S) = \log_2(S^n), \qquad T = \frac{S^n}{R}$$

Symbols and units

| Symbol | Meaning | Unit/Datatype | Source |
|---|---|---|---|
| n | Password length | characters | Input |
| S | Effective character set size | symbols | Derived |
| H | Entropy | bits | Derived |
| R | Guess rate (per machine) | guesses/s | Constant |
| T | Estimated exhaustive time | seconds or years | Derived |

Worked example. Consider Tr33s&Rain! with n = 11 using digits, uppercase and lowercase letters, and symbols, so S = 95.

$$H = 11 \log_2(95) \approx 72.3 \text{ bits}$$

For a GPU at $R = 10^{10}$ guesses/s,

$$T = \frac{95^{11}}{10^{10}} \approx 5.7 \times 10^{11} \text{ seconds} \approx 18{,}000 \text{ years}$$

Interpretation: entropy is in the “Reasonable” band; estimated time is far beyond practical attack windows for this rate.

Entropy interpretation bands

| Threshold band | Lower | Upper | Interpretation | Action cue |
|---|---|---|---|---|
| Very weak | 0 | < 40 | Easily guessed | Increase length and variety |
| Weak | 40 | < 60 | Low resistance | Add words or symbols |
| Reasonable | 60 | < 80 | Moderate resistance | Prefer longer phrases |
| Strong | 80 | < 100 | High resistance | Keep unique per site |
| Very strong | ≥ 100 | | Very high resistance | Still avoid reuse |
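
The model above, written out as an added JavaScript example (not the tool's own code): it infers S from the character categories present, computes H and T, applies the slowdown factor, and maps H to a band. The per-category sizes 10/26/26/33 are an assumption chosen to reproduce S = 95 from the worked example, and the dictionary is a constructed sample.

```javascript
// Added example: H = n*log2(S), T = S^n / R, as defined on this page.
// Category sizes are an assumption chosen so all four classes give S = 95.
const CATEGORIES = [
  { re: /[0-9]/, size: 10 },
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[^0-9a-zA-Z]/, size: 33 }, // symbols; non-ASCII counts as a generic symbol
];
// Lower bounds of the interpretation bands, highest first.
const BANDS = [[100, "Very strong"], [80, "Strong"], [60, "Reasonable"],
               [40, "Weak"], [0, "Very weak"]];
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Effective set S: sum of the sizes of every category present in the string.
function charsetSize(pw) {
  return CATEGORIES.reduce((s, c) => s + (c.re.test(pw) ? c.size : 0), 0);
}

// H = n * log2(S); spaces and every other character count toward n.
function entropyBits(pw) {
  const S = charsetSize(pw);
  return S > 0 ? [...pw].length * Math.log2(S) : 0;
}

function band(bits) {
  return BANDS.find(([lower]) => bits >= lower)[1];
}

// T = S^n / (R / slowdown): the slowdown factor changes time, never entropy.
function crackSeconds(pw, rate, slowdown = 1) {
  return Math.pow(2, entropyBits(pw)) / (rate / slowdown);
}

// dictionary: Set of lowercase common passwords (matching is case-insensitive).
function analyze(pw, { rate = 1e10, slowdown = 1, dictionary = new Set() } = {}) {
  const bits = entropyBits(pw);
  return {
    bits: Number(bits.toFixed(1)),
    band: band(bits),
    years: crackSeconds(pw, rate, slowdown) / SECONDS_PER_YEAR,
    dictionaryHit: dictionary.has(pw.toLowerCase()),
  };
}

// Constructed sample list standing in for the top-10k download.
const sample = new Set(["password123!", "qwerty"]);
console.log(analyze("Tr33s&Rain!"));                          // the page's worked example
console.log(analyze("Password123!", { dictionary: sample })); // high bits, yet a dictionary hit
console.log(analyze("12345678"));                             // all digits: S collapses to 10
```

Password123! lands in the same “Reasonable” band as the worked example while matching the sample list, which is why the warnings have to be read alongside the entropy figure.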

Variables & Parameters

Parameters

| Parameter | Meaning | Unit/Datatype | Typical range | Notes |
|---|---|---|---|---|
| Hash slowdown factor | Scales down guess rate to model costly verification | number | 1 to 10,000,000 | Neutral default 1; affects time only |

Units, Precision & Rounding

  • Entropy is rounded to one decimal place; decimal separator is a dot.
  • Rates display with SI suffixes K, M, G, T, P; stored as raw integers for CSV/JSON.
  • Durations show minutes, hours, days, years, or powers of ten for extreme values.

Validation & Bounds

Input fields and constraints

| Field | Type | Min | Max | Step/Pattern | Error text | Placeholder | Notes |
|---|---|---|---|---|---|---|---|
| Password | text | | | | | Type a password… | Eye toggle shows or hides characters |
| Hash slowdown factor | number | 1 | | step 1 | | | Applies to crack‑time calculations |

I/O Formats

Inputs and outputs

| Input | Accepted families | Output | Encoding/Precision | Rounding |
|---|---|---|---|---|
| Password string | Printable characters | Tables, warnings, entropy, crack‑times, JSON | Text, numeric, CSV/JSON exports | Entropy 1 decimal; times rounded to units |

Networking & Storage

  • One fetch retrieves a list of the top 10k common passwords; responses may be served from cache.
  • All analysis runs on the device; no password is transmitted or stored server‑side.
  • URL syncing is disabled until the first user interaction; sharing can be enabled afterward.

Performance & Determinism

  • Linear scan over characters for metrics and pattern checks.
  • Identical inputs yield identical outputs given the same slowdown and dictionary state.

Security Considerations

  • Avoid typing real account secrets; test with representative examples.
  • Copy and download actions require explicit user gestures.
  • Dictionary checks flag common choices but cannot prove safety.

Assumptions & Limitations

  • The effective character set is inferred from categories present, not exact per‑character distribution.
  • Positions are treated as independent; human patterns reduce true entropy.
  • Guess rates are presets; real attacker speeds vary by algorithm and hardware.
  • Slowdown factor models verification cost but not lockouts or rate limits.
  • Dictionary coverage is limited to a short list and case‑insensitive matching.
  • Warnings catch simple emails, dates, repeats, and sequences; many patterns remain undetected.
  • Very large estimates are displayed as powers of ten for readability.
  • Heads‑up: validity here does not certify an account’s safety; avoid reuse and enable multifactor.

Edge Cases & Error Sources

  • Leading or trailing spaces are counted as characters if included.
  • Non‑ASCII symbols are treated as generic symbols; categories are coarse.
  • Dictionary download can fail; checks fall back to “not loaded.”
  • Extremely long inputs may produce astronomically large times with limited precision.
  • All‑digit or all‑letter strings collapse the effective set and lower entropy sharply.
  • Sequential check may flag keyboard runs even within otherwise complex strings.
  • Email/date heuristics can produce false positives on look‑alike patterns.
  • Rounding to units can mask small differences near thresholds.
  • Copy/download may be blocked by clipboard or file permissions.
  • Changing slowdown mid‑comparison alters time figures without changing entropy.

Privacy & Compliance

No data is transmitted or stored server‑side; all computations occur in the browser. Avoid entering sensitive credentials from production accounts.

How‑to · Step‑by‑Step Guide

Password strength assessment estimates entropy and crack‑time to guide safer choices.

  1. Enter a candidate string in Password.
  2. Review the strength label, entropy bits, and quick warnings.
  3. Open Crack‑time to compare machines.
  4. Adjust Hash slowdown factor for slower verification.
  5. Inspect Properties for length and character mix.
  6. Use the CSV/JSON actions to capture results when needed.

Example: Add one word and a symbol to a short base, then recheck entropy; expect a notable increase.

Choose the variant that maximizes entropy while staying memorable and unique.

FAQ

Is my data stored?

No. Analysis runs locally and nothing is sent to a server. One network request retrieves a common‑password list.

Avoid testing real account passwords.

How accurate are crack times?

They model exhaustive search against an assumed rate. Real attacks vary by algorithm, hardware, and defenses like lockouts.

What units and formats are used?

Entropy is in bits with one decimal. Guess rates use SI suffixes. Times show minutes, hours, days, years, or powers of ten.

Can I work offline?

Yes for analysis. The dictionary check needs a prior successful download or it will report as not loaded.

What does a “borderline” result mean?

Values near a band edge may flip with small changes. Prefer longer phrases that push clearly into higher ranges.

How do I validate a CSR?

This tool assesses passwords only. It does not parse or validate certificate signing requests.

Does length alone guarantee safety?

Length helps, but predictable patterns and reuse still create risk. Use unique phrases and enable multifactor.

What does the slowdown factor change?

It scales time estimates by reducing the effective guess rate. It does not affect entropy or warnings.

Troubleshooting

  • No dictionary status: check connectivity or try again later.
  • Copy actions fail: grant clipboard permission or copy manually.
  • Download buttons do nothing: allow file downloads for this site.
  • Times show 10^k years: values are too large for exact display.
  • Share link not updating: interact with the page once to enable syncing.
  • Tooltips missing: your environment may not load them; analysis still works.

Advanced Tips

  • Tip: Favor multi‑word passphrases with one symbol and one digit.
  • Tip: Avoid keyboard runs like qwerty and simple sequences.
  • Tip: Replace predictable suffixes with internal separators or uncommon symbols.
  • Tip: Increase length first; complexity helps most after length is adequate.
  • Tip: Use a manager to keep each site unique and long.
  • Tip: Model slow verification by raising the slowdown factor during comparisons.

Glossary

Entropy (bits)
Information measure of unpredictability.
Effective character set
Symbols actually used across categories.
Guess rate
Number of trials per second by an attacker.
Slowdown factor
Multiplier that reduces the modeled rate.
Brute force
Systematic search across all candidates.
Dictionary hit
Match against a list of common passwords.