How is password entropy calculated?

Entropy in bits equals the password length multiplied by the base-2 logarithm of the character pool size. The pool grows as you add lowercase, uppercase, digits and symbols, so longer passwords with more character types score higher.

What is a good entropy value?

As a rough guide, under 28 bits is very weak, 36 to 60 bits is reasonable, and 60 to 128 bits or more is strong. Aiming for 80 bits or more gives a comfortable margin against offline brute-force attacks.

How big is the character pool for each type?

Lowercase adds 26, uppercase adds 26, digits add 10, and common printable symbols add 33. A password using all four types draws from a pool of 95 possible characters per position.

Why does adding length help more than adding symbols?

Entropy is length × log2(pool), so length multiplies the whole figure while a larger pool only raises the per-character contribution. Two extra random characters usually add more bits than switching from one character type to another.

How is the crack time estimated?

It assumes an attacker tries half the keyspace on average — 2^bits ÷ 2 guesses — divided by a guess rate. The online estimate uses 1,000 guesses per second; the offline estimate is far faster, modelling a determined attacker with serious hardware.

Does high entropy guarantee a safe password?

No. Entropy assumes the password is random. A high-entropy-looking password built from a dictionary word plus predictable substitutions is weaker in practice, because real attackers guess patterns before brute-forcing.

Is my password sent anywhere?

No. The calculation runs entirely in your browser and your password never leaves your device.

Password Entropy Calculator

Password entropy calculator

Entropy measures how unpredictable a password is, expressed in bits — each bit doubles the number of guesses an attacker must try. This tool estimates entropy from your password’s length and the variety of characters it uses, then shows a strength label, the character-pool size, and an estimated brute-force time to crack at both online and offline attack speeds.

How it works

The tool first works out the character pool from the types present, then applies the standard entropy formula:

pool    = 26 (a–z) + 26 (A–Z) + 10 (0–9) + 33 (symbols), counting only types used
entropy = length × log2(pool)   bits
guesses = 2^entropy ÷ 2         (attacker tries half the space on average)
time    = guesses ÷ guesses-per-second

Strength bands: under 28 bits is very weak, 28–36 weak, 36–60 reasonable, 60–128 strong.

Example

The password Tr0ub4dour (10 chars: lower, upper, digit) draws from a pool of 26 + 26 + 10 = 62:

Entropy: 10 × log2(62) = 10 × 5.954 = 59.5 bits (Reasonable)

Add three more characters and a symbol and the pool rises to 95, pushing entropy well past 80 bits — into Strong territory.

Example	Pool	Length	Entropy
password	26	8	37.6 bits
Passw0rd	62	8	47.6 bits
P@ssw0rd!2x9	95	12	78.8 bits

Your password is analysed entirely in your browser and is never uploaded.