How is password entropy calculated?

Entropy in bits is length times log2 of the character-pool size — for example a 12-character password over a 95-symbol pool is about 79 bits. A penalty then reduces the effective length when the password contains sequences or repeats, so 'aaaaaa' is not credited full entropy.

What crack speed does the estimate assume?

It assumes an offline attacker making 100 billion (10^11) guesses per second — a realistic high-end GPU rig against a fast hash like unsalted SHA-1. Slow password hashes such as bcrypt or argon2 are far slower, so real crack times can be much longer.

How many bits of entropy are enough?

As a rough guide, under 28 bits is very weak, 40–60 is reasonable for low-value accounts, 60–80 is strong, and 80+ is very strong. For anything important, aim for 70 bits or more — typically a 12+ character mix or a 4–5 word passphrase.

Why is my long password still rated weak?

Length alone is not enough if the characters are predictable. Sequences like 123456, keyboard runs like qwerty, repeated characters, and common breached passwords are penalised heavily because attackers try those patterns first.

Is my password sent anywhere?

No. Every calculation runs locally in your browser using only JavaScript. The password is never uploaded, logged, or stored, which makes this safe to use for real credentials.

Password Strength & Entropy Meter

The strength of a password is best expressed as entropy — the number of bits of randomness an attacker would have to search through to guess it. This meter computes that entropy from the characters you actually used, penalises predictable patterns, and translates the result into a concrete offline crack-time estimate, all without sending your password anywhere.

How it works

The calculation follows the standard search-space model:

Character pool — the tool detects which classes are present (lowercase 26, uppercase 26, digits 10, symbols ~33) and sums them into a pool size.
Base entropy — raw entropy is length × log2(poolSize) bits, the size of the keyspace an attacker must search.
Pattern penalty — runs of repeated or sequential characters (aaaa, 1234, abcd) reduce the effective length, because such patterns are tried first. Known breached passwords are capped near zero bits.
Crack time — expected guesses are 2^bits / 2, divided by an assumed 10^11 guesses per second, then formatted into seconds, days, years, or centuries.

Tips and notes

A truly random 12-character password over the full 95-symbol ASCII pool is about 79 bits — strong. The same length made of dictionary words and a 123 suffix can be under 30 bits.
Length beats complexity: adding one random character multiplies the keyspace by the pool size, which usually helps more than swapping a letter for a symbol.
The crack-time figure is a worst-case-for-you estimate against a fast hash. If the service salts and uses bcrypt/argon2, the same password is far harder to crack — but you should never rely on the service doing that.
This tool measures structural strength only. A unique password can still be exposed in a breach, so pair it with the k-anonymity breach checker before reusing anything.