Password Entropy Calculator — Crack Time Estimator
Calculate the information-theoretic bit entropy of any password or API key. Detects character set pools automatically, shows the total number of possible combinations, and estimates crack time across five attack scenarios from rate-limited web logins to GPU cracking clusters.
How to Use Password Entropy Calculator — Crack Time Estimator
How to Use the Password Entropy Calculator
Step 1: Enter Your Password or Key
Type or paste a password or API key into the input field. Entropy is calculated in real time as you type. Use the eye icon to toggle visibility.
How Entropy Is Calculated
Entropy measures how unpredictable a password is — how many bits of information it contains:
Entropy (bits) = log2(charset size) x length
The charset size is determined by which character pools appear in the password:
| Pool | Characters | Pool size |
|---|---|---|
| Lowercase letters | a–z | 26 |
| Uppercase letters | A–Z | 26 |
| Digits | 0–9 | 10 |
| Symbols | !@#$%^&*… | 32 |
| Unicode | Non-ASCII | 128 |
A 10-character password using all four ASCII pools (94 characters) has approximately 65.5 bits of entropy — 2^65.5 possible combinations.
Step 2: Read the Results
Entropy Bar
Shows relative strength on a scale to 128 bits. The bar color reflects the strength rating:
| Rating | Bits | Meaning |
|---|---|---|
| Very Weak | 0–27 | Instantly cracked by any tool |
| Weak | 28–35 | Vulnerable to fast offline attacks |
| Fair | 36–59 | Adequate for low-risk accounts only |
| Strong | 60–95 | Sufficient for most use cases |
| Very Strong | 96–127 | High-security credentials |
| Maximum | 128+ | Quantum-resistant class |
Key Metrics
- Entropy — total bits of unpredictability
- Length — number of characters
- Charset pool — total unique characters available given the detected pools
- Combinations — total possible passwords of this length and charset (scientific notation)
Crack Time Table
Estimates the average time to crack by brute force at five attack speeds:
| Attack | Speed | Typical use case |
|---|---|---|
| Online (throttled) | 1K/s | Standard web login |
| Online (no limit) | 1M/s | Unprotected endpoint |
| Offline (bcrypt) | 10K/s | Stolen hash file, slow algorithm |
| Offline (fast hash) | 10B/s | MD5 or SHA-1, single GPU |
| GPU cracking rig | 1T/s | Dedicated multi-GPU cluster |
Crack time = combinations / 2 / hash rate (average case)
Practical Guidance
- Aim for 60+ bits for passwords protecting real accounts
- 128 bits is the target for generated API keys and secrets
- Adding symbols or uppercase adds far less than increasing length does
- A 20-character lowercase passphrase (94 bits) is stronger than a 10-character mixed-case symbol password (65 bits)
Frequently Asked Questions
Most Viewed Tools
TOTP Code Generator — 2FA Testing Tool
Generate time-based one-time passwords from a TOTP secret key. Enter your base32 secret, choose a period and digit length, and get the current and next codes with a live countdown timer. Useful for testing and debugging 2FA integrations.
Use Tool →JSON to Zod — Schema Generator
Generate Zod validation schema code from a JSON sample object. Infers z.string(), z.number(), z.boolean(), z.array(), z.object(), and z.null() types automatically. Handles nested objects, arrays of objects with optional field detection, and outputs copy-ready TypeScript with import and z.infer type alias.
Use Tool →JSONL Formatter — Line-by-Line Validator
Format, validate, and inspect JSON Lines (JSONL) and NDJSON files. Validates each line individually, reports parse errors by line number, outputs compact JSONL or a pretty-print preview, and lets you download the cleaned file.
Use Tool →TLS Cipher Suite Checker — Strength Analyzer
Check TLS protocol version compatibility and cipher suite strength ratings against current best practices. Supports IANA and OpenSSL cipher names — rates each suite as Strong, Weak, or Deprecated and explains why.
Use Tool →Secret Scanner — API Key & Credential Detector
Scan pasted text, code, or config files for accidentally exposed API keys, tokens, passwords, and private keys. Detects 50+ secret types across AWS, GitHub, Stripe, OpenAI, and more — all client-side, nothing leaves your browser.
Use Tool →Screen Size Converter — Diagonal Dimension Tool
Calculate screen width and height from diagonal size and aspect ratio. Convert between inches and centimeters for displays, TVs, and monitors with instant dimension calculations.
Use Tool →TOML Config Validator — Syntax Error Finder
Validate TOML configuration file syntax and report errors with line numbers. Paste any TOML content — Cargo.toml, pyproject.toml, config.toml — and instantly see a green checkmark with key counts and structure stats, or a precise error message pointing to the exact line. Includes a collapsible JSON structure preview to confirm what was parsed.
Use Tool →Content Security Policy Generator — XSS Shield Builder
Build Content Security Policy headers interactively. Toggle directives like script-src, style-src, and img-src, select allowed source tokens, and add custom origins. Instantly outputs your CSP as an HTTP header, meta tag, Nginx directive, or Apache header.
Use Tool →Related Privacy & Security Tools
API Key Hasher — Secure Storage Tool
Hash API keys using SHA-256, SHA-512, or PBKDF2 before storing them in your database. Generates a Node.js verification snippet and shows the recommended storage format — all 100% client-side using the Web Crypto API.
Use Tool →PGP Key Generator — Browser-Based Key Pair Tool
Generate PGP public and private key pairs for email encryption and code signing. Supports ECC (Curve25519) and RSA up to 4096-bit. Entirely browser-side — keys never leave your device.
Use Tool →TOTP Code Generator — 2FA Testing Tool
Generate time-based one-time passwords from a TOTP secret key. Enter your base32 secret, choose a period and digit length, and get the current and next codes with a live countdown timer. Useful for testing and debugging 2FA integrations.
Use Tool →OAuth 2.0 Scope Builder — Permission String Tool
Build and decode OAuth 2.0 scope strings for Google, GitHub, Stripe, and custom providers. Toggle permissions with risk indicators, generate ready-to-use scope strings, and decode existing scope strings to understand what access they grant.
Use Tool →TLS Cipher Suite Checker — Strength Analyzer
Check TLS protocol version compatibility and cipher suite strength ratings against current best practices. Supports IANA and OpenSSL cipher names — rates each suite as Strong, Weak, or Deprecated and explains why.
Use Tool →IP Allowlist Generator — Firewall Rule Builder
Generate ready-to-paste IP allowlist and blocklist rules for nginx, Apache, iptables, UFW, and AWS Security Groups. Enter IP addresses or CIDR ranges, select your target platform, and get production-ready firewall config instantly.
Use Tool →Content Security Policy Generator — XSS Shield Builder
Build Content Security Policy headers interactively. Toggle directives like script-src, style-src, and img-src, select allowed source tokens, and add custom origins. Instantly outputs your CSP as an HTTP header, meta tag, Nginx directive, or Apache header.
Use Tool →SSH Key Generator — Ed25519 & RSA Key Pair Tool
Generate Ed25519 and RSA 4096-bit SSH key pairs entirely in your browser. Keys are never sent to any server — 100% client-side using the Web Crypto API.
Use Tool →Share Your Feedback
Help us improve this tool by sharing your experience