Your password is never stored, logged, or transmitted. All analysis runs entirely in your browser.
🔑
Type a password above to see its entropy and crack-time estimates
Charset size
—
possible chars
Combinations
—
possible passwords
| Attack scenario |
Hash / rate |
Guesses/sec |
Time to crack |
Verdict |
- Estimates assume exhaustive brute-force search of the full keyspace — real attacks use wordlists and patterns, which are often faster.
- Online throttled: assumes a rate-limited API (e.g. login form) with lockouts. bcrypt/Argon2: assumes GPU cluster. MD5/SHA GPU: assumes high-end GPU array.
- "Time to crack" shows the expected time to exhaust 50% of the keyspace (average case). Full keyspace takes 2×.
- Entropy is calculated as log₂(charsetSize ^ length) — this measures mathematical entropy, not resistance to dictionary attacks.
-
📏
Length beats complexity
Each extra character multiplies the keyspace by the charset size. A 20-char lowercase-only password has more entropy than a 10-char mixed-case password.
-
🎲
Use a passphrase
Four or more random words (diceware style) are both high-entropy and memorable — e.g. correct-horse-battery-staple.
-
🔑
Use a password manager
A manager lets you use a unique, randomly-generated 20+ character password for every site. The only password you need to remember is your master password.
-
⚠
Entropy doesn't measure everything
This calculator measures mathematical entropy. A password like Password1! scores moderately here but is in every dictionary attack list and would be cracked instantly in practice.
-
🛡
Enable MFA
Even a weak password is significantly harder to exploit when multi-factor authentication is active. Always layer defences.