Calculator tool
How this calculator works
Use the explanation to understand the formula, assumptions, and practical limits behind the calculator result.
Password Entropy Formula
Entropy measures the unpredictability of a password — the amount of information an attacker must guess:
- = entropy in bits
- = password length (number of characters)
- = character set size (number of possible characters)
Each additional character multiplies the search space by ; each additional bit doubles it. Length is the dominant variable.
Character Set Sizes
| Character Set | Character Set Size | Entropy per Character |
|---|---|---|
| Digits only (0–9) | 10 | 3.32 bits |
| Lowercase letters (a–z) | 26 | 4.70 bits |
| Lower + uppercase (a–z, A–Z) | 52 | 5.70 bits |
| Alphanumeric (a–z, A–Z, 0–9) | 62 | 5.95 bits |
| Full printable ASCII + symbols | 94–95 | 6.57 bits |
Worked Example — 16 Character Password
| Character Set | Entropy | Strength |
|---|---|---|
| Digits only | 16 × 3.32 = 53 bits | Weak |
| Lowercase only | 16 × 4.70 = 75 bits | Moderate |
| Alphanumeric | 16 × 5.95 = 95 bits | Strong |
| Full ASCII | 16 × 6.57 = 105 bits | Very strong |
Strength Thresholds
| Entropy (bits) | Strength | Context |
|---|---|---|
| < 40 | Very weak | Trivially brute-forced |
| 40–60 | Weak | Minutes to hours for offline attack |
| 60–80 | Moderate | Adequate for low-value accounts |
| 80–100 | Strong | Recommended for most accounts |
| 100–128 | Very strong | Banking, email, password manager |
| > 128 | Extremely strong | Resistant to foreseeable hardware advances |
Why Length Beats Complexity
A 20-character lowercase-only password has 94 bits of entropy. An 8-character password with full symbols has only 53 bits. The longer password is dramatically more resistant to brute force — yet far easier to remember if it is a passphrase (four random words). These figures assume every character is chosen uniformly at random; a passphrase assembled from a word list gets its entropy from the size of the list and the number of words, not from its character count. NIST SP 800-63B (2017) moved away from mandatory complexity rules in favor of longer passwords and passphrases, combined with blocking known compromised passwords.
Frequently asked questions
How long should a password be?
NIST SP 800-63B sets a minimum of 8 characters for user-chosen passwords, but longer passwords are materially stronger. A 12-character alphanumeric password has about 71 bits of entropy, while a 20-character password using every set available in this generator has about 127 bits. For high-value accounts such as email, banking, or a password manager, use a long unique password or passphrase and store it in a password manager instead of trying to memorize many shorter secrets.
Is it better to use a longer password or one with more character types?
Length has a greater impact per character than character-set expansion. Each additional character drawn from the generator's 82-character set adds 6.36 bits of entropy; switching from lowercase only to all available sets adds about 1.66 bits per character. A 20-character lowercase passphrase (94 bits) is stronger than a 12-character password using every available set (about 76 bits), and it can be easier to remember. The practical advice: use a long unique password or passphrase first, then use extra character variety when a site requires it.
What makes a password generator 'cryptographically secure'?
Cryptographic security requires that each character be drawn from a true random or pseudorandom source with adequate entropy — specifically, a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). Browser-based tools use window.crypto.getRandomValues(), which is backed by the operating system's CSPRNG. Non-cryptographic randomness (Math.random() in JavaScript, rand() in C) is predictable given sufficient output samples and must never be used for security-sensitive values. Generated passwords should also never be transmitted over the network — the generation and display must happen entirely in the browser.
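The requirement above, as an added example that is not this calculator's own code: it draws each character from crypto.getRandomValues() and discards bytes that would skew the distribution, so the entropy formula's uniform-choice assumption actually holds. The 82-character CHARSET is an assumed composition (the page gives only the size), and the fillRandom parameter is a hypothetical hook used for testing.

```javascript
// Web Crypto is a global in browsers and current Node; older Node exposes it as crypto.webcrypto.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Assumed 82-character set (26 + 26 + 10 + 20 symbols); the page does not list the exact symbols.
const CHARSET =
  "abcdefghijklmnopqrstuvwxyz" +
  "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
  "0123456789" +
  "!@#$%^&*()-_=+[]{};:";

// Entropy in bits when every character is drawn uniformly and independently.
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

// Largest multiple of charsetSize that fits in one byte. Bytes at or above it are
// discarded, otherwise `byte % n` would favour the first 256 % n characters.
function rejectionLimit(charsetSize) {
  if (!Number.isInteger(charsetSize) || charsetSize < 2 || charsetSize > 256) {
    throw new RangeError("charset size must be an integer from 2 to 256");
  }
  return 256 - (256 % charsetSize);
}

// fillRandom is a hypothetical injection point for tests; the default is the platform CSPRNG.
function generatePassword(length, charset = CHARSET,
                          fillRandom = (buf) => webCrypto.getRandomValues(buf)) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  const chars = [...charset];
  if (new Set(chars).size !== chars.length) {
    throw new Error("charset contains duplicate characters");
  }
  const limit = rejectionLimit(chars.length);
  const out = [];
  const buf = new Uint8Array(64);
  while (out.length < length) {
    fillRandom(buf);
    for (const byte of buf) {
      if (byte >= limit) continue; // rejected: outside the unbiased range
      out.push(chars[byte % chars.length]);
      if (out.length === length) break;
    }
  }
  return out.join("");
}
```

With 82 characters, bytes 246 to 255 are thrown away; skipping that step and taking the byte modulo 82 would make the first 10 characters of the set slightly more likely than the rest.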
Should I use a password manager instead of memorising passwords?
Yes — for all but one password (the password manager master password). Password managers generate and store a unique, high-entropy password for every account, eliminating password reuse — which is responsible for the majority of account takeovers following data breaches. The master password should be a 4–6 word random passphrase (e.g., 'correct horse battery staple' style) with high entropy and no personal references. Popular managers (Bitwarden, 1Password, Dashlane) use AES-256 encryption with zero-knowledge architecture, meaning even the provider cannot access your vault. The risk of using a password manager is lower than the near-certainty of credential reuse attacks.