Security checks

Password Strength Checker

Enter password length and character types to see the estimated entropy in bits, strength rating, and actionable improvement steps. Runs entirely client-side — no input is transmitted or stored. Adjust the strong-entropy target to match your security policy.

Last reviewed May 14, 2026 by ToolSpilo Editorial Team.

Review method: Reviewed against NIST SP 800-63B and OWASP authentication guidance. Existing entropy structure preserved; FAQ clarified that passphrases must use randomly chosen words and that real passwords should not be entered.

Calculator tool

How this calculator works

Use the explanation to understand the formula, assumptions, and practical limits behind the calculator result.

How Entropy Measures Password Strength

Password strength is measured in bits of entropy — how many binary guesses an attacker needs to exhaust the search space. The formula:

H=log2(N)×LH = \log_2(N) \times L

Where:

  • HH = entropy in bits
  • NN = character pool size (number of distinct characters the attacker must consider)
  • LL = password length

This assumes a random password chosen uniformly from the character set. Non-random passwords (keyboard walks, words, substitutions) have lower effective entropy.

Character Pool Sizes

Character setPool size NNEntropy per character
Lowercase only (a–z)264.70 bits
Lower + Upper525.70 bits
Letters + Digits625.95 bits
All printable ASCII946.55 bits

Adding uppercase to a lowercase-only password adds 1 bit per character. Adding symbols adds another 0.6 bits per character. Length multiplies this — which is why a longer simple password can beat a shorter complex one.

Worked Example

Password structure: 16 characters, lowercase + uppercase + digits + symbols → N=94N = 94

H=log2(94)×16=6.55×16104.8 bitsH = \log_2(94) \times 16 = 6.55 \times 16 \approx 104.8 \text{ bits}

At 101210^{12} guesses/second (a modern GPU cluster), exhausting a 104-bit search space takes approximately 2104/10122.5×10192^{104} / 10^{12} \approx 2.5 \times 10^{19} seconds — well past any practical attack horizon.

By contrast: 8 characters, letters + digits only → N=62N = 62, H=5.95×8=47.6H = 5.95 \times 8 = 47.6 bits. At the same attack speed, the full search space takes about 4 days.

Strength Thresholds

EntropyRatingSuitable for
< 20 bitsVery WeakNever use
20–40 bitsWeakLow-stakes, short-lived
40–60 bitsFairPersonal accounts with rate limiting
60–80 bitsStrongMost applications
80+ bitsVery StrongSensitive accounts, encryption keys

NIST SP 800-63B (the US standard) recommends at least 8 characters for user-chosen passwords and does not prescribe mandatory complexity rules — length and uniqueness matter more than forced substitutions.

Length Beats Complexity

Comparing two passwords:

  • P@ssw0rd!1 — 10 characters, full 94-char set → 65.5 bits
  • correct horse battery staple — 28 characters, lowercase only → 131.6 bits

The passphrase has 2× more entropy despite using only lowercase. Attackers run dictionary attacks with rule sets that trivially crack substitution patterns (@ for a, 0 for o). Length in characters that aren't predictable patterns is the primary defence.

What This Checker Does Not Measure

  • Dictionary or pattern attacksqwerty123 scores fair on entropy but falls in milliseconds to a dictionary attack
  • Credential stuffing exposure — a technically strong password reused across sites is high-risk
  • Actual crack time — entropy is a structural property; real crack time also depends on hashing algorithm, salting, and rate limiting

Frequently asked questions

Is my password sent anywhere?

No. The checker runs entirely in your browser using JavaScript. No text is transmitted to any server or logged anywhere. That said, best practice is to test a password of the same structure rather than your actual password — for example, if your real password is 14 characters with mixed case and symbols, test any other 14-character string with the same character types.

Is length more important than complexity?

Yes, when the added length is not predictable. Adding one truly random character to a password using a 94-character set increases the search space by a factor of 94, which is about 6.5 bits of entropy. Adding a symbol to the end of an otherwise predictable password helps much less.

For human-remembered passwords, a passphrase of 4–6 randomly chosen words can be strong and more memorable than an 8-character complex password. The words must be chosen randomly; a quote, song lyric, famous phrase, or personal sentence should not be treated as random.

Forced complexity rules often produce predictable patterns such as Capital1!, and attackers already include those patterns in guessing rules.

What entropy target should I use?

The default target of 100 bits is a practical upper bound for most accounts — at modern GPU speeds ($10^{12}guesses/sec),a100bitpasswordtakesguesses/sec), a 100-bit password takes10^{18}$ seconds to brute-force.

For lower-sensitivity scenarios with rate-limited login forms, 60 bits is typically sufficient. For encryption keys, master passwords, or authentication credentials with no rate limiting, set the target to 128 bits.

Why do some 'complex' passwords score lower than long simple ones?

Entropy is determined by character pool × length, not by whether a password looks complicated to a human. An 8-character password using all 94 printable ASCII characters has about 52 bits. A 12-character lowercase-only password has about 56 bits — and is harder to crack despite looking simpler.

The practical lesson: use a password manager to generate random passwords of 20+ characters. You do not need to memorise them, and the randomness eliminates pattern vulnerabilities entirely.