Free · No account · Works in your browser

Password Strength Checker

Entropy bits, character set, and crack time estimate — computed locally in your browser

Privacy notice: Password analysis runs entirely in your browser. Nothing you type is ever sent to a server.

Strength

Fair

Entropy

53.6 bits

Higher is stronger. NIST recommends ≥ 80 bits for sensitive data.

Character set size

62 characters

Unique characters you could use based on what you've typed.

Password length

9 characters

Adding 1 character multiplies the combinations by the charset size.

Possible combinations

13537.1 trillion

Total number of possible passwords of this length with this charset.

Estimated brute-force time

19 hours

Assumes a dedicated attacker using high-end GPU hardware (~100 billion guesses/second). Real-world attacks may be slower or faster depending on the hashing algorithm.

Character sets detected

Lowercase a–z (26) · Uppercase A–Z (26) · Digits 0–9 (10) · + Add special chars

Password strength concepts — Security+ & CISSP

Entropy: Measure of randomness / unpredictability in bits. Higher entropy = harder to crack.
Brute-force attack: Trying every possible combination. Time increases exponentially with length and charset size.
Dictionary attack: Uses word lists and common patterns. Defeats predictable passwords even if they are long.
Rainbow table: Precomputed hash → password table. Defeated by salting (adding random data before hashing).
Password complexity: Mix of uppercase, lowercase, digits, and special characters. Increases charset size (N).
Password length: Single biggest factor in entropy. Each extra character multiplies combinations by N.

Frequently asked questions

What is password entropy?

Entropy measures the unpredictability of a password in bits. It is calculated as: entropy = log₂(charset_size) × length. For example, an 8-character password using only lowercase letters has log₂(26) × 8 ≈ 37.6 bits of entropy. Higher entropy = harder to crack.

What entropy level does NIST recommend?

NIST SP 800-63B recommends at least 80 bits of entropy for sensitive accounts. For most authentication systems, a 12+ character password using mixed case, digits, and symbols is considered strong. Length matters more than complexity.

What is the difference between a brute-force and dictionary attack?

A brute-force attack tries every possible combination of characters. A dictionary attack uses word lists, common phrases, and predictable patterns. Dictionary attacks are much faster against passwords based on real words (e.g., 'Password1') even if entropy looks acceptable.
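The entropy formula from the first answer and the dictionary caveat from this one, combined in an added JavaScript example (not the checker's own code). The 32-symbol special set, the four-word list and the sample passwords are assumptions made for illustration; halving the keyspace for the average case reproduces the panel's 19 hours for a 9-character, 62-symbol password.

```javascript
// Added example: charset-based entropy estimate plus a wordlist check.
// Guess rate taken from the page's stated GPU assumption.
const GUESSES_PER_SECOND = 100e9;

// Character classes and sizes as shown in the checker's panel.
const CLASSES = [
  { name: "lowercase", re: /[a-z]/, size: 26 },
  { name: "uppercase", re: /[A-Z]/, size: 26 },
  { name: "digits", re: /[0-9]/, size: 10 },
  // Assumption: 32 printable ASCII symbols; the page gives no count.
  { name: "special", re: /[^a-zA-Z0-9]/, size: 32 },
];

// Constructed mini wordlist standing in for a real cracking dictionary.
const COMMON_WORDS = ["password", "welcome", "qwerty", "letmein"];

function analyze(password) {
  const used = CLASSES.filter((c) => c.re.test(password));
  const charset = used.reduce((n, c) => n + c.size, 0);
  // entropy = log2(charset_size) × length; an empty input has none.
  const entropyBits = charset > 0 ? password.length * Math.log2(charset) : 0;
  const combinations = charset > 0 ? Math.pow(charset, password.length) : 0;
  // Average case: the attacker searches half the keyspace before a hit.
  const avgSeconds = combinations / 2 / GUESSES_PER_SECOND;
  // Strip trailing digits/symbols so "Password1" reduces to "password".
  const stem = password.toLowerCase().replace(/[^a-z]+$/, "");
  const dictionaryHit = COMMON_WORDS.includes(stem);
  return {
    classes: used.map((c) => c.name),
    charset,
    entropyBits,
    combinations,
    avgSeconds,
    // The formula assumes random characters; a wordlist hit voids it.
    verdict: dictionaryHit ? "weak (dictionary word)" : "entropy estimate applies",
  };
}

// Constructed samples: same length and charset, very different real strength.
for (const pw of ["Tr4vbQ9xk", "Password1"]) {
  const r = analyze(pw);
  console.log(pw, r.charset, r.entropyBits.toFixed(1) + " bits",
    (r.avgSeconds / 3600).toFixed(1) + " h", r.verdict);
}
```

Both samples score 53.6 bits, which is why a charset-and-length figure should be read as an upper bound that holds only for randomly generated passwords.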

What is salting and why does it matter?

Salting adds a random string to a password before hashing it. This defeats rainbow table attacks (which rely on precomputed hash tables) and ensures that two users with the same password have different stored hashes.

What is the exam difference between Security+ and CISSP on passwords?

Security+ tests password policy basics: complexity rules, length requirements, history, lockout, and types of attacks. CISSP goes deeper into authentication frameworks, password storage (hashing + salting), entropy mathematics, and authentication protocol weaknesses.