Password Strength Checker
Entropy bits, character set, and crack time estimate — computed locally in your browser
Strength
Fair
Entropy
53.6 bits
Higher is stronger. NIST recommends ≥ 80 bits for sensitive data.
Character set size
62 characters
Unique characters you could use based on what you've typed.
Password length
9 characters
Adding 1 character multiplies the combinations by the charset size.
Possible combinations
13537.1 trillion
Total number of possible passwords of this length with this charset.
Estimated brute-force time
19 hours
Assumes a dedicated attacker using high-end GPU hardware (~100 billion guesses/second). Real-world attacks may be slower or faster depending on hashing algorithm.
Password strength concepts — Security+ & CISSP
Frequently asked questions
What is password entropy?
Entropy measures the unpredictability of a password in bits. It is calculated as: entropy = log₂(charset_size) × length. For example, an 8-character password using only lowercase letters has log₂(26) × 8 ≈ 37.6 bits of entropy. The higher the entropy, the harder the password is to crack.
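The calculation above, worked through in JavaScript as an added example (not this page's own code). The character-class sizes and the small wordlist are assumptions, and the time estimate assumes an attacker finds the password after searching half the keyspace on average, which reproduces the 19 hours shown above for a 9-character, 62-symbol password.

```javascript
// Character classes and sizes are assumptions for this example:
// 26 lowercase, 26 uppercase, 10 digits, 33 printable ASCII symbols (space included).
const CLASSES = [
  { name: "lowercase", re: /[a-z]/, size: 26 },
  { name: "uppercase", re: /[A-Z]/, size: 26 },
  { name: "digits", re: /[0-9]/, size: 10 },
  { name: "symbols", re: /[^A-Za-z0-9]/, size: 33 }, // non-ASCII also lands here
];
const GUESSES_PER_SECOND = 100e9; // the page's ~100 billion guesses/second

// Constructed sample wordlist; a real check would use a breached-password corpus.
const COMMON_BASES = new Set(["password", "qwerty", "letmein", "welcome"]);

function estimate(password) {
  const detected = CLASSES.filter((c) => c.re.test(password));
  const charset = detected.reduce((n, c) => n + c.size, 0);
  const length = [...password].length; // count code points, not UTF-16 units
  // entropy = log2(charset_size) * length; guard the empty input (log2(0) * 0 is NaN)
  const entropyBits = length === 0 ? 0 : Math.log2(charset) * length;
  // BigInt keeps charset^length exact beyond 2^53
  const combinations = length === 0 ? 0n : BigInt(charset) ** BigInt(length);
  // Average case: half the keyspace is searched before a hit
  const avgSeconds = Number(combinations) / 2 / GUESSES_PER_SECOND;
  // The formula assumes random characters, so also flag a dictionary word
  // with trailing digits or symbols, which a wordlist attack finds first.
  const base = password.toLowerCase().replace(/[^a-z]+$/, "");
  return {
    sets: detected.map((c) => c.name),
    charset,
    length,
    entropyBits,
    combinations,
    avgSeconds,
    dictionaryBased: COMMON_BASES.has(base),
  };
}

// 'Password1' scores the same 53.6 bits as a random 9-character string,
// yet it is flagged as dictionary-based.
const r = estimate("Password1");
console.log(r.sets.join(", "), r.charset, r.entropyBits.toFixed(1) + " bits",
  (r.avgSeconds / 3600).toFixed(1) + " h", "dictionary:", r.dictionaryBased);
```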
What entropy level does NIST recommend?
NIST SP 800-63B recommends at least 80 bits of entropy for sensitive accounts. For most authentication systems, a 12+ character password using mixed case, digits, and symbols is considered strong. Length matters more than complexity.
What is the difference between a brute-force and dictionary attack?
A brute-force attack tries every possible combination of characters. A dictionary attack uses word lists, common phrases, and predictable patterns. Dictionary attacks are much faster against passwords based on real words (e.g., 'Password1') even if entropy looks acceptable.
What is salting and why does it matter?
Salting adds a random string to a password before hashing it. This defeats rainbow table attacks (which rely on precomputed hash tables) and ensures that two users with the same password have different stored hashes.
How do the Security+ and CISSP exams differ on passwords?
Security+ tests password policy basics: complexity rules, length requirements, history, lockout, and types of attacks. CISSP goes deeper into authentication frameworks, password storage (hashing + salting), entropy mathematics, and authentication protocol weaknesses.