Calculate password/string entropy and strength metrics with detailed analysis. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.
Use Cases
Assess the true strength of a password before using it for an important account
Compare entropy across different password generation strategies
Demonstrate to users why length matters more than forced complexity
Calculate the effective entropy of an API key or secret token format
Tips
Paste the exact password or string — the calculator counts the character set in use (lowercase, uppercase, digits, symbols) to determine the pool size
The bits of entropy output is the log2 of the total possible combinations — this is the true measure of password strength, not length alone
Compare the 'online attack' vs 'offline attack' crack time estimates — online attacks are rate-limited; offline attacks (stolen hash) run at GPU speed
Fun Facts
Shannon entropy, the mathematical foundation for password entropy calculation, was introduced by Claude Shannon in his 1948 paper 'A Mathematical Theory of Communication' — arguably the founding document of information theory. Shannon originally used it to measure the information content of language.
A password with 128 bits of entropy would take longer than the age of the universe to crack at 100 billion attempts per second. In practice, 60-80 bits is sufficient for most applications — the bottleneck is usually the hashing function speed, not the attacker's computation.
NIST SP 800-63B (2017) changed password guidance significantly: it no longer recommends mandatory complexity rules (uppercase + symbol + number) because users compensate predictably (Password1!). NIST now recommends minimum length (8 chars) and checking against breach databases instead.
FAQ
How many bits of entropy is secure?
For online attacks (rate-limited to 1-100 attempts/second): 40+ bits. For offline attacks against a properly hashed password (bcrypt/Argon2): 60+ bits. For encryption keys: 128+ bits. NIST recommends 8+ character passwords checked against breach databases rather than specific entropy targets.
Does adding symbols always increase entropy?
Adding a symbol increases the character pool (typically from 62 to 94 characters), adding log2(94/62) ≈ 0.6 bits per character. For a 12-character password, that is about 7 bits — less than adding 2 characters. Length is more efficient than complexity.
What is the difference between password strength and password entropy?
Entropy is a mathematical measure of randomness (bits). Password strength ratings (weak/strong/very strong) are UI heuristics that approximate entropy but incorporate pattern recognition (dictionary words, keyboard walks, common substitutions). Entropy is more precise.
