How is password strength calculated?

Strength is measured as entropy in bits: length × log2(character pool size). The pool grows as you add lowercase (26), uppercase (26), digits (10), or special characters (32). Higher entropy means exponentially more guesses are required to crack it.

Is length or complexity more important?

Length is more impactful. Adding one character multiplies combinations by the entire pool size. A 16-character lowercase password (26¹⁶ combinations) vastly outperforms an 8-character mixed-symbol password (94⁸ combinations).

What is a GPU brute-force attack?

A GPU cluster can try billions of password guesses per second against stolen password hashes. Passwords under 60 bits of entropy may be cracked in days or hours with modern hardware.

Password Strength Checker | Crack Time

Enter Password

Show password

How Password Strength Is Measured

This checker analyzes the length and character composition of a password to calculate its entropy in bits and estimate how long it would take to crack under different attack scenarios. No data is sent to any server — everything runs in your browser.

Strength Levels by Entropy

Level	Entropy	Example
Very Weak	0–27 bits	6-digit PIN, common word
Weak	28–35 bits	8 lowercase letters
Fair	36–59 bits	10-char mixed case
Strong	60–79 bits	12-char mixed + symbols
Very Strong	80+ bits	16+ char mixed

Why Length Beats Complexity

Each additional character multiplies the total combinations by the entire pool size. An 8-character password using all 94 printable ASCII characters has 94⁸ ≈ 6 quadrillion combinations. A 16-character lowercase-only password has 26¹⁶ ≈ 4.4 × 10²² combinations — over 7 million times more. The practical lesson: use a passphrase (multiple words strung together) rather than a short symbol-heavy password.

What the Attack Speeds Mean

Online attacks are rate-limited by the server — typically 10 attempts per second. Offline attacks occur when a password database is stolen and hashed values are cracked locally. A modern GPU rig can test over 1 billion bcrypt hashes per second — or far more for weaker algorithms like MD5. Aim for at least 60 bits of entropy to resist offline GPU attacks for decades.

Frequently Asked Questions

Is it safe to type my real password here?

This tool runs entirely in your browser and sends nothing to a server. That said, it's always a good practice to test your password pattern rather than the actual password you use on important accounts.

What is password entropy?

Entropy measures unpredictability in bits. Formula: entropy = length × log₂(pool size). At 128+ bits, brute-force attacks are computationally infeasible with any current or foreseeable hardware.

Does this account for dictionary attacks?

No — this tool calculates worst-case brute-force time. A password like "football2023" has high character-count entropy but is trivially cracked by a dictionary attack. Avoid real words and predictable patterns regardless of length.

How Password Strength Is Measured

Strength Levels by Entropy

Why Length Beats Complexity

What the Attack Speeds Mean

Frequently Asked Questions

Related Tools