The Logic Gate

logic-gate.dev

Software Security

Password Entropy Calculator

Estimate password entropy, search space, and brute-force time from length, character set size, and guess rate.

Entropy

104.87 bits

Search Space

1e31.57

Average Crack Time

5.887e+14 years

Exhaustive Crack Time

1.177e+15 years

Password Entropy Without the False Confidence

What the Calculator Is Really Checking

Password entropy is often described as a single score, but it is really a statement about a guessing game. The defender chooses from a space of possible strings. The attacker makes guesses, either online through a login form or offline against a stolen hash. Entropy measures the size of that space when the password is chosen randomly from a known character set. A 16-character random password drawn from 94 printable symbols is a very different object from a 16-character phrase made from a name, a year, and punctuation.

The useful mental model is a lottery drum, not a checklist. Length matters because every extra random character multiplies the number of possible passwords by the size of the character set. Character set size matters because a random lowercase letter only has 26 choices, while a printable ASCII character has many more. Guess rate matters because an offline attacker with hashes and GPUs can try far more candidates than a website that locks accounts or rate-limits attempts. The same password can be acceptable in one threat model and weak in another.

Password Entropy Calculator uses this core relationship: Entropy = length * log2(character set size). Exhaustive search space = 2^entropy. That formula is short enough to look harmless, but it carries the whole model. Before using the highlighted result, identify what the model includes and what it leaves out. In this tool, the visible inputs are password length, character set size, guess rate. Those inputs are not just boxes to fill in; they are the assumptions that decide whether the answer belongs to your situation.

Manual Calculation Path

A quick hand check starts by finding log2 of the character set size. Printable ASCII is about 6.55 bits per character, digits are about 3.32 bits per character, and lowercase letters are about 4.7 bits per character. Multiply that value by the number of truly random characters. If the password is not random, stop and lower your confidence. Human patterns such as words, keyboard walks, sports teams, dates, substitutions, and repeated suffixes collapse the real search space even when the displayed length looks impressive.

The calculator also states its working assumption plainly: This is a combinatorics estimate for random passwords. Human-chosen passwords, reused words, leaks, and rule-based cracking can be much weaker. That sentence is part of the calculation, not legal fine print. It tells you when the result is a quick engineering estimate and when the problem needs a datasheet, code book, lab measurement, simulation, or a more detailed model. If a real system violates the assumption, the number may still be useful as a reference point, but it should not be treated as final evidence.

A reliable hand check does not need to reproduce every displayed digit. It should confirm the direction and scale. Increase the input that should make the result larger and confirm that the result moves upward. Cut a length, rate, resistance, load, or probability in half and see whether the answer responds the way the formula says it should. That habit catches swapped units, inverted ratios, and copied values faster than staring at a finished number.

Reading the Inputs

The length input should describe the number of independently chosen characters. The character set should describe the generator, not the characters that happened to appear after the fact. A password manager that chooses from letters, digits, and symbols can justify a larger set. A person who writes a phrase and swaps an "a" for "@" cannot. The guess rate is deliberately exposed because it is the most honest way to compare online and offline risk. A slow KDF, account lockout, and monitoring all reduce the practical rate.

The field labels are deliberately plain because the calculator is meant for quick use, but plain labels still need engineering context. If a value comes from a datasheet, check whether it is typical, maximum, RMS, peak, hot, cold, no-load, full-load, or measured under a specific condition. If it comes from a test, record the setup. If it comes from a guess, mark it as a guess. The result is only as honest as the least honest input.

Where the Answer Can Mislead

The most common mistake is treating entropy as a user-facing strength meter. A password like "Tr0ub4dor&3" contains uppercase, lowercase, a number, and a symbol, but it follows a memorable pattern. Another mistake is using average crack time as a comfort blanket. Average time is half of exhaustive time only under random ordering. Real attackers sort guesses by probability, so common patterns are tried first. The calculator is strongest when it is used for generated secrets, API keys, test tokens, and policy comparisons, not for certifying a hand-made password.

The result should be read in bits first. Around 40 bits can be fine for a throttled online login but is not enough for an offline hash. Around 80 bits starts to be serious for many modern offline scenarios, assuming the secret is random and protected with a proper password hashing scheme. Very high values can still be undermined by reuse, phishing, clipboard leaks, browser sync, insecure recovery flows, or logging. Entropy is one layer of a system, not a substitute for sensible authentication design.

The supporting metrics are there to reduce that risk. They expose intermediate quantities, alternate units, or related values that make the main answer easier to challenge. When one of those supporting numbers looks strange, pause before moving on. A strange velocity, impossible current, negative margin, enormous sample size, or tiny time constant usually means the calculator is telling you something important about either the design or the way the problem was entered.

Using the Result in Real Work

In real engineering work, this calculator is useful when a team is choosing default token lengths, password-manager policies, invite codes, reset tokens, or temporary credentials. It gives a fast way to ask, "What happens if we use 12 characters instead of 16?" or "How much does dropping symbols cost?" For production systems, pair the calculation with rate limits, breached-password screening, salted password hashing, MFA, and sane recovery behavior. The math is clean, but authentication systems fail in the messy parts around it.

A good review note records the assumed generation method, the character set, the length, and the attack model. If those assumptions are missing, the entropy number is just decoration. When the calculator shows a large search space, ask whether the secret is really sampled uniformly and stored safely. When it shows a small search space, do not argue with the number; increase length, improve randomness, slow the guessing path, or change the design so the secret has less work to do.

For a clean review, save the input values, the highlighted result, the supporting metric that most constrains the design, and the next check you would run. That next check might be a bench measurement, a vendor curve, a code requirement, a production trace, a tolerance stack, or a second calculation with worst-case values. The goal is not to make the calculator look authoritative. The goal is to make the reasoning easy for another person to inspect and improve.