Password Character-Set Entropy Estimator

Estimate the brute-force search space implied by a password's length and detected character classes.

⚠️ Estimator only, not a real security audit. Entropy assumes uniform random selection from character classes (not how humans actually choose passwords). Crack time assumes 1e10 guesses/sec and half-keyspace search. Real password risk depends on predictability, dictionary attacks, breached-password lists, and actual attacker resources. A password with high entropy here can still be weak if predictable.

Last updated: March 2026 | By Patchworkr Team

Entropy Analyzer

Password (not saved)

Your password is evaluated locally and never transmitted or stored.

What is Password Entropy?

Password entropy is a measure of the randomness and strength of a password, expressed in bits. It quantifies how many possible passwords could exist given the character set and length. Higher entropy means more possible passwords and longer attack times for brute-force cracking.

Entropy is calculated using the formula: Entropy = log₂(pool_size^password_length), where pool_size is the number of characters available (lowercase, uppercase, digits, symbols) and password_length is the number of characters in the password. A password with 80 bits of entropy is considered strong protection against modern attacks.

However, entropy alone doesn't determine security. Dictionary attacks, pattern recognition, and leaked password databases can crack weak passwords faster than entropy suggests. True entropy requires randomness; predictable passwords (like "Password123") have much less effective strength despite normal entropy calculations.

How to Calculate Password Entropy

Character Pool Size

The calculator counts which character types are present:

Lowercase (a-z): +26 characters

Uppercase (A-Z): +26 characters

Digits (0-9): +10 characters

Special chars: +32 characters (!, @, #, $, etc.)

Entropy Formula

Entropy = log₂(pool_size^length)

This equals the logarithm (base 2) of all possible password combinations. Each additional bit of entropy doubles the attack time.

Entropy Strength Guidelines

28-39 bits: Very weak (cracks in seconds to hours)
40-59 bits: Weak (cracks in days to weeks)
60-79 bits: Moderate (cracks in months to years)
80+ bits: Strong (cracks in centuries or more)

Example Calculation

Calculate entropy for "MyP@ssw0rd!":

Password:

MyP@ssw0rd!

Length:

11 characters

Character Types:

✓ Uppercase (M, P)

✓ Lowercase (y, s, s, w, r, d)

✓ Digits (0)

✓ Special (@, !)

Pool Size:

26 + 26 + 10 + 32 = 94 characters

Entropy:

log₂(94^11) ≈ 66 bits

Assessment:

Strong 👍

~94 quadrillion combinations, years to crack

Frequently Asked Questions

Is my password safe if entropy is high?

High entropy helps, but it's not the only factor. Leaked passwords, social engineering, malware, and password reuse are common attacks. Use unique, random passwords everywhere.

Does 80 bits guarantee security?

80 bits protects against brute-force attacks using current technology. However, quantum computers could change this. NIST currently recommends 112+ bits of entropy.

Why does length matter more than complexity?

Each character adds exponential strength. A 12-char password with lowercase is stronger than 8-char with all character types. Length is the primary entropy driver.

Should I change passwords periodically?

Modern security science says no, unless compromised. Focus on strong unique passwords and multi-factor authentication instead of periodic changes.

What about password managers?

Password managers are excellent—they enable long, random, unique passwords for every account. Use a strong master password (60+ bits entropy minimum).