PASSWORD strength

[01] What is entropy?

Entropy is a measure of unpredictability in bits. A password with N bits of entropy has 2^N equally likely possibilities. Each additional bit doubles the search space.

• 30 bits ≈ 1 billion possibilities - instant for a GPU
• 50 bits ≈ 1 quadrillion - minutes on a fast attacker
• 70 bits ≈ 1 sextillion - months to years
• 90 bits ≈ 1 octillion - centuries against current hardware
• 128 bits ≈ AES-128 keyspace - beyond foreseeable

NIST SP 800-63B recommends a minimum of 8 characters but explicitly says length beats complexity - "correct horse battery staple" (4 random words) has more entropy than "Tr0ub4dor&3" while being easier to remember. xkcd #936 is right.

[02] How this calculator estimates entropy

This is a coarse, character-class-based estimate. The character pool is determined by which classes the password uses (lowercase=26, uppercase=26, digits=10, symbols=33). Entropy = log₂(pool^length).

This overestimates for passwords with patterns (repeated chars, dictionary words, dates). Real entropy of "Password1!" is much lower than its 65-bit class-based estimate because most attackers try dictionary patterns first. For an attacker-realistic estimate, use zxcvbn; this tool's job is to give you a fast directional read.

[03] The four crack-rate scenarios

• Online (10/sec): attacker has to make HTTP requests. Rate-limited services like Gmail effectively cap here.
• Online unthrottled (1k/sec): attacker found an unprotected endpoint or credential-stuffing API.
• Offline GPU (10B/sec): attacker has the password hash and is grinding it on a single high-end GPU.
• Offline farm (1T/sec): dedicated cracking rig with 100+ GPUs, common against breached hash dumps.

[04] Privacy

The password never leaves your browser. No analytics on the input, no remote service. Safe to test real passwords.