🛡 PASSWORD STRENGTH CHECKER
// Analyse password strength, entropy bits and estimated crack time

HOW IS ENTROPY CALCULATED?

Entropy (bits) = log2(charset size) × password length. A 16-character password with upper+lower+numbers+symbols has a charset of ~94 characters, giving 94^16 ≈ 2^104 possible combinations — practically uncrackable by brute force.


Password Strength Checker — Entropy, Crack Time and Security Analysis

Our free password strength checker analyses any password and calculates its entropy in bits, estimated crack time at 1 trillion guesses per second (representing modern GPU-based cracking rigs), and provides specific recommendations for improvement. All analysis runs in your browser — your password is never transmitted or stored.

How Password Entropy is Calculated

Entropy measures the unpredictability of a password in bits. It is calculated as: Entropy = log₂(charset size) × password length. The charset size depends on which character types you use:

  • Numbers only (0-9): charset of 10 → 3.32 bits per character
  • Lowercase only (a-z): charset of 26 → 4.70 bits per character
  • Alphanumeric (a-z A-Z 0-9): charset of 62 → 5.95 bits per character
  • All printable ASCII: charset of 94 → 6.55 bits per character

A 16-character password using all character types has approximately 104 bits of entropy — requiring 2¹⁰⁴ guesses on average, which is computationally infeasible even for nation-state attackers.

How Fast Can Passwords Be Cracked?

  • A modern consumer GPU (RTX 4090) can test MD5 hashes at approximately 164 billion guesses per second
  • A cloud cracking cluster can achieve 1+ trillion guesses per second
  • An 8-character password, even with all character types, can be cracked in under an hour with modern hardware
  • A 12-character password takes approximately 34,000 years at 1 trillion/second
  • A 16-character password would take longer than the age of the universe

Why Length Matters More Than Complexity

A 20-character lowercase-only password has more entropy than a 10-character password using all character types. NIST (National Institute of Standards and Technology) now recommends prioritising password length over complexity rules. Their latest guidelines (NIST SP 800-63B) recommend allowing long passphrases, removing mandatory complexity rules, and only requiring changes when compromise is suspected.
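The entropy formula, the crack-time estimate and the length-versus-complexity comparison above, worked through as an added example (this is not the checker's own source; the function names and sample passwords are constructed for illustration). It assumes printable-ASCII input, and the last sample shows the formula's limit: it scores which character classes appear, so a predictable password gets the same figure as a random one of the same shape.

```javascript
// Added example (not the tool's source). Pool sizes follow the page's table.
const CLASSES = [
  { re: /[0-9]/, size: 10 },
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  // 94 printable ASCII characters minus the 62 alphanumerics
  { re: /[!-\/:-@\[-`{-~]/, size: 32 },
];

// Sum the pools of every character class that appears in the password.
function charsetSize(password) {
  return CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
}

// Entropy = log2(charset size) x password length.
// Assumption: input is printable ASCII; other characters add no pool.
function entropyBits(password) {
  const pool = charsetSize(password);
  return pool > 0 ? password.length * Math.log2(pool) : 0;
}

// Seconds to search a fraction of the keyspace (1 = all of it, 0.5 = the
// expected case) at the page's rate of 1 trillion guesses per second.
function secondsToSearch(bits, fraction = 1, guessesPerSecond = 1e12) {
  return (fraction * Math.pow(2, bits)) / guessesPerSecond;
}

function analyse(password) {
  const bits = entropyBits(password);
  return {
    length: password.length,
    charset: charsetSize(password),
    bits: Math.round(bits * 10) / 10,
    worstCaseSeconds: secondsToSearch(bits),
    expectedSeconds: secondsToSearch(bits, 0.5),
  };
}

// Constructed sample passwords, for illustration only.
const SAMPLES = {
  lower20: "qzjxkvwmbnplrtyhgfds", // 20 random lowercase letters
  mixed10: "aB3$kL9!xQ",           // 10 characters, all four classes
  mixed8: "xK7#mP2!",              // 8 characters, all four classes
  guessable: "Password1!",         // same score as mixed10, far weaker
};

for (const [name, pw] of Object.entries(SAMPLES)) {
  console.log(name, analyse(pw));
}
```

Treat the result as an upper bound: it holds only when every character is chosen independently and at random.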