MayoCalc / Tech

Password Strength Calculator

See how long it would take a computer to crack your password.

Your password never leaves your browser. Nothing is sent to any server.
Time to Crack
-
-
Length
0
Character Pool
0
Combinations
0
Disclaimer: This tool is provided for general educational and entertainment purposes only. Results are estimates and should not be relied upon for any critical decision. Neither MayoCalc nor Cook Media Systems assumes any liability for consequences arising from the use of this tool. By using this site, you agree to our Terms of Service and Disclaimer.

How Password Strength Is Measured

Password strength is measured in bits of entropy, which represents the number of guesses an attacker would need in a brute-force attack. Each bit of entropy doubles the number of possible passwords. A password with 40 bits of entropy has 2^40 (about 1 trillion) possible combinations. A password with 80 bits has 2^80 (about 1.2 x 10^24) combinations. Modern security standards recommend at least 60-80 bits of entropy.

Entropy = log2(Character Set Size ^ Password Length)
Example: 12 chars from 95 possible = log2(95^12) = 78.8 bits

How to Use This Calculator

Type or paste a password and the calculator instantly shows its entropy in bits, the estimated time to crack it at various attack speeds (from a personal computer to a nation-state attacker), the character set detected, and a strength rating (very weak to very strong). The password never leaves your browser; all analysis is done locally.

What Weakens a Password

Common words: "password123" can be cracked in milliseconds because it appears in every dictionary attack list. Personal information: Birthdates, pet names, and addresses are easily guessed by attackers who know you. Simple patterns: "qwerty," "123456," and keyboard walks are in every attack database. Short length: An 8-character password using all character types has only 47 bits of entropy, which modern GPUs can crack in hours. The Password Generator creates truly random passwords that avoid all these weaknesses.

Password Strength FAQ

How long does it take to crack my password?
It depends on the attack speed. A single modern GPU can try about 10 billion hashes per second against common hash types. At that speed, an 8-character random password (all types) takes about 2 hours. A 12-character password takes about 300 years. A 16-character password takes millions of years. Length is your best defense.

Password Security Fundamentals

Password strength is measured in bits of entropy, which represents the number of possible combinations an attacker must try. A truly random 8-character password using uppercase, lowercase, digits, and symbols has about 52 bits of entropy (approximately 6.6 quadrillion combinations). However, humans rarely create truly random passwords: common substitutions (@ for a, 3 for e, ! at the end) are well-known to attackers and add minimal security. Modern best practice recommends passphrases of 4+ random words (e.g., "correct horse battery staple"), which are both stronger and easier to remember than complex short passwords. A 4-word passphrase from a 7,776-word list provides approximately 51 bits of entropy. Password managers are the most practical solution for maintaining unique, strong passwords across hundreds of accounts.

How Password Cracking Works

Modern password cracking uses GPUs (graphics processing units) that can test billions of password hashes per second. A consumer-grade GPU can attempt approximately 10 billion MD5 hashes per second. Against this capability: a 6-character lowercase password (308 million combinations) falls in under a second, an 8-character mixed-case password (218 billion combinations) falls in about 22 seconds, and a 12-character password with all character types (475 trillion combinations) takes approximately 13 hours. Using a slow hashing algorithm like bcrypt or Argon2 reduces cracking speed by a factor of 10,000 or more.

Password patterns dramatically reduce effective entropy. Adding "123" to the end, capitalizing only the first letter, or substituting "@" for "a" are all patterns that cracking tools test automatically. The password "P@ssw0rd123!" has high character diversity but is trivially crackable because it follows predictable substitution patterns. Truly random passwords generated by this tool or a password manager avoid these exploitable patterns entirely.

Current Best Practices

NIST (National Institute of Standards and Technology) updated its password guidelines in 2020, recommending: minimum 8 characters (12+ preferred), no forced composition rules (e.g., "must include a symbol"), no periodic password rotation (which encourages weak incremental changes), and screening against lists of known compromised passwords. Passphrases (4-6 random words like "correct horse battery staple") offer high entropy with better memorability than random character strings. The Password Generator creates both random character passwords and passphrase-style passwords.

Related Calculators

Percentage Calculator

Quick math

Age Calculator

Exact age

Salary Calculator

Pay conversion