Password Entropy Calculator
Generate results with the Password Entropy — set your parameters and get cryptographically-random output instantly. Free, runs in browser, no data stored.
Reviewed by Daniel Agrici, Founder & Lead Developer
Formula
H = L * log2(N)
Where H = entropy in bits, L = password length (number of characters), and N = size of the character set (number of possible characters per position). Higher entropy means exponentially more combinations an attacker must try.
Worked Examples
Example 1: Random 16-Character Password
Problem:Calculate the entropy of a 16-character password using all ASCII printable characters (95 possible characters per position).
Solution:Entropy H = L * log2(N) = 16 * log2(95) = 16 * 6.57 = 105.1 bits\nPossible combinations = 95^16 = 4.40 * 10^31\nAt 1 billion guesses/second: time = 4.40 * 10^31 / (2 * 10^9) = 2.20 * 10^22 seconds = 697 trillion years
Result:Entropy: 105.1 bits | Strength: Very Strong | Crack Time: 697 trillion years
Example 2: 8-Character Lowercase Password
Problem:Calculate the entropy of an 8-character password using only lowercase letters (26 characters).
Solution:Entropy H = L * log2(N) = 8 * log2(26) = 8 * 4.70 = 37.6 bits\nPossible combinations = 26^8 = 208,827,064,576\nAt 1 billion guesses/second: time = 208,827,064,576 / (2 * 10^9) = 104.4 seconds
Result:Entropy: 37.6 bits | Strength: Weak | Crack Time: 1.7 minutes
Frequently Asked Questions
What is password entropy and why does it matter for security?
Password entropy is a mathematical measure of how unpredictable a password is, expressed in bits. Higher entropy means more possible combinations an attacker must try during a brute-force attack. Entropy is calculated using the formula H = L * log2(N), where L is the password length and N is the size of the character set used. A password with 40 bits of entropy has 2^40 (about 1 trillion) possible combinations. Security experts generally recommend at least 60 bits of entropy for important accounts. Understanding entropy helps you create passwords that are genuinely secure rather than ones that merely appear complex but follow predictable patterns.
How does character set size affect password strength?
The character set size (also called the alphabet size) dramatically impacts password entropy. Using only lowercase letters gives you 26 possible characters per position. Adding uppercase letters doubles it to 52. Including digits raises it to 62, and adding special characters pushes it to 95 printable ASCII characters. Each additional character class increases the bits per character from about 4.7 (lowercase only) to 6.57 (full ASCII). For a 12-character password, the difference between lowercase-only and full ASCII is roughly 23 bits of entropy, which translates to about 8 million times more possible combinations. This is why password policies often require mixed character types.
How long should a password be for adequate security?
Password length is the single most important factor in entropy because it has an exponential effect on the number of combinations. A 12-character password using the full ASCII set has about 79 bits of entropy, while an 8-character password with the same set has only 53 bits. NIST currently recommends a minimum of 8 characters, but most security professionals suggest at least 12 to 16 characters. For sensitive accounts like email or banking, 16 or more characters provide excellent protection. Passphrases of four to six random words can achieve 60 to 80 bits of entropy while being much easier to remember than random character strings.
What is the difference between entropy and password strength?
Entropy measures theoretical unpredictability assuming an attacker knows the password generation method but not the specific password. Password strength in practice also depends on factors entropy does not capture, such as whether the password appears in leaked databases, uses common substitution patterns like replacing the letter a with the at symbol, or contains personal information. A password like P@ssw0rd has decent theoretical entropy but is extremely weak in practice because it appears in virtually every password cracking dictionary. True strength combines high entropy with uniqueness and avoidance of predictable patterns and known compromised passwords.
References
Reviewed by Daniel Agrici, Founder & Lead Developer · Editorial policy