Free online password entropy calculator. Scientifically evaluate password strength using Shannon information entropy formula. Calculate entropy in bits, display character type distribution, estimate brute-force cracking time. Analyzes common patterns (repeated chars, sequences, common words). Pure frontend, passwords never leave your browser. Perfect for security assessment and account registration.
Enter Content: Type, paste, or upload the content you want to process. All processing happens locally in your browser — no data is uploaded to any server.
Configure Options: Adjust available options and settings to customize the output format.
Get Results: Copy the result or download the file once processing is complete. All processing is done locally — no data is uploaded to any server.
Password entropy measures password strength in bits — the 'amount of surprise' or unpredictability. Based on Shannon's information entropy formula: Total Entropy = length × log₂(character pool size). Example: an 8-character lowercase password (26 chars) has ~37.6 bits; a 12-character mixed-case+digits+special password (95 chars) has ~79.0 bits. Higher entropy means stronger password.
General guidelines: ① < 30 bits: Very weak — cracked instantly ② 30-40 bits: Weak — minutes to hours ③ 40-50 bits: Fair — days to months ④ 50-60 bits: Strong — years needed ⑤ 60+ bits: Very strong — uncrackable with current tech. NIST recommends at least 10 characters (~47 bits) for standard apps, 12+ characters (~57 bits) for critical systems. Note: actual security also depends on password not appearing in known breach data.
Long passwords with repeated characters (aaaaaaa), keyboard patterns (qwertyuiop), dictionary words (iloveyou123), or single character type (all lowercase) may have lower effective entropy. Reason: ① Repeated characters don't increase pool size ② Keyboard sequences are predictable patterns ③ Single type grows slowly (+4.7 bits per char for lowercase only). This tool detects such patterns and applies a penalty for a realistic entropy estimate.
Brute-force estimation assumes 100 billion guesses/second (offline) — equivalent to a modern GPU cluster (8× RTX 4090) targeting SHA256. Online attack rate (1000/s) simulates rate-limited login attempts. Note: this is a theoretical estimate — actual time depends on attacker hardware, hash algorithm (MD5 is much faster than bcrypt), and precomputed rainbow tables.
Absolutely not! Everything runs locally in your browser. Your password is only used in-memory for real-time entropy calculation and pattern analysis. No data is transmitted to any server, stored, or logged. All data disappears when you refresh or close the page. No keyboard input or clipboard data is ever collected.