How to Check Password Strength — Entropy & Security Guide

"Is my password strong enough?" — it's a question everyone asks but few can answer with certainty. The real measure of password strength isn't length or complexity alone — it's entropy. This guide explains how entropy-based password analysis works, what the numbers actually mean, and how to evaluate your passwords with confidence.

What Is Password Entropy?

Entropy measures the unpredictability of a password, expressed in bits. A password with 64 bits of entropy has 264 possible combinations — approximately 18.4 quintillion. The higher the entropy, the harder it is to brute-force.

The formula for password entropy is:

E = L × log₂(N)

Where E is entropy in bits, L is password length, and N is the size of the character pool.

For example, a 12-character password using lowercase letters, uppercase letters, digits, and symbols has a character pool of 94: 12 × log₂(94) ≈ 78.8 bits of entropy.

Character Pool Sizes

The character pool determines how many possible characters each position in the password can use:

CharsetPool Sizelog₂
Lowercase only (a-z)264.7 bits/char
Lower + Upper (a-zA-Z)525.7 bits/char
Letters + Digits (a-zA-Z0-9)625.95 bits/char
Full printable ASCII946.55 bits/char

Entropy Benchmarks

Not all entropy levels provide equal protection. Here's what different thresholds mean against modern cracking hardware:

EntropyStrengthApprox. Time to Crack
28 bitsWeakSeconds (online attack)
35 bitsFairHours to days
50 bitsStrongWeeks to months
65 bitsVery StrongCenturies (offline)
80+ bitsExtremely StrongBeyond brute-force reach

These estimates assume an attacker can try 10 billion hashes per second — realistic for MD5/SHA but much slower for Bcrypt (which processes only ~30,000 hashes/second on the same hardware).

Common Password Mistakes

  • Using dictionary words:"Password123!" has uppercase, lowercase, digits, and a symbol — but it's still weak because it appears in cracking dictionaries.
  • Simple substitutions:Replacing "a" with "@" or "o" with "0" doesn't help much. Modern crackers test these variations automatically.
  • Short passwords: A 6-character password with full ASCII has only ~39 bits of entropy. Length matters more than complexity.
  • Reusing passwords: Even a strong password becomes a liability if the same password is used across multiple sites.
  • Predictable patterns:"Summer2024!" follows a predictable pattern that's trivially guessable.

How to Build Strong Passwords

The most effective approach is using a password manager to generate and store truly random passwords. For memorable passwords, consider the passphrase method — combining 4-6 random words:

correct-horse-battery-staple

4 random words from a 2,000-word dictionary: 4 × log₂(2000) ≈ 44 bits. Add a number or symbol to reach 50+ bits.

Try It Online

Calculate Your Password's Entropy

Use ToolStack's free entropy calculator to measure your password strength in bits. See exactly how long it would take to crack with different attack methods.

Related Tools