How to Check Password Strength — Entropy & Security Guide
"Is my password strong enough?" — it's a question everyone asks but few can answer with certainty. The real measure of password strength isn't length or complexity alone — it's entropy. This guide explains how entropy-based password analysis works, what the numbers actually mean, and how to evaluate your passwords with confidence.
What Is Password Entropy?
Entropy measures the unpredictability of a password, expressed in bits. A password with 64 bits of entropy has 264 possible combinations — approximately 18.4 quintillion. The higher the entropy, the harder it is to brute-force.
The formula for password entropy is:
E = L × log₂(N)
Where E is entropy in bits, L is password length, and N is the size of the character pool.
For example, a 12-character password using lowercase letters, uppercase letters, digits, and symbols has a character pool of 94: 12 × log₂(94) ≈ 78.8 bits of entropy.
Character Pool Sizes
The character pool determines how many possible characters each position in the password can use:
| Charset | Pool Size | log₂ |
|---|---|---|
| Lowercase only (a-z) | 26 | 4.7 bits/char |
| Lower + Upper (a-zA-Z) | 52 | 5.7 bits/char |
| Letters + Digits (a-zA-Z0-9) | 62 | 5.95 bits/char |
| Full printable ASCII | 94 | 6.55 bits/char |
Entropy Benchmarks
Not all entropy levels provide equal protection. Here's what different thresholds mean against modern cracking hardware:
| Entropy | Strength | Approx. Time to Crack |
|---|---|---|
| 28 bits | Weak | Seconds (online attack) |
| 35 bits | Fair | Hours to days |
| 50 bits | Strong | Weeks to months |
| 65 bits | Very Strong | Centuries (offline) |
| 80+ bits | Extremely Strong | Beyond brute-force reach |
These estimates assume an attacker can try 10 billion hashes per second — realistic for MD5/SHA but much slower for Bcrypt (which processes only ~30,000 hashes/second on the same hardware).
Common Password Mistakes
- Using dictionary words:"Password123!" has uppercase, lowercase, digits, and a symbol — but it's still weak because it appears in cracking dictionaries.
- Simple substitutions:Replacing "a" with "@" or "o" with "0" doesn't help much. Modern crackers test these variations automatically.
- Short passwords: A 6-character password with full ASCII has only ~39 bits of entropy. Length matters more than complexity.
- Reusing passwords: Even a strong password becomes a liability if the same password is used across multiple sites.
- Predictable patterns:"Summer2024!" follows a predictable pattern that's trivially guessable.
How to Build Strong Passwords
The most effective approach is using a password manager to generate and store truly random passwords. For memorable passwords, consider the passphrase method — combining 4-6 random words:
correct-horse-battery-staple
4 random words from a 2,000-word dictionary: 4 × log₂(2000) ≈ 44 bits. Add a number or symbol to reach 50+ bits.
Try It Online
Calculate Your Password's Entropy
Use ToolStack's free entropy calculator to measure your password strength in bits. See exactly how long it would take to crack with different attack methods.
Related Tools
Password Entropy Calculator
Measure password strength by calculating entropy in bits. Find out how long your password would take to crack.
Password Generator
Generate cryptographically secure random passwords with custom length and character sets.
Bcrypt Generator
Hash passwords with Bcrypt for secure storage. Adjustable cost factors for your security needs.