Password Entropy Calculator
Password entropy measures how difficult a password is to guess through brute force, expressed in bits. A higher bit count means more possible combinations and a stronger password. This calculator computes entropy using the standard formula: multiply the password length by the log base 2 of the character pool size. The character pool is determined by which character types your password uses: lowercase letters (26), uppercase letters (26), digits (10), and symbols (32). Understanding entropy helps you choose passwords that resist automated cracking tools. Security professionals and system administrators use entropy as an objective measure when setting minimum password requirements. NIST Special Publication 800-63B recommends at least 64 bits for most online authentication scenarios.
Password entropy formula
Entropy (bits) = L * log2(R)
where L = password length, R = character pool size
The character pool R is the total number of unique character types used. Using lowercase only gives R = 26. Adding uppercase raises it to 52, adding digits to 62, and adding symbols to 94.
Entropy strength thresholds
- Below 28 bits: Very weak - crackable in seconds on modern hardware.
- 28 to 35 bits: Weak - suitable only for low-value temporary credentials.
- 36 to 59 bits: Reasonable - adequate for many consumer applications with rate limiting.
- 60 to 127 bits: Strong - suitable for most security-sensitive applications.
- 128 bits or above: Very strong - recommended for cryptographic keys and high-security systems.
Frequently asked questions
What is password entropy?
Password entropy is a measure of how unpredictable or random a password is, expressed in bits. Higher entropy means a stronger password that is harder to crack by brute force. It is calculated as the logarithm (base 2) of the total number of possible password combinations.
How is password entropy calculated?
Entropy (bits) = log2(R^L), which equals L * log2(R), where R is the size of the character set (pool of possible characters) and L is the password length. A password using all 95 printable ASCII characters and 12 characters long has roughly 78.9 bits of entropy.
How many bits of entropy is considered secure?
NIST guidelines (SP 800-63B) suggest that passwords used with online services should have at least 64 bits of entropy, while offline attack scenarios may require 80 bits or more. For high-security applications, 128 bits or above is recommended.
Does this calculator see my actual password?
No. All calculations run entirely in your browser using JavaScript. Your password never leaves your device and is not transmitted to any server. You can verify this by checking the page source or disconnecting from the internet before entering your password.
Why does character set size matter so much?
Each additional character type you use multiplies the possible combinations. Using only lowercase letters gives a pool of 26 characters, but adding uppercase (26), digits (10), and symbols (32) raises the pool to 94, dramatically increasing entropy even without increasing password length.
Official sources
- NIST: SP 800-63B Digital Identity Guidelines.
- CISA: Use Strong Passwords.
Reviewed by the CalculatorHub team, edited by James Graham, 14 June 2026. See our methodology.