Password Entropy Calculator

Measure the true strength of any password by calculating its entropy in bits and estimating how long it would take to crack at various attack speeds. All analysis happens locally in your browser — your password is never sent anywhere.

Enter Password to Analyze

What Is Password Entropy?

Password entropy is a mathematical measure of how unpredictable a password is, expressed in bits. Higher entropy means more possible combinations an attacker must try, making the password harder to crack. The formula is straightforward: entropy = length × log₂(pool size), where the pool size is the total number of possible characters.

Understanding entropy helps you make informed decisions about password policies for your home WiFi network, your router admin password, and any other credentials you manage. For generating strong passwords automatically, try our Password Generator.

Character Pool Sizes Explained

The character pool is the total set of characters your password could use. A larger pool dramatically increases entropy. Here is how each character type contributes:

Character Type	Pool Size	Examples	Entropy per Character
Lowercase only	26	a-z	4.70 bits
+ Uppercase	52	a-z, A-Z	5.70 bits
+ Digits	62	a-z, A-Z, 0-9	5.95 bits
+ Symbols	94	a-z, A-Z, 0-9, !@#$...	6.55 bits
+ Space	95	All printable ASCII	6.57 bits

Pro Tip: Adding just one character type to your pool can be more impactful than adding extra length. A 10-character password using all four types (62 bits) is stronger than a 12-character lowercase-only password (56 bits). For your WPA WiFi password, use a mix of all character types or a long passphrase.

Entropy Thresholds and Recommendations

Different security contexts require different entropy levels. Here are the recommended minimums based on the type of account or system you are protecting:

Entropy (bits)	Rating	Suitable For
< 28	Very Weak	Nothing — easily cracked in seconds
28-35	Weak	Throwaway accounts with no sensitive data
36-59	Fair	Standard websites with rate limiting
60-79	Strong	Email, banking, router admin
80+	Very Strong	Master passwords, encryption keys, VPN configurations

How Attackers Crack Passwords

Understanding attack methods helps you appreciate why entropy matters. Attackers use several strategies, each with different speeds:

Brute force — Trying every possible combination. This is where entropy directly determines crack time.
Dictionary attacks — Using lists of common passwords. The default router passwords list is a prime example of a dictionary that attackers check first.
Rule-based attacks — Applying common transformations (P@ssw0rd instead of password). These reduce effective entropy.
Rainbow tables — Precomputed hash lookups. Only work against unsalted hashes.
Credential stuffing — Reusing leaked passwords from data breaches on other sites.

For your network security, the weakest link is often the password itself. Use our WiFi Password Checker to verify your network credentials meet minimum standards.

Note: Entropy calculations assume the password is truly random. Human-chosen passwords are typically much weaker than their theoretical entropy suggests because humans follow patterns. A password like "Summer2024!" has a theoretical entropy of ~72 bits but is trivially guessed by rule-based attacks. Use a password generator for genuinely random credentials.

Passphrase vs Password Entropy

Passphrases — multiple random words strung together — offer an alternative approach to achieving high entropy while remaining memorable. A four-word passphrase from a 7,776-word dictionary (like Diceware) provides about 51 bits of entropy, while six words give approximately 78 bits.

# Example passphrase entropy calculation
# Dictionary: 7,776 words (Diceware)
# 4 words: log2(7776^4) = 51.7 bits
# 5 words: log2(7776^5) = 64.6 bits
# 6 words: log2(7776^6) = 77.5 bits

Passphrases are excellent for WiFi passwords where you need to type them on multiple devices. When enabling WPA3 on your router, a strong passphrase provides both security and convenience.

Improving Your Password Security

Based on the entropy analysis, here are actionable steps to strengthen your overall security posture:

Use a password manager — Generate and store unique random passwords for every account.
Enable two-factor authentication — Even strong passwords can be leaked. 2FA adds another layer.
Rotate critical passwords — Change your router admin password periodically and after any suspected breach.
Check for breaches — Verify your credentials have not appeared in data breaches.
Secure your network — Use WPA3 or WPA2-AES for WiFi, DNS over HTTPS for encrypted DNS, and a VPN on your router for full traffic encryption.
Separate networks — Put IoT devices on a separate network so a compromised smart device cannot reach your main machines.

Key Takeaways

Password entropy is calculated as length × log₂(character pool size), measured in bits.
Aim for at least 60 bits of entropy for important accounts and 80+ bits for master passwords.
Mixing character types (uppercase, lowercase, digits, symbols) dramatically increases pool size.
Human-chosen passwords are weaker than their theoretical entropy due to predictable patterns.
Passphrases of 5+ random words provide strong entropy with better memorability.
Use our Password Generator to create truly random, high-entropy passwords.

Video: How Password Cracking Works

Related Guides

Frequently Asked Questions

What is a good password entropy?

For general online accounts with rate limiting, 40-60 bits is acceptable. For important accounts like email and banking, aim for 60-80 bits. For master passwords and encryption keys, target 80+ bits. Use our calculator above to check your specific passwords.

Does password length matter more than complexity?

Both matter, but length has a more predictable impact. Each additional character multiplies the total combinations by the pool size. However, mixing character types increases the pool size, which also multiplies per character. The ideal approach is to use both length and complexity. A 16-character mixed password is far stronger than either an 8-character complex one or a 20-character lowercase one.

Is my password sent to a server for analysis?

No. All entropy calculations happen entirely in your browser using JavaScript. Your password never leaves your device. You can verify this by disconnecting from the internet and using the tool offline.

Why does the crack time differ from other tools?

Different tools use different assumptions for attack speed. Our calculator shows multiple attack scenarios from slow online attacks (1,000 guesses/second) to theoretical supercomputer-level speeds (1 trillion guesses/second). Real-world crack times depend on the specific hashing algorithm used, the attacker's hardware, and whether salting is applied.

How does this differ from password strength checkers?

Most password strength meters use heuristic rules (minimum 8 characters, must include a number, etc.). Entropy calculation is a more rigorous mathematical approach that quantifies the actual search space an attacker must exhaust. However, entropy assumes random generation — human patterns reduce real-world security below theoretical entropy.

What entropy does my WiFi password need?

For WPA2/WPA3 WiFi passwords, aim for at least 60 bits of entropy. Since WiFi passwords can be attacked offline after capturing a handshake, you need higher entropy than online-only accounts. A 12+ character mixed password or a 5+ word passphrase meets this threshold. Check our WPA2 vs WPA3 guide for more details.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.