Worked example: 16 random printable characters
The server-rendered example uses length 16, lowercase, uppercase, digits, and symbols. The character pool is 26 + 26 + 10 + 33 = 95.
Entropy is 16 x log2(95) = 105.1 bits.
Average offline guesses are 2^(105.1 - 1), or about 22,006,333,432,588,335,000,000,000,000,000 guesses.
At 10,000,000,000 guesses per second, the average offline crack time is about 10^13.8 years. The online model reaches the 100-attempt lockout limit long before the average search.
How the password strength estimate works
The manual estimate uses entropy = length x log2(character pool). The typed-password estimate detects lowercase, uppercase, digits, symbols, and non-ASCII characters locally, then applies small penalties for common words, repeats, years, sequences, and keyboard patterns.
Offline crack time vs online guessing
Offline crack time assumes an attacker can try guesses against a stolen password hash. Online guessing assumes attempts go through a login page with rate limiting, lockouts, bot checks, and monitoring. A strong service should make online guessing much slower than offline guessing.
What this calculator cannot prove
It cannot prove that a password is safe, detect all breached passwords, inspect a service hash algorithm, or account for every attacker strategy. Use it as a planning model, not a guarantee.
What to do next
Create a long unique password in a password manager, enable MFA, avoid reuse, and replace any password that appears in a breach audit or was shared across sites.