Calculators

Everyday utility

Password Strength and Crack-Time Calculator

Estimate entropy, offline crack time, online throttling risk, and safer password improvements without submitting the password.

When to use this

Use it before changing a real account password

This tool is for comparing password length, character set, obvious patterns, offline hash cracking, and online login throttling before you choose a stronger unique password.

Default manual result

A 16-character random printable password has about 105.1 bits and an offline average crack time of about 10^13.8 years at 10,000,000,000 guesses per second.

Check password strength

Type a password for local analysis, or leave it blank and use the manual estimate controls.

The share result excludes the typed password.

Manual character set

Character pool

95 characters

Manual estimate is active until you type a password.

Pattern penalty

0.0 bits

Typed passwords are checked for simple local patterns.

Next step

Use a manager-generated password

Long, unique, random credentials beat reused or memorable passwords.

Worked example: 16 random printable characters

The server-rendered example uses length 16, lowercase, uppercase, digits, and symbols. The character pool is 26 + 26 + 10 + 33 = 95.

Entropy is 16 x log2(95) = 105.1 bits.

Average offline guesses are 2^(105.1 - 1), or about 22,006,333,432,588,335,000,000,000,000,000 guesses.

At 10,000,000,000 guesses per second, the average offline crack time is about 10^13.8 years. The online model reaches the 100-attempt lockout limit long before the average search.

How the password strength estimate works

The manual estimate uses entropy = length x log2(character pool). The typed-password estimate detects lowercase, uppercase, digits, symbols, and non-ASCII characters locally, then applies small penalties for common words, repeats, years, sequences, and keyboard patterns.

Offline crack time vs online guessing

Offline crack time assumes an attacker can try guesses against a stolen password hash. Online guessing assumes attempts go through a login page with rate limiting, lockouts, bot checks, and monitoring. A strong service should make online guessing much slower than offline guessing.

What this calculator cannot prove

It cannot prove that a password is safe, detect all breached passwords, inspect a service hash algorithm, or account for every attacker strategy. Use it as a planning model, not a guarantee.

What to do next

Create a long unique password in a password manager, enable MFA, avoid reuse, and replace any password that appears in a breach audit or was shared across sites.

Reference data used by the defaults

Topic Reference value Source Date Note
Password length guidance NIST SP 800-63B says verifiers shall require at least 15 characters for passwords used as a single factor and at least 8 characters when passwords are used with MFA. NIST SP 800-63B As of June 20, 2026; document dated August 26, 2025 This calculator rewards length, but it does not replace service-specific policy.
Composition rules NIST says verifiers shall not impose password composition rules and should permit long passwords, printable ASCII characters, spaces, and Unicode. NIST SP 800-63B As of June 20, 2026; document dated August 26, 2025 The tool shows character-set math, but the practical advice favors long unique passwords or passphrases over forced symbol rules.
Blocklists NIST requires comparison against a blocklist that includes common, expected, or compromised passwords. NIST SP 800-63B As of June 20, 2026; document dated August 26, 2025 The client-side checker includes simple pattern penalties, but it is not a breach-password lookup.
Online throttling NIST requires rate limiting after failed authentication attempts and sets 100 consecutive failed attempts as an upper bound. NIST SP 800-63B As of June 20, 2026; document dated August 26, 2025 The online result is separated from offline cracking because server-side throttling changes the risk model.
Password storage NIST says verifiers shall store passwords in a salted, hashed form with an approved one-way key derivation function. NIST SP 800-63B As of June 20, 2026; document dated August 26, 2025 The offline guess-rate input is editable because hash algorithms, hardware, and cost factors vary widely.

FAQ

Is my password sent anywhere?

No. The typed-password check runs in browser JavaScript on this static page. The share text never includes the password.

Is the crack-time estimate exact?

No. Crack time depends on attacker hardware, hash algorithm, salt and work factor, leaks, reuse, guessing strategy, and whether the service rate-limits attempts.

Why does the calculator show offline and online risk separately?

Offline cracking assumes an attacker has a password hash and can guess quickly. Online guessing goes through a live login system, where rate limits and lockouts should stop fast guessing.

Why does NIST not require symbols?

NIST guidance rejects forced composition rules because they can produce predictable patterns. Long unique passwords, blocklists, MFA, and password managers are usually more useful.

What is the fastest way to improve a weak password?

Use a password manager to create a longer unique password, avoid reused or breached passwords, enable MFA, and make the password longer before worrying about decorative symbols.

Can this check breached passwords?

No. It includes simple local pattern penalties only. Use a trusted breach-checking workflow or password manager audit when you need compromised-password detection.

Decision path

What to do next