Free · Fast · Privacy-first

How Strong Is My Password? Understanding Password Strength

Password strength is not a vague feeling, it is a calculation grounded in mathematics and a clear threat model.

Plain English explanation of password entropy

🔒

Crack time estimates for common password types

The factors that actually matter for password security

Actionable guidance for stronger passwords

Cost
Free forever
Sign-up
Not required
Processing
In your browser
Privacy
Files stay local
FreeNo signupWhite-label

Add this Password Generator to your website

Drop the Password Generator into any page — blog post, product docs, intranet, school portal — with a single line of HTML. Your visitors get the full tool, processed entirely in their browser. No backend, no uploads, no signup.

  • Files stay 100% in the visitor's browser
  • Responsive — adapts to any container width
  • Free forever, no API key needed

Embed code

<iframe
  src="https://www.fixtools.io/utilities/password-generator?embed=1"
  width="100%"
  height="780"
  frameborder="0"
  style="border:0;border-radius:16px;max-width:900px;"
  title="Password Generator by FixTools"
  loading="lazy"
  allow="clipboard-write"
></iframe>

Attribution-friendly: a small "Powered by FixTools" link appears in the embed footer.

Calculating Password Strength: Entropy, Crack Times, and What Actually Matters

Password strength is measured in bits of entropy, a single number that represents how unpredictable a password is to an attacker who knows the construction rules but not the specific value. The formula is straightforward. Entropy equals the base two logarithm of S raised to the power L, where S is the size of the character set the password was drawn from and L is the length of the password in characters. A password drawn from lowercase letters only, where S equals twenty six, at eight characters in length has approximately thirty seven point six bits of entropy. A password drawn from all ninety four printable ASCII characters at sixteen characters in length has approximately one hundred and five bits of entropy. The security difference between these two examples is enormous, because each additional bit of entropy doubles the number of guesses an attacker must make to find the password by brute force. Moving from thirty seven bits to one hundred and five bits multiplies the work factor by roughly two hundred and ninety five quintillion, a number so large that it ceases to have an intuitive meaning.

Crack time estimates depend heavily on the specific attack scenario you are defending against, and treating crack times as a single universal number is a common mistake that leads to wrong conclusions. In an online attack, where an attacker is guessing passwords through a real login form that imposes rate limiting, account lockouts, CAPTCHA challenges, and similar friction, even a relatively short password may be practically safe because the maximum attempt rate is bounded at a few attempts per second at best. In an offline attack, where the attacker has obtained a leaked hash of your password through a database breach, modern graphics processing unit clusters can test billions of candidate passwords per second with no rate limiting whatsoever. NIST SP 800-63B and most serious security researchers calibrate their strength recommendations around offline attack resistance because that is the scenario that makes bulk credential breaches dangerous. For offline attack resistance, a minimum of eighty bits of entropy is the widely cited threshold for a password to be considered strong.

Beyond raw entropy, practical password strength also depends critically on whether the password was constructed using patterns that attackers know about and search for first. A password like Summer2024! has eleven characters and includes uppercase, lowercase, digits, and a symbol, which superficially looks like it should be strong. Its actual security against a realistic attacker is far lower than the naive entropy calculation suggests, because it follows a pattern of season followed by year followed by symbol that appears in every modern password cracking dictionary and rule set. Password crackers run pattern based attacks long before they fall back to pure brute force, and patterns based on dates, names, common substitutions like at sign for letter a, and predictable structural rules are exhausted within seconds on commodity hardware. A truly random twelve character password is dramatically more resistant to cracking than a fourteen character password constructed from a personal phrase, even though the longer password looks superficially stronger.

A final consideration that often goes unmentioned is the role of prior breach exposure. A password that has appeared in a published data breach, even one from years ago, is now in every serious password cracker dictionary. From the attacker perspective, the password is functionally equivalent to a list lookup rather than a search problem. A previously breached password with twenty characters of mixed types is cracked the instant the attacker reaches the leaked credential dictionary in their attack pipeline, which happens within the first few seconds of any modern offline attack. The HaveIBeenPwned Passwords service lets you check whether a specific password has appeared in known breaches without transmitting the full password, and any positive match means the password should be retired immediately regardless of how strong it looks on paper.

How to use this tool

💡

After reading this guide, use the FixTools Password Generator to create passwords that meet the strength criteria described here.

How It Works

Step-by-step guide to how strong is my password? understanding password strength:

  1. 1

    Calculate your password's character space

    Determine the character set size the password was drawn from. Lowercase letters only is twenty six characters. Adding uppercase brings it to fifty two. Adding digits brings it to sixty two. Adding common symbols brings it to ninety four. The larger the character space and the longer the password, the more total possible combinations exist and the harder the password is to brute force.

  2. 2

    Estimate entropy in bits

    Apply the formula entropy equals log base two of character space raised to the power length. Sixty bits is acceptable for most online accounts protected by rate limiting. Eighty bits is the widely cited threshold for offline attack resistance. One hundred bits or more provides a substantial margin against foreseeable advances in cracking hardware over the next decade.

  3. 3

    Check for known patterns

    Inspect the password for predictable structural patterns such as dictionary words, dates, name plus number combinations, sequential digits, or letter for symbol substitutions like at sign for a. If any are present, the real security is far lower than the entropy calculation suggests, because pattern based attacks exhaust these constructions in seconds on modern hardware before pure brute force begins.

  4. 4

    Generate a replacement if needed

    If your analysis reveals that an existing password falls short on either entropy or pattern resistance, replace it. Use the FixTools Password Generator to create a fresh credential of adequate length drawn from a wide character pool by cryptographic randomness, then update the corresponding account and save the new value into your password manager.

Real-world examples

Common situations where this approach makes a real difference:

Security audit preparation

A security conscious user preparing to conduct a personal credential audit reads this guide first so they have a concrete framework for categorising their existing passwords. They use the entropy formula to estimate the true strength of each stored password, sort the list by weakness, and prioritise replacing the lowest entropy credentials on the highest value accounts before working through the long tail of less critical logins.

Team security training

A security manager preparing a fifteen minute lunch and learn session on password hygiene uses the entropy framework from this guide as the backbone of their explanation. The plain English version of bits of entropy and crack time gives non technical staff a mental model that lets them evaluate their own passwords confidently, rather than walking away with a vague impression that longer is better but no concrete number to aim for.

Password policy design

A developer designing the password requirements for a new application uses this guide to set policy based on actual entropy targets such as a minimum of sixty bits combined with a breach list check, rather than copying the arbitrary complexity rules that other applications use. The result is a policy that delivers real security without frustrating users into adopting predictable patterns just to satisfy a checklist.

When to use this guide

Read this guide to understand whether your existing passwords are truly strong, or before creating important passwords to know what to aim for.

Pro tips

Get better results with these expert suggestions:

1

Run a personal password audit once a year

Set a recurring annual reminder to review every password stored in your manager and flag any that are shorter than sixteen characters, reused across multiple sites, or older than two years. Prioritise replacing the credentials for email, banking, and the password manager itself first because those accounts gate access to everything else, then work through the rest in descending order of value. A systematic annual review prevents the slow drift of credential hygiene that otherwise accumulates unnoticed over years.

2

Check passwords against the HaveIBeenPwned database

The HaveIBeenPwned Passwords API lets you check whether a specific password has appeared in known data breaches without transmitting the full password to the service. The API uses a k anonymity model where only the first five characters of the password hash are sent, and the service returns all matching hash suffixes for you to compare locally. If a password you use appears in the breach database, replace it immediately regardless of how strong its entropy looks, because exposure in a breach is independent of strength.

3

Treat visual strength meter scores with scepticism

Most password strength meters embedded in sign up forms measure only the most superficial properties such as length, character type variety, and the presence of obvious dictionary words. They do not detect subtle patterns like season plus year plus symbol or name plus birth year constructions that are weak in practice but score high on these meters. A green strength bar does not guarantee genuine strength, and only true randomness combined with adequate length actually delivers the security the meter implies.

4

Design password policies around entropy, not complexity rules

If you have responsibility for setting password requirements in an application or organisation, base your policy on minimum entropy targets such as sixty or eighty bits combined with a breach list check, rather than arbitrary rules like must contain at least one symbol. NIST SP 800-63B explicitly recommends against complexity rules and in favour of length minimums combined with breach checks. Complexity rules frustrate users into predictable workarounds without meaningfully improving security in any measurable way.

5

Length is the most important factor

Each additional character of length increases the number of possible passwords exponentially. A 20-character lowercase-only password is vastly stronger than an 8-character password with every symbol type.

6

Avoid substitutions and patterns

"P@ssw0rd" is not strong. Attackers know about substitution patterns (@ for a, 0 for o, 3 for e) and they are included in all modern password dictionaries. These modifications provide almost no additional security.

7

Complexity alone is not enough without length

An 8-character password that uses all character types can be cracked in hours with modern hardware. The same password extended to 16 characters would take decades. Always prioritise length first, then complexity.

FAQ

Frequently asked questions

Password entropy is a quantitative measure of how unpredictable a password is to an attacker who knows the construction rules but not the specific value. It is expressed in bits and calculated as the base two logarithm of the character set size raised to the power of the password length. Higher entropy means more possible passwords and a correspondingly harder brute force search problem. Entropy is the most useful single number for comparing the strength of two random passwords of different lengths or character sets.
The honest answer is that it depends entirely on the attacker hardware and on whether they have a hashed version of your password from a database breach or must guess through a live login form. Online attacks limited by network round trips and account lockouts make even moderately short passwords viable because the attacker cannot exceed a few attempts per second. Offline attacks on leaked hashes using modern GPU clusters can test billions of candidates per second, which makes anything below eighty bits of entropy vulnerable within feasible timeframes.
Not necessarily, and over reliance on strength meters is one of the most common reasons users end up with weak passwords that they believe are strong. Most strength meters apply simple rules such as length greater than eight, contains a symbol, contains a digit, which are easily satisfied by weak passwords like P at sign ssword one. True strength requires both adequate length and genuine randomness, properties that simple visual meters cannot detect reliably. Only cryptographic generation gives a strong guarantee.
Strong passwords prioritise entropy through length and randomness, with no concern for whether a human can recall the value. Memorable passwords prioritise human recallability, often at the cost of patterns that reduce real security. Passphrases are the most effective tool when you need both properties simultaneously, because they achieve high entropy through the number and randomness of word choices while remaining memorable through the natural structure of words as memory chunks.
For most online accounts protected by reasonable rate limiting and account lockouts, sixty bits provides adequate protection against opportunistic attacks. For offline attack resistance in the scenario where a database breach exposes a hashed version of your password, eighty or more bits is the widely cited threshold and is the right target for any credential whose hash might end up in a leak. For long term security of critical accounts such as your password manager master password, aim for one hundred bits or more.
Modern password cracking tools apply rule based attacks long before they attempt pure brute force. The rule sets include dictionary words, common phrases, number substitutions, predictable suffixes such as exclamation marks and digits, and combinations of all of these patterns. A twenty character password built from real words and predictable constructions can be cracked in seconds by a rule based attack despite its apparent length. Genuine randomness rather than length alone is what defeats these attacks at any scale.
Yes, dramatically, because a password manager removes the memorisation constraint that otherwise forces people to create passwords they can recall. Without a manager, even motivated users tend to create passwords with internal patterns that aid memory at the cost of true strength. With a manager, you can use fully random twenty character passwords for every individual account because you never need to type them from memory, and the manager handles autofill across all your devices.
A breached password is one that has appeared in a published data breach and is therefore in every serious password cracker dictionary. From the attacker perspective the password is now a list lookup rather than a search problem, which makes its effective strength essentially zero regardless of its original entropy. A long password that was breached in a previous hack is instantly crackable because the breach dictionary is the first thing every modern attack tries before falling back to brute force.
It helps far less than people expect because the gain in entropy from a larger character set scales linearly with length, whereas the loss from short length compounds exponentially. An eight character password using all ninety four printable characters has roughly fifty two bits of entropy, which is well below the eighty bit threshold for offline attack resistance. The same password extended to sixteen characters reaches one hundred and five bits and is comfortably strong, illustrating that length is the dominant factor.
A long lowercase only password is generally safer than a short complex one if both follow random construction. A twenty character lowercase only password has approximately ninety four bits of entropy. An eight character password using all ninety four printable characters has only fifty two bits. The lowercase password is more than two to the power forty times harder to crack despite using a smaller character set, because the length advantage dwarfs the character set disadvantage in any realistic comparison.

Ready to get started?

Open the full Password Generator — free, no account needed, works on any device.

Open Password Generator →

Free · No account needed · Works on any device