Calculate password combinations, entropy bits, and brute-force crack time. Compare password length and character set impacts on security strength.
A password's security depends on two factors: length and character pool size. A password of length L drawn from a pool of P characters has P^L possible combinations. This calculator computes the total combinations, entropy in bits, and estimated brute-force crack time for any password configuration.
Select which character sets to include (lowercase, uppercase, digits, symbols), set the password length, and see how many combinations exist. The entropy comparison tables show exactly how much security you gain from adding one character or enabling symbols. The crack-time estimate assumes a specified brute-force speed (default: 1 billion attempts per second).
This tool is essential for security professionals evaluating password policies, developers designing authentication systems, and anyone wanting to understand how password parameters affect security. Check the example with realistic values before reporting. Use the steps shown to verify rounding and units. Cross-check this output using a known reference case. Use the example pattern when troubleshooting unexpected results.
Password security is often misunderstood. People overestimate the value of complexity requirements and underestimate the power of length. This calculator makes the math concrete: you can see that a 12-character lowercase password has more combinations than an 8-character mixed-case password with digits. The comparison tables make policy trade-offs immediately clear.
Total Combinations = P^L where P = character pool size, L = password length Entropy = L × log₂(P) bits Average brute-force attempts = P^L / 2 Crack time = P^L / (2 × attempts_per_second) Common pool sizes: Digits: 10, Lower: 26, Mixed alpha: 52, Alphanumeric: 62, All printable ASCII: 94
Result: 218,340,105,584,896 combinations, 47.6 bits entropy
An 8-character alphanumeric password (62^8) has about 218 trillion combinations and 47.6 bits of entropy. At 1 billion guesses/second, average crack time is about 30 hours. Adding symbols (94^8 = 6 quadrillion) would increase entropy to 52.4 bits and crack time to 36 days.
Password security is fundamentally a combinatorics problem. P^L total possibilities means an attacker must try, on average, P^L/2 passwords. The logarithmic measure (entropy = L × log₂P) lets us compare passwords across different pool sizes and lengths on a uniform scale.
Each additional character adds log₂P bits of entropy. For alphanumeric (P=62), each character adds ~5.95 bits. Going from 8 to 12 characters adds 23.8 bits — that's 2^23.8 ≈ 14.8 million times harder to crack. Mandatory symbols increase pool from 62 to 94, adding only log₂(94/62) ≈ 0.6 bits per character — negligible compared to adding length.
Online attacks (rate-limited to ~100/sec): Even a 6-char alphanumeric password survives ~18 years on average. Offline attacks (10 billion/sec): need 80+ bits for adequate security. State-level attacks (custom hardware, 10¹⁵/sec): need 100+ bits. The attack speed determines the security threshold.
10^4 = 10,000 combinations. At even 1,000 attempts per second, all PINs can be tried in 10 seconds. PINs rely on lockout mechanisms (e.g., 3 attempts then lock) rather than combinatorial security.
For random passwords, yes — each additional character multiplies security. But human-chosen long passwords often use predictable patterns ("password123456") that don't provide the full theoretical entropy.
Entropy measures the number of bits needed to represent all possible passwords. 40 bits = 2^40 ≈ 1 trillion combinations. Higher entropy means more guesses needed. It's computed as length × log₂(pool size).
Modern GPU-based cracking (using hashcat) achieves billions of hashes per second for common hash functions like SHA-256 or MD5. For bcrypt with cost factor 12, it drops to ~thousands per second.
Adding symbols increases the pool from 62 to 94 chars (51% increase). But adding 2 characters of length (keeping 62-char pool) multiplies combinations by 62² = 3,844. Length usually wins.
Randomness and length. A 16+ character random password from a 62+ character pool provides 95+ bits of entropy. Combined with a slow hash function (bcrypt, Argon2), this is effectively uncrackable even with nation-state resources.