Overview

Measure password length, charset pool, brute-force bits and Shannon entropy, then estimate crack time under online, offline-KDF and GPU attacker models.

📘 How to Use

  1. Type the password you want to assess into the input field
  2. Pick an attacker model (online, offline KDF, or GPU)
  3. Read the charset pool, Shannon entropy, and estimated crack time

Password Shannon Entropy Calculator

Input is processed locally in your browser.

※ Brute-force entropy = length × log2(charset pool size). Shannon entropy reflects per-character information content from observed frequencies.

※ These are approximations and ignore dictionary, leak-based and personal-data attacks. In production, combine a password manager with multi-factor authentication.


Password Shannon Entropy Calculator | Charset Pool, Shannon Bits, Per-Model Crack Time

Compute a password's length, charset pool, brute-force entropy (bits) and Shannon entropy (bits per character), then see estimated crack time under three attacker models in a single view. Built to expose the gap between how complex a password looks and how hard it actually is to guess.

💡 About this tool

Most strength meters give you a green bar and call it a day. That tells you almost nothing about which threat you are defending against. A password that survives an online login form for centuries can fall in hours once an attacker steals the hash and runs it on a GPU rig. This calculator splits those scenarios apart instead of collapsing them into one score.

Two numbers do the heavy lifting. Brute-force entropy is length × log2(charset pool size) — the theoretical ceiling assuming the attacker enumerates every combination in your character set. Shannon entropy is computed from the actual character frequencies in your input, so repeated or skewed characters pull it down. When the two diverge, that gap is your hint that the password looks busier than it really is (think aaaa1111 versus k7Qm9xZr).

The three attacker models differ by orders of magnitude in guess rate: online (~10^4/s) models a rate-limited endpoint, offline KDF (~10^10/s) models a stolen hash protected by a slow KDF like bcrypt, and offline GPU (~10^12/s) models a fast single-round hash such as SHA-256 cracked on GPU clusters. Toggling between them shows why "salt your hashes and use bcrypt" is not just folklore — the same password can shift from minutes to millennia.
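The calculation described in the two paragraphs above, as an added example (not this tool's own source code). The +32 symbol and +1000 Unicode increments and the three guess rates are the page's; the 26/26/10 pool sizes for letters and digits, counting space as a symbol, and all function names are assumptions.

```javascript
// Added example. Guess rates (guesses/second) are the three models named on the page.
const RATES = { online: 1e4, offlineKdf: 1e10, offlineGpu: 1e12 };

// Sum the size of every character class that appears at least once.
function charsetPool(chars) {
  let lower = false, upper = false, digit = false, symbol = false, unicode = false;
  for (const ch of chars) {
    const cp = ch.codePointAt(0);
    if (cp > 0x7e) unicode = true;
    else if (cp >= 0x61 && cp <= 0x7a) lower = true;
    else if (cp >= 0x41 && cp <= 0x5a) upper = true;
    else if (cp >= 0x30 && cp <= 0x39) digit = true;
    else symbol = true; // remaining ASCII, space included (assumption)
  }
  return (lower ? 26 : 0) + (upper ? 26 : 0) + (digit ? 10 : 0) + // assumed sizes
         (symbol ? 32 : 0) + (unicode ? 1000 : 0);                // sizes from the page
}

// Shannon entropy in bits per character, from observed frequencies.
function shannonPerChar(chars) {
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function assess(password) {
  const chars = Array.from(password); // iterate by code point, not UTF-16 unit
  if (chars.length === 0) {
    return { length: 0, pool: 0, bruteBits: 0, shannonPerChar: 0, shannonTotal: 0, crackSeconds: {} };
  }
  const pool = charsetPool(chars);
  const bruteBits = chars.length * Math.log2(pool);
  const perChar = shannonPerChar(chars);
  const crackSeconds = {};
  for (const [model, rate] of Object.entries(RATES)) {
    crackSeconds[model] = Math.pow(2, bruteBits) / rate; // full keyspace: an upper bound
  }
  return { length: chars.length, pool, bruteBits, shannonPerChar: perChar,
           shannonTotal: perChar * chars.length, crackSeconds };
}

// The page's own pair: same length, very different character diversity.
for (const pw of ["aaaa1111", "k7Qm9xZr"]) console.log(pw, assess(pw));
```

For the pair above, brute-force entropy differs by only about 6 bits, while Shannon entropy per character is 1 bit against 3 bits, which is the divergence the text describes.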

🧐 Frequently Asked Questions

Which number actually matters, brute-force or Shannon entropy?
For a practical strength threshold, use brute-force entropy (total bits). Under 60 bits is shaky; 128+ bits is classified as very strong here. Treat Shannon as a sanity check that flags low-diversity inputs.

Does adding one symbol really help?
Including any ASCII symbol adds 32 to the charset pool, which bumps the per-character log2 term once. Adding length adds that term per extra character, so a longer passphrase almost always beats sprinkling in a !.

Why is my crack time shown in centuries?
It is an upper bound assuming pure brute force. It ignores dictionary attacks, credential-stuffing against breached lists, and personal-data guessing. A high-entropy password that already appears in a leak database is cracked instantly regardless of the bits.

How are Unicode characters handled?
Any code point above the printable ASCII range adds 1000 to the pool as an approximation. It raises the theoretical entropy, but input-method and compatibility friction usually make length the more reliable lever.

Is my password sent anywhere?
No. Charset detection, entropy math, and time estimates all run in JavaScript inside your browser. The value you type is never transmitted to a server.

📚 Fun Facts

The whole idea traces back to Claude Shannon's 1948 paper, where entropy measured the unpredictability of a message in bits — long before anyone applied it to passwords. Modern guidance has since moved on: NIST SP 800-63B now discourages mandatory periodic resets and arbitrary composition rules, recommending length and breach-list screening instead. The reason is behavioral — forcing "one uppercase, one symbol" nudges people toward predictable patterns like Password1!, which look entropic to a meter but are near the top of every cracking wordlist.