This page estimates the entropy of a password supplied in the form, using zxcvbn by Dropbox. Unlike traditional password meters, the estimate is based on entropy and actual brute force cracking numbers.

This site does not log passwords! If you don't believe me, save this web page to your disk, disconnect your network, and run it locally offline. Or just don't use it. If you view the source, you'll see everything is calculated in JavaScript locally.

According to https://tools.ietf.org/html/rfc4086#section-8.1, which is an RFC on best current practices for online security, passwords should contain at least 29-bits of security to thwart an online brute-force search with a login prompt.

If you need a password generator, I built one in JavaScript that generates nine different passwords. Check it out at https://ae7.st/g/.

However, when databases are compromised and leaked to the Internet, offline password cracking can work much faster than online brute force searches. The following are three actually implemented brute force searching speeds:

The Distributed.net project working on RC5-72 (a distributed network):

700 billion keys per second.

The Bitcoin network calculating SHA-256 hashes (the upper limits of several well-funded organizations working in concert):

2 quintillion SHA-256 hashes per second.

For offline password cracking security, passwords should have a minimum of 80-bits of entropy, and for good safety margins, at least 88-bits of entropy.

The entropy of a supplied password is fed to each of these scenarios to see how long the password would last in a brute force search. Learn more about entropy at https://pthree.org/?p=3492/.

This password has approximately: -bits of entropy.

There is very likely not enough energy in the known universe to completely brute force 256-bits, let alone this password. To prove this to you, I'll defer to the laws of thermodynamics.

The amount of energy it takes to do any work is kT, where "k" is Boltzmann's constant of 1.38E-16 erg/Kelvin, and "T" is the absolute temperature of the system.

An ideal computer would run at the temperature of outer space, which is 2.7 Kelvin. To run a colder computer would require extra energy to power a cooler. Thus, flipping a single bit from "0" to "1" would require 3.76E-16 ergs of energy.

The Sun in our Solar System outputs about 1.21E41 ergs of energy every year. Thus, you could flip every bit in a 187-bit password per year, if you could use that energy.

A supernova is calculated to release something around 10^44 Joules or 10^51 ergs of energy. Thus, you could flip every bit in a 220-bit password in a single orgy of computation.

A hypernova is calculated to release something around 10^46 Joules or 10^53 ergs of energy. Thus, you could flip every bit in a 227-bit password in a single orgy of computation. This computation orgy is turned up to 11.

What does this mean? Unless your computer is using energy from somewhere outside of our known universe, it is strongly implied that you cannot flip every bit in 256-bits to completion.

Thus, to 100% guarantee that this password is found, it would take:

Cluster

Processing Time

8 Nvidia GTX 1080 GPUs

The distributed.net cluster

The Bitcoin network

This is dependent on the password hashing function, however. If the password was stored with a password-specific hashing function, such as bcrypt, these estimates could be greatly increased with an appropriate work factor.
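
The arithmetic behind the estimates above, as an added example that is not this page's own script: it computes the worst-case time to exhaust a keyspace at the two guess rates quoted on the page and reproduces the 187-, 220- and 227-bit thermodynamic figures from the page's energy numbers. Function names and the Julian-year constant are assumptions.

```javascript
// Added example, not the page's own script. Rates and energies are the
// figures quoted on the page; all function names are illustrative.
const SECONDS_PER_YEAR = 31557600;          // Julian year (assumption)
const RATES = {                             // guesses per second
  'distributed.net (RC5-72)': 700e9,
  'Bitcoin network (SHA-256)': 2e18,
};
const ERGS_PER_BIT_FLIP = 3.76e-16;         // kT at 2.7 K, as stated on the page

// Worst case: seconds to try all 2^bits candidates at `rate` guesses/s.
// Computed as 2^(bits - log2(rate)) so the intermediate stays small.
function secondsToExhaust(bits, rate) {
  return Math.pow(2, bits - Math.log2(rate));
}

// Smallest whole bit count whose keyspace outlasts `years` of searching.
function bitsToSurvive(years, rate) {
  return Math.ceil(Math.log2(rate * SECONDS_PER_YEAR * years));
}

// Largest n such that an energy budget pays for 2^n bit flips.
function countableBits(ergs) {
  return Math.floor(Math.log2(ergs / ERGS_PER_BIT_FLIP));
}

// Render a duration in the largest unit that fits, to 3 significant digits.
function humanize(seconds) {
  const units = [['years', SECONDS_PER_YEAR], ['days', 86400],
                 ['hours', 3600], ['minutes', 60]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// Constructed sample entropies: the RFC 4086 online floor and the page's
// two offline recommendations.
for (const bits of [29, 80, 88]) {
  for (const [name, rate] of Object.entries(RATES)) {
    console.log(`${bits} bits vs ${name}: ${humanize(secondsToExhaust(bits, rate))}`);
  }
}
console.log('Sun, one year:', countableBits(1.21e41), 'bits');
console.log('Supernova:', countableBits(1e51), 'bits');
console.log('Hypernova:', countableBits(1e53), 'bits');
```

These are times to search the whole keyspace, matching the page's "100% guarantee" framing; a slow hash such as bcrypt lowers the effective guess rate passed in as `rate`.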