Password Entropy Estimator

Enter a password:

This page estimates the entropy of the password supplied in the form, using zxcvbn by Dropbox. Unlike traditional password meters, this one is based on entropy and actual brute-force cracking numbers.

This site does not log passwords! If you don't believe me, save this web page to your disk, disconnect your network, and run it locally offline. Or just don't use it. If you view the source, you'll see everything is calculated in JavaScript locally.

According to https://tools.ietf.org/html/rfc4086#section-8.1, which is an RFC on best current practices for online security, passwords should contain at least 29 bits of security to thwart an online brute-force search against a login prompt.

If you need a password generator, I built one in JavaScript that generates nine different passwords. Check it out at https://ae7.st/g/.

However, when databases are compromised and leaked to the Internet, offline password cracking can work much faster than online brute-force searches. The following are three brute-force search speeds that have actually been implemented:

For security against offline password cracking, passwords should have a minimum of 80 bits of entropy, and for a good safety margin, at least 88 bits of entropy.

The entropy of a supplied password is fed to each of these scenarios to see how long the password would last in a brute force search. Learn more about entropy at https://pthree.org/?p=3492/.
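The calculation described above, as an added example (not this page's own source): it converts an entropy value into brute-force search time per scenario and rates it against the 29-, 80- and 88-bit thresholds quoted here. The scenario names and guess rates are constructed placeholders, not the page's figures, and all function names are hypothetical.

```javascript
// Added example: entropy bits -> time to search the keyspace at a given guess rate.
// Scenario names and rates are constructed placeholders, not the page's figures.
const SCENARIOS = [
  { name: "online login prompt (assumed)", guessesPerSecond: 1e2 },
  { name: "offline, single GPU (assumed)", guessesPerSecond: 1e10 },
  { name: "offline, large cluster (assumed)", guessesPerSecond: 1e14 },
];

// Thresholds quoted on the page.
const ONLINE_MIN_BITS = 29;
const OFFLINE_MIN_BITS = 80;
const OFFLINE_MARGIN_BITS = 88;

// Entropy of a password whose characters are drawn uniformly at random.
function randomPasswordBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Seconds to try every candidate; on average a search succeeds after half of this.
function secondsToExhaust(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond;
}

function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [label, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${label}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

function rating(bits) {
  if (bits >= OFFLINE_MARGIN_BITS) return "offline, with margin";
  if (bits >= OFFLINE_MIN_BITS) return "offline minimum";
  if (bits >= ONLINE_MIN_BITS) return "online only";
  return "below online minimum";
}

function report(bits) {
  return SCENARIOS.map(s => ({
    scenario: s.name,
    exhaust: humanize(secondsToExhaust(bits, s.guessesPerSecond)),
    average: humanize(secondsToExhaust(bits, s.guessesPerSecond) / 2),
  }));
}

const bits = randomPasswordBits(14, 94); // 14 random printable-ASCII characters
console.log(bits.toFixed(1), rating(bits), report(bits));
```

`randomPasswordBits` applies only to uniformly random passwords; for a human-chosen password, pass the estimator's entropy figure to `report` and `rating` instead.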