Password Strength Calculator
How many bits of Entropy, and how long would it take to guess?
©2012, Bob Beeman
Updated 2013-01-04 @ 14:55 EST (UT-5)

This page allows you to calculate the amount of entropy (in bits) contained in a randomly chosen password with a given alphabet size and number of characters (length). It also gives an estimate of how long it would take a hacker to guess the password given a hash of the password, the length of the password (in characters), the particular hash algorithm being used, and the value of the "salt" if any.

The method of guessing is assumed to be brute force: that is, for a 3-character password composed only of lower-case letters, the hacker would guess (not necessarily in this order):
aaa,   aab,   aac,   ...,   aax,   aay,   aaz,   aba,   abb,   ...,   aby,   abz,   ...,   azx,   azy,   azz,   baa,   bab,   ...,   zzx,   zzy,   zzz

A password such as the 3-letter random password above would have 26^3 = 17,576 possible values, which gives an entropy of log2(17576) = 14.1 bits, which you can see from the calculator below.

This calculator assumes the hash rate, number of allowed characters in the password, and password length that you enter, and that THE PASSWORD WAS RANDOMLY CHOSEN. You can select the hacker's compute power using the selectors for Hashes/Second. At the time of this writing, the largest machines that an adversary would likely have can perform about 60 billion (60 * 10^9) hashes per second. This will evolve upward with time. On average, the adversary would have to test 50% of the possible passwords to find a match. You can set the desired probability of a "hit" using the "Probability" selector.

[Calculator form. Columns: Action | Entropy of a Random Password (Alphabet Size, PW Length, Entropy in Bits) | Average Time to Guess this Password with the Stated Probability (Hacker: Hashes/second, Probability, Time, Units)]

You can reset the calculator to its default values by pressing the "Reset" button. Values will be recalculated automatically whenever you change any of the selectors, or you can force a re-calculation by pressing the "Calculate" button.

I WILL SHORTLY POST A PAGE THAT HELPS YOU TO CHOOSE GOOD, TRULY RANDOM PASSWORDS USING ONLY ITEMS YOU HAVE AROUND THE HOUSE, AND WITHOUT USING SOFTWARE OF ANY KIND (UNLESS YOU COUNT A REFERENCE SHEET AND YOUR BRAIN AS SOFTWARE).


Here are some potentially useful links:
www.plaintextoffenders.com
The worst, most irresponsible thing a site can do is to store your passwords in plaintext. If they do so, anyone who succeeds in downloading the password file has everybody's UserID and Password without further effort. This site lists sites that are known to store passwords in PLAINTEXT. Click on "Archive" to see a page showing all of them. The list of "Reformed Offenders" is depressingly small.

datalossdb.org
A database of security breaches run by the "Open Security Foundation". It also has links to press reports.

Troy Hunt: 3 reasons you're forced into creating weak passwords.

Read More
The bits of entropy (E) in a given password, where A = alphabet size (the number of different characters allowed) and L = length (the total number of characters in the password), are calculated by the standard formula (where "*" indicates multiplication):

E = Log2(A^L)     or, equivalently:

E = Log2(A) * L
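
The formula and the time estimate described above can be worked through in code. The following is an added example, not the calculator's own code from this page. The function names, the 95-character alphabet (printable ASCII), and the 365.25-day year are assumptions, and `minLength` goes beyond the page by inverting the estimate to find the shortest random password that holds out for a chosen time.

```javascript
// Added example: brute-force estimate for a RANDOMLY chosen password.
const SECONDS_PER = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];

function checkInputs(alphabetSize, length, hashesPerSecond, probability) {
  if (!(alphabetSize >= 2) || !Number.isInteger(length) || length < 1)
    throw new RangeError("alphabet size must be >= 2 and length a positive integer");
  if (!(hashesPerSecond > 0) || !(probability > 0 && probability <= 1))
    throw new RangeError("hash rate must be > 0 and probability in (0, 1]");
}

// E = Log2(A) * L, the page's formula.
function entropyBits(alphabetSize, length) {
  checkInputs(alphabetSize, length, 1, 1);
  return Math.log2(alphabetSize) * length;
}

// Guessing without repeats finds the password with probability p after
// testing p * A^L candidates (p = 0.5 is the page's "on average" case).
function secondsToGuess(alphabetSize, length, hashesPerSecond, probability) {
  checkInputs(alphabetSize, length, hashesPerSecond, probability);
  return (probability * Math.pow(alphabetSize, length)) / hashesPerSecond;
}

// Shortest length whose guessing time reaches targetSeconds (not on the page).
function minLength(alphabetSize, hashesPerSecond, probability, targetSeconds) {
  let length = 1;
  while (secondsToGuess(alphabetSize, length, hashesPerSecond, probability) < targetSeconds) length++;
  return length;
}

// Pick the largest unit that fits; 1 year = 365.25 days (assumption).
function humanize(seconds) {
  const unit = SECONDS_PER.find(([, size]) => seconds >= size) || ["seconds", 1];
  return `${(seconds / unit[1]).toPrecision(3)} ${unit[0]}`;
}

const RATE = 60e9; // the page's 60 * 10^9 hashes per second
console.log(entropyBits(26, 3).toFixed(1), "bits");
console.log(humanize(secondsToGuess(95, 10, RATE, 0.5)));
console.log(minLength(95, RATE, 0.5, 100 * 31557600), "characters for 100 years");
```

As the page stresses, these figures hold only for randomly chosen passwords; the hash rate is an input you should raise as hardware improves.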


This page is copyrighted "freeware"
©2012, Bob Beeman
www.bee-man.us
That means that although it is copyrighted, it is intended for you to use for your education or entertainment. Use for any other purpose is a violation of the copyright. You may use it yourself, copy and redistribute it, or even put it on your own website. I ask only that you not make any changes, and that you credit me as the source and reproduce this Notice unaltered and in its entirety. If you reuse any of the code, make sure to list me as one of your sources.

My only reward for writing this is the 15 milliseconds of fame I receive from having my name here. Don't deprive me of that.

You can copy this page by simply doing a "Save As" in your browser and putting it somewhere on your hard drive (or your web site). If you stop there the background will be gone. To preserve the background, copy the following file into this same folder, without changing its name, by again using your browser's "Save As". The next time you refresh the page, the background should be restored:

www_bee-man_us_background.gif

I make NO guarantee of any kind.
This page may contain serious errors.
Use this page entirely at your own risk!

I am not a lawyer, accountant, or financial advisor.
Nothing on this page or anywhere on this site should be construed as
legal, financial, or investing advice.