Password Entropy Explained: Calculate Crack Time with Math

Understand password entropy in bits, calculate brute-force resistance from character pool size and length, and learn why a 60-bit password is the realistic minimum for security in 2026.

ToolsVito Team

Entropy Is Math, Not Opinion

Every password has a numeric entropy value that measures its resistance to guessing. Entropy depends on two things: the size of the character pool you drew from and the length of the password. If a password is generated randomly, entropy is deterministic. If a human created it, actual entropy is lower than the formula predicts — human brains follow patterns that reduce randomness. But the formula still gives you an upper bound and a useful frame of reference.

The Core Formula

E = L × log₂(N)

Where:
  E = entropy in bits
  L = password length in characters
  N = character pool size

Worked example: a 14-character password using mixed case and digits (pool of 62) has entropy of 14 × log₂(62) ≈ 14 × 5.954 ≈ 83.4 bits.

Character Pool Reference

  • Digits only: 10 characters → log₂(10) ≈ 3.32 bits per character
  • Lowercase only: 26 characters → log₂(26) ≈ 4.70 bits per char
  • Mixed case: 52 characters → log₂(52) ≈ 5.70 bits per char
  • Alphanumeric: 62 characters → log₂(62) ≈ 5.95 bits per char
  • Full printable ASCII: 95 characters → log₂(95) ≈ 6.57 bits per char

Guesses-to-Crack: The Other Half

Entropy alone doesn't tell you how long cracking takes — you need the hash rate. An attacker using a single GPU can try about 100 billion SHA-256 hashes per second. An offline attack on a stolen password database might use a cluster doing trillions per second. An online attack (trying passwords against a login form) might manage 10 per second due to rate limiting.

Crack time (seconds) = 2^(entropy - 1) / guesses_per_second

At 100 billion guesses/second (offline, single GPU):

  • 40-bit password: ~5.5 seconds
  • 50-bit password: ~5,600 seconds (~1.5 hours)
  • 60-bit password: ~66 years
  • 70-bit password: ~67,000 years
  • 80-bit password: ~68 million years

This is why 60 bits is the commonly cited minimum: it survives a determined offline attack for a meaningful amount of time, even against modern hardware.

Where Entropy Formulas Break

The formula assumes truly random character selection. Humans don't do that. CorrectHorseBatteryStaple has high theoretical entropy from length, but it's four common English words — an attacker's dictionary covers this. Real entropy for human-chosen passwords is much lower. Password managers solve this by generating truly random strings.
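The gap between the two estimates for CorrectHorseBatteryStaple, as an added example that is not part of the original article or ToolsVito's calculator: it computes the character-pool upper bound E = L × log₂(N) and a word-based estimate, then applies the crack-time formula above. The four-word sample list, the 7,776-word dictionary size and all function names are assumptions made for illustration.

```python
import math
import re
import string

# Classes sized to match the page's pool reference: 10 + 26 + 26 + 33 (symbols and space) = 95.
CLASSES = [string.digits, string.ascii_lowercase, string.ascii_uppercase,
           string.punctuation + " "]
# Constructed sample data: a tiny stand-in word list and an assumed attacker dictionary size.
SAMPLE_WORDS = {"correct", "horse", "battery", "staple"}
ASSUMED_LIST_SIZE = 7776
GPU_RATE = 100e9  # the page's single-GPU figure, guesses per second

def pool_size(password):
    """N: combined size of every character class the password draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def charset_bits(password):
    """Upper bound from the page's formula, E = L * log2(N)."""
    n = pool_size(password)
    return len(password) * math.log2(n) if n else 0.0

def split_words(password):
    """Split a CamelCase or lowercase run into lowercase word tokens."""
    return [w.lower() for w in re.findall(r"[A-Z][a-z]+|[a-z]+", password)]

def wordlist_bits(password, wordlist, list_size):
    """k * log2(W) if the password is exactly k listed words, else None."""
    words = split_words(password)
    if "".join(words) != password.lower() or not words:
        return None
    if any(w not in wordlist for w in words):
        return None
    return len(words) * math.log2(list_size)

def effective_bits(password, wordlist, list_size):
    """An attacker picks the cheaper search, so take the smaller estimate."""
    word_model = wordlist_bits(password, wordlist, list_size)
    char_model = charset_bits(password)
    return char_model if word_model is None else min(char_model, word_model)

def crack_seconds(bits, guesses_per_second):
    """The page's estimate: 2^(entropy - 1) / guesses_per_second."""
    return 2 ** (bits - 1) / guesses_per_second

if __name__ == "__main__":
    pw = "CorrectHorseBatteryStaple"
    for label, bits in (("character model", charset_bits(pw)),
                        ("word model", effective_bits(pw, SAMPLE_WORDS, ASSUMED_LIST_SIZE))):
        print(f"{label}: {bits:.1f} bits, ~{crack_seconds(bits, GPU_RATE):.3g} s at 1e11/s")
```

On the sample passphrase the character model reports about 142.5 bits, while the word model under the assumed dictionary size reports about 51.7 bits.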

Calculate Your Password Entropy

Use ToolsVito's Entropy Calculator to get the exact bit strength of any password based on its character pool and length, along with estimated crack times at different attack speeds. All calculation happens in your browser.
