Password Strength Checker

A password is only as strong as the number of possible combinations an attacker must try before guessing it correctly — and that number is determined by two variables: the length of the password and the size of the character set it draws from. An 8-character password using only lowercase letters has 26⁸ ≈ 200 billion possible combinations — which sounds impressive until you learn that modern GPU-accelerated brute-force tools can test over 100 billion combinations per second, cracking such a password in under 2 seconds. Add uppercase letters, numbers and symbols and extend to 12 characters, and the combination count explodes to 95¹² ≈ 540 quintillion — requiring hundreds of thousands of years at the same attack rate. Our password strength checker calculates this precisely: it estimates the character set, calculates entropy in bits, and translates the result into a realistic crack-time estimate using modern attack benchmarks — giving you a clear, honest picture of exactly how protected you actually are.

Understanding password strength goes hand-in-hand with generating strong passwords. Our Secure Password Generator creates cryptographically random passwords of any length and complexity — with precise control over which character sets to include. After generating a password there, paste it here to see its entropy score, estimated crack time and a full security checklist. The two tools together form a complete password security workflow: generate, verify, and deploy with confidence.

For developers working with authentication systems, it is worth noting that passwords are rarely stored in plain text — they are hashed, and often the hash itself is stored as a Base64-encoded string. Our Base64 Encoder/Decoder can help you inspect or verify these encoded credential strings — an essential skill for anyone building or auditing authentication systems and security infrastructure.

O que é a entropia de uma senha?

A entropia mede-se em bits: entropia = comprimento × log₂(tamanho do conjunto de caracteres). Os especialistas recomendam no mínimo 80 bits de entropia para contas sensíveis.

Ataques de força bruta vs ataques de dicionário

Ferramentas como Hashcat testam mais de 100 mil milhões de tentativas/segundo. O NIST recomenda priorizar o comprimento em detrimento da complexidade.