Calculate password combinations, entropy bits, and brute-force crack time. Compare password length and character set impacts on security strength.
Password security depends mainly on length and character pool size. A password of length L drawn from a pool of P characters has P^L possible combinations, so each extra character or larger character set can expand the search space quickly.
This calculator reports total combinations, entropy in bits, and an estimated brute-force crack time for a chosen mix of lowercase letters, uppercase letters, digits, symbols, or custom characters. It is useful for comparing common policy choices and seeing which ones actually increase resistance to guessing attacks.
The output makes it easy to tell whether a password is long enough to matter or only looks complex on paper.
Password rules often focus on symbol requirements even though length usually contributes more entropy per added character. This page makes those trade-offs visible so you can compare policy options with actual numbers instead of intuition.
Total Combinations = P^L where P = character pool size, L = password length Entropy = L × log₂(P) bits Average brute-force attempts = P^L / 2 Crack time = P^L / (2 × attempts_per_second) Common pool sizes: Digits: 10, Lower: 26, Mixed alpha: 52, Alphanumeric: 62, All printable ASCII: 94
Result: 218,340,105,584,896 combinations, 47.6 bits entropy
An 8-character alphanumeric password (62^8) has about 218 trillion combinations and 47.6 bits of entropy. At 1 billion guesses/second, average crack time is about 30 hours. Adding symbols (94^8 = 6 quadrillion) would increase entropy to 52.4 bits and crack time to 36 days.
Password security is fundamentally a combinatorics problem. P^L total possibilities means an attacker must try, on average, P^L/2 passwords. The logarithmic measure (entropy = L × log₂P) lets us compare passwords across different pool sizes and lengths on a uniform scale.
Each additional character adds log₂P bits of entropy. For alphanumeric (P=62), each character adds ~5.95 bits. Going from 8 to 12 characters adds 23.8 bits — that's 2^23.8 ≈ 14.8 million times harder to crack. Mandatory symbols increase pool from 62 to 94, adding only log₂(94/62) ≈ 0.6 bits per character — negligible compared to adding length.
Online attacks (rate-limited to ~100/sec): Even a 6-char alphanumeric password survives ~18 years on average. Offline attacks (10 billion/sec): need 80+ bits for adequate security. State-level attacks (custom hardware, 10¹⁵/sec): need 100+ bits. The attack speed determines the security threshold.
Last updated:
10^4 = 10,000 combinations. At even 1,000 attempts per second, all PINs can be tried in 10 seconds. PINs rely on lockout mechanisms (e.g., 3 attempts then lock) rather than combinatorial security.
For random passwords, yes — each additional character multiplies security. But human-chosen long passwords often use predictable patterns ("password123456") that don't provide the full theoretical entropy.
Entropy measures the number of bits needed to represent all possible passwords. 40 bits = 2^40 ≈ 1 trillion combinations. Higher entropy means more guesses needed. It's computed as length × log₂(pool size).
Modern GPU-based cracking (using hashcat) achieves billions of hashes per second for common hash functions like SHA-256 or MD5. For bcrypt with cost factor 12, it drops to ~thousands per second.
Adding symbols increases the pool from 62 to 94 chars (51% increase). But adding 2 characters of length (keeping 62-char pool) multiplies combinations by 62² = 3,844. Length usually wins.
Randomness and length. A 16+ character random password from a 62+ character pool provides 95+ bits of entropy. Combined with a slow hash function (bcrypt, Argon2), this is effectively uncrackable even with nation-state resources.