Permutations with Repetition Calculator
Calculate ordered arrangements with repetition (n^r). Supports variable pool sizes per position, position breakdown, entropy, and reference tables.
Password Combination Calculator
Calculate password combinations, entropy bits, and brute-force crack time. Compare password length and character set impacts on security strength.
Password Combination Calculator
Character Sets
Brute-force speed (default: 1 billion/sec)
Total Combinations⧉
218,340,105,584,896
62^8
Entropy⧉
47.6 bits
8 × log₂(62)
Strength⧉
Moderate
Moderate
Avg Crack Time⧉
1.3 days
At 1,000,000,000 attempts/sec
Character Pool⧉
62
Lowercase (a-z): 26, Uppercase (A-Z): 26, Digits (0-9): 10
Log₁₀(combos)⧉
14.34
Order of magnitude
Entropy by Password Length
| Length | Combinations | Entropy (bits) | Avg Crack Time |
|---|---|---|---|
| 4 | 14,776,336 | 23.8 | 7.4 ms |
| 6 | 56,800,235,584 | 35.7 | 28.4 seconds |
| 8 | 218,340,105,584,896 | 47.6 | 1.3 days |
| 10 | 10^17.9 | 59.5 | > age of universe |
| 12 | 10^21.5 | 71.5 | > age of universe |
| 16 | 10^28.7 | 95.3 | > age of universe |
| 20 | 10^35.8 | 119.1 | > age of universe |
| 24 | 10^43.0 | 142.9 | > age of universe |
| 32 | 10^57.4 | 190.5 | > age of universe |
Effect of Character Pool Size
| Character Set | Pool | Entropy | Avg Crack Time |
|---|---|---|---|
| Digits only | 10 | 26.6 bits | 50.0 ms |
| Lower alpha | 26 | 37.6 bits | 1.7 minutes |
| Alpha (mixed) | 52 | 45.6 bits | 7.4 hours |
| Alphanumeric | 62 | 47.6 bits | 1.3 days |
| All printable | 94 | 52.4 bits | > age of universe |
Visual: Entropy Strength
0 bits (trivial)48 bits128+ bits (excellent)
Planning notes, formulas, and examples
About the Password Combination Calculator
Password security depends mainly on length and character pool size. A password of length L drawn from a pool of P characters has P^L possible combinations, so each extra character or larger character set can expand the search space quickly.
This calculator reports total combinations, entropy in bits, and an estimated brute-force crack time for a chosen mix of lowercase letters, uppercase letters, digits, symbols, or custom characters. It is useful for comparing common policy choices and seeing which ones actually increase resistance to guessing attacks.
The output makes it easy to tell whether a password is long enough to matter or only looks complex on paper.
When This Page Helps
Password rules often focus on symbol requirements even though length usually contributes more entropy per added character. This page makes those trade-offs visible so you can compare policy options with actual numbers instead of intuition.
How to Use the Inputs
- Enter the password length.
- Check the character sets to include (lowercase, uppercase, digits, symbols).
- Optionally add custom characters.
- Set the brute-force speed for crack time estimation.
- Or click a preset for common scenarios (PIN, standard password, strong password).
- Review the total combinations, entropy, and estimated crack time.
- Compare how length and character pool affect security.
Formula used
Total Combinations = P^L
where P = character pool size, L = password length
Entropy = L × log₂(P) bits
Average brute-force attempts = P^L / 2
Crack time = P^L / (2 × attempts_per_second)
Common pool sizes:
Digits: 10, Lower: 26, Mixed alpha: 52, Alphanumeric: 62, All printable ASCII: 94Example Calculation
Result: 218,340,105,584,896 combinations, 47.6 bits entropy
An 8-character alphanumeric password (62^8) has about 218 trillion combinations and 47.6 bits of entropy. At 1 billion guesses/second, average crack time is about 30 hours. Adding symbols (94^8 = 6 quadrillion) would increase entropy to 52.4 bits and crack time to 36 days.
Tips & Best Practices
- Length matters more than complexity. A 12-char lowercase password (26^12) has more entropy than an 8-char alphanumeric password (62^8).
- Every additional character multiplies combinations by the pool size. Going from 8 to 12 characters makes the password ~14 million times harder to crack.
- The entropy scale: <28 bits = trivially crackable, 40-60 bits = moderate, 80+ bits = strong against offline attacks, 128+ bits = virtually uncrackable.
- Modern GPUs can try 10+ billion hashes per second for weak hash functions like MD5. Use bcrypt/scrypt to slow this down.
- Password managers eliminate the trade-off between security and memorability — use long random passwords.
- These calculations assume truly random passwords. Real human-chosen passwords have much less entropy due to patterns.
The Mathematics of Password Security
Password security is fundamentally a combinatorics problem. P^L total possibilities means an attacker must try, on average, P^L/2 passwords. The logarithmic measure (entropy = L × log₂P) lets us compare passwords across different pool sizes and lengths on a uniform scale.
Why Length Beats Complexity
Each additional character adds log₂P bits of entropy. For alphanumeric (P=62), each character adds ~5.95 bits. Going from 8 to 12 characters adds 23.8 bits — that's 2^23.8 ≈ 14.8 million times harder to crack. Mandatory symbols increase pool from 62 to 94, adding only log₂(94/62) ≈ 0.6 bits per character — negligible compared to adding length.
Real-World Attack Scenarios
Online attacks (rate-limited to ~100/sec): Even a 6-char alphanumeric password survives ~18 years on average. Offline attacks (10 billion/sec): need 80+ bits for adequate security. State-level attacks (custom hardware, 10¹⁵/sec): need 100+ bits. The attack speed determines the security threshold.
Sources & Methodology
Last updated:
Frequently Asked Questions
10^4 = 10,000 combinations. At even 1,000 attempts per second, all PINs can be tried in 10 seconds. PINs rely on lockout mechanisms (e.g., 3 attempts then lock) rather than combinatorial security.
For random passwords, yes — each additional character multiplies security. But human-chosen long passwords often use predictable patterns ("password123456") that don't provide the full theoretical entropy.
Entropy measures the number of bits needed to represent all possible passwords. 40 bits = 2^40 ≈ 1 trillion combinations. Higher entropy means more guesses needed. It's computed as length × log₂(pool size).
Modern GPU-based cracking (using hashcat) achieves billions of hashes per second for common hash functions like SHA-256 or MD5. For bcrypt with cost factor 12, it drops to ~thousands per second.
Adding symbols increases the pool from 62 to 94 chars (51% increase). But adding 2 characters of length (keeping 62-char pool) multiplies combinations by 62² = 3,844. Length usually wins.
Randomness and length. A 16+ character random password from a 62+ character pool provides 95+ bits of entropy. Combined with a slow hash function (bcrypt, Argon2), this is effectively uncrackable even with nation-state resources.
More in this topic
Possible Combinations Calculator
Calculate all four types of counting: permutations/combinations with/without repetition. Decision guide, side-by-side comparison, visual size chart, and common examples.
Combinations without Repetition Calculator
Calculate C(n, r) combinations without repetition. Full enumeration for small cases, Pascal's triangle row, probability of a specific combo, and reference table.