Understanding Password Entropy
Entropy quantifies how many bits of uncertainty an attacker must overcome to guess your password. Formula: entropy = length × log2(keyspace), where keyspace is the number of characters each position can take. An 8-character password from 26 lowercase letters has 8 × log2(26) ≈ 37.6 bits. The same length from 95 characters (mixed case, digits, symbols) has 8 × log2(95) ≈ 52.6 bits. Doubling the keyspace adds exactly 1 bit per character; adding one character adds log2(keyspace) bits, which is at least 4.7 bits even for lowercase only. Length therefore matters more than complexity for increasing entropy. The formula assumes every character was drawn uniformly at random from the whole keyspace; a human-chosen password never reaches the figure it produces.
Character Set and Keyspace
The keyspace is the sum of the character categories used: lowercase (26), uppercase (26), digits (10), symbols (33 printable ASCII punctuation characters plus the space, though the count varies with how symbols are defined). Using only lowercase gives 26; adding uppercase gives 52; adding digits gives 62; adding symbols gives 95. Each new category enlarges the keyspace, and the number of possibilities grows as keyspace^length. A 10-character password from 95 characters has 95^10 ≈ 6×10^19 possibilities, which is about 2^65.7, or roughly 66 bits of entropy.
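The two sections above can be turned into a small calculator. The code below is an added example written for this page, not part of the DuskTools tool itself; the category sizes are the ones quoted above (33 symbols = printable ASCII punctuation plus space), and the helper names are this example's own. Besides reproducing the 37.6, 52.6 and 65.7-bit figures, it separates the two marginal gains the text compares: one more character versus a doubled alphabet.

```python
import math
import string

# Category sizes used on this page. The 33 "symbols" are the printable ASCII
# punctuation characters plus space, which brings the total to 95.
CATEGORIES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation + " ", 33),
}


def categories_present(password: str) -> set[str]:
    """Names of the character categories the password actually uses."""
    present = set()
    for ch in password:
        for name, (chars, _) in CATEGORIES.items():
            if ch in chars:
                present.add(name)
                break
        else:
            raise ValueError(f"{ch!r} is outside printable ASCII; extend CATEGORIES to score it")
    return present


def keyspace(password: str) -> int:
    """Alphabet size implied by the categories present (26, 36, 52, 62, 95, ...)."""
    return sum(CATEGORIES[name][1] for name in categories_present(password))


def bits_for(length: int, alphabet_size: int) -> float:
    """entropy = length * log2(keyspace)."""
    return length * math.log2(alphabet_size)


def entropy_bits(password: str) -> float:
    """Entropy the formula assigns to a password, assuming every character
    was chosen uniformly at random from the implied alphabet."""
    return bits_for(len(password), keyspace(password)) if password else 0.0


def gain_from_extra_char(length: int, alphabet_size: int) -> float:
    """Bits added by one more character from the same alphabet."""
    return bits_for(length + 1, alphabet_size) - bits_for(length, alphabet_size)


def gain_from_doubling_keyspace(length: int, alphabet_size: int) -> float:
    """Bits added by doubling the alphabet (e.g. 26 -> 52) at the same length."""
    return bits_for(length, 2 * alphabet_size) - bits_for(length, alphabet_size)


def possibilities(length: int, alphabet_size: int) -> int:
    """Exact keyspace count, so 95^10 can be checked against 2^bits."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed sample passwords, chosen to hit different category mixes.
    for pw in ("hunter2", "correcthorse", "Passw0rd!"):
        print(f"{pw:14} keyspace={keyspace(pw):3d} bits={entropy_bits(pw):5.1f}")
    print("8 lowercase:", round(bits_for(8, 26), 1), "bits")
    print("8 from 95:  ", round(bits_for(8, 95), 1), "bits")
    print("95^10 =", possibilities(10, 95), "=", round(bits_for(10, 95), 1), "bits")
    print("9th lowercase char adds", round(gain_from_extra_char(8, 26), 1), "bits;",
          "doubling the keyspace adds", round(gain_from_doubling_keyspace(8, 26), 1), "bits")
```

Note that `keyspace` credits a category as soon as one character from it appears, which is exactly what the formula does; it says nothing about whether the characters were chosen randomly, which is the subject of the weak-pattern section below.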
Crack Time and Attack Speeds
Brute-force crack time to exhaust the keyspace = possibilities / attempts_per_second; on average a random password falls after half of that. At 1,000 attempts/sec (typical for an online service), 2^40 possibilities take about 35 years, while 2^30 take about 12 days. At 1 billion/sec (offline, single GPU), 2^60 take about 36 years. At 100 billion/sec (large GPU cluster), 2^70 take about 370 years, and every additional 10 bits multiplies the time by roughly 1,000. NIST SP 800-63B allows a verifier-generated memorized secret as short as 6 digits (10^6 ≈ 20 bits) only because the verifier must limit failed online attempts to at most 100; resisting an offline attack on a leaked hash demands far more entropy, plus a slow hash such as bcrypt, scrypt or Argon2 that cuts the attacker's rate.
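The figures above come straight out of the crack-time formula. The code below is an added example for this page, not DuskTools' own code; the three guess rates are the ones quoted above, the attack labels and the 100-attempt lockout figure (from NIST SP 800-63B) are this example's framing, and it reports both exhaustive and expected (half-keyspace) times.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates quoted in the text above; the labels are this example's own.
ATTACK_RATES = {
    "online, rate-limited (1e3/s)": 1e3,
    "offline, one GPU (1e9/s)": 1e9,
    "offline, GPU cluster (1e11/s)": 1e11,
}


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every one of the 2^bits possibilities."""
    return 2.0 ** bits / guesses_per_second


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random password: half the keyspace."""
    return seconds_to_exhaust(bits, guesses_per_second) / 2


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years down to seconds)."""
    for name, size in (("year", SECONDS_PER_YEAR), ("day", 86400),
                       ("hour", 3600), ("minute", 60), ("second", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}s"
    return "under a second"


def bits_needed(guesses_per_second: float, min_years: float) -> float:
    """Smallest entropy for which exhausting the keyspace takes >= min_years."""
    return math.log2(guesses_per_second * min_years * SECONDS_PER_YEAR)


def online_guess_probability(bits: float, attempts: int = 100) -> float:
    """Chance a guesser succeeds before a verifier lockout after `attempts`
    failures (100 is the ceiling NIST SP 800-63B sets for verifiers)."""
    return min(1.0, attempts / 2.0 ** bits)


def crack_time_table(bits_list=(20, 40, 60, 70, 80)) -> dict:
    """{(bits, attack label): seconds to exhaust} for every combination."""
    return {(b, label): seconds_to_exhaust(b, rate)
            for b in bits_list for label, rate in ATTACK_RATES.items()}


if __name__ == "__main__":
    for (b, label), secs in crack_time_table().items():
        print(f"2^{b:<3} at {label:30} exhaust {humanize(secs):>16}  expected {humanize(secs / 2):>16}")
    for label, rate in ATTACK_RATES.items():
        print(f"{label}: {bits_needed(rate, 100):.1f} bits hold out 100 years")
    print("20-bit PIN, 100 online attempts:", f"{online_guess_probability(20):.2e}")
```

The table makes the two caveats visible: a 20-bit secret falls in under 20 minutes at a mere 1,000 guesses/sec, so it is only safe when the verifier stops the guesser after 100 attempts, and each step from 2^60 to 2^70 to 2^80 buys a factor of about a thousand against the same cluster.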
Common Weak Patterns
Dictionary words, keyboard walks (qwerty, asdf), sequential numbers (12345), years (2024), repeated characters (aaaa, 1111), and personal info (names, birthdays) drastically reduce effective entropy, because the attacker no longer searches the whole keyspace but a far smaller candidate set. Attackers use hybrid rules such as word + number + symbol, so a dictionary word with a couple of digits and a symbol appended sits in a candidate set only a few thousand times larger than the dictionary, far below what the length × log2(keyspace) formula reports for it. The best defense is length (passphrases) or true randomness (password manager). A passphrase of four words drawn from the 7,776-word Diceware list has 4 × log2(7776) ≈ 51.7 bits even when the attacker knows the list, and every further word adds about 12.9 bits.
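The gap between naive and effective entropy can be made concrete by modelling the attacker's rules as candidate sets and taking the smallest one that contains the password. The code below is an added example for this page, not the DuskTools scorer; the rule parameters (a 10-million-word dictionary, three case variants, up to four trailing digits, at most one trailing symbol, a maximum length of 16 for repeats and sequences) are this example's assumptions, and the tiny word set is constructed only so the example runs offline.

```python
import math
import re
import string

# Constructed sample data. A real cracker loads a wordlist of tens of millions of
# entries; DICTIONARY_SIZE is the assumed size of that list, not the size of the
# small set used here to recognise words.
COMMON_WORDS = {"password", "dragon", "welcome", "monkey", "letmein", "sunshine", "hunter"}
DICTIONARY_SIZE = 10_000_000
CASE_VARIANTS = 3          # assumed rule: word as-is, Capitalized, UPPER
MAX_DIGIT_SUFFIX = 4       # assumed rule: append 0..4 digits
MAX_SYMBOL_SUFFIX = 1      # assumed rule: append 0 or 1 of 33 symbols
MAX_LEN = 16               # assumed longest repeat/sequence the rule tries
PRINTABLE = 95
DICEWARE_WORDS = 7776      # standard Diceware list: log2(7776) ~ 12.9 bits per word

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _keyboard_walks(min_len: int = 3) -> set[str]:
    """Every left-to-right or right-to-left run of >= min_len keys on one row."""
    walks = set()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r)):
                for j in range(i + min_len, len(r) + 1):
                    walks.add(r[i:j])
    return walks


KEYBOARD_WALKS = _keyboard_walks()


def naive_bits(password: str) -> float:
    """length * log2(keyspace), with keyspace from the categories present."""
    sizes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation + " ", 33)]
    keyspace = sum(n for chars, n in sizes if any(c in chars for c in password))
    return len(password) * math.log2(keyspace) if keyspace else 0.0


def is_repeat(s: str) -> bool:
    return len(s) >= 3 and len(set(s)) == 1


def is_sequence(s: str) -> bool:
    """Strictly ascending or descending run of consecutive code points (12345, edcba)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_year(s: str) -> bool:
    return s.isdigit() and len(s) == 4 and 1900 <= int(s) <= 2099


def hybrid_parts(password: str):
    """Split 'word + digits + symbols'; None if the rule would not generate it."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^\w\s]*)", password)
    if not m:
        return None
    word, digits, symbols = m.groups()
    base = word.lower()
    if base not in COMMON_WORDS or word not in (base, base.capitalize(), base.upper()):
        return None
    if len(digits) > MAX_DIGIT_SUFFIX or len(symbols) > MAX_SYMBOL_SUFFIX:
        return None
    return word, digits, symbols


def effective_bits(password: str) -> float:
    """log2 of the smallest modelled candidate set containing the password;
    equals naive_bits when no pattern applies."""
    bits = [naive_bits(password)]
    if is_repeat(password):
        bits.append(math.log2(PRINTABLE * MAX_LEN))          # which char, which length
    if is_sequence(password):
        bits.append(math.log2(2 * PRINTABLE * MAX_LEN))      # direction, start, length
    if is_year(password):
        bits.append(math.log2(200))                          # 1900..2099
    if password.lower() in KEYBOARD_WALKS:
        bits.append(math.log2(len(KEYBOARD_WALKS)))
    if hybrid_parts(password) is not None:
        digit_choices = sum(10 ** k for k in range(MAX_DIGIT_SUFFIX + 1))   # 0..4 digits
        symbol_choices = 1 + 33 * MAX_SYMBOL_SUFFIX                         # none or one
        bits.append(math.log2(DICTIONARY_SIZE * CASE_VARIANTS * digit_choices * symbol_choices))
    return min(bits)


def passphrase_bits(n_words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of n words drawn uniformly from a list the attacker knows."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("Password1!", "qwerty", "12345", "2024", "aaaa", "Tr0ub4dor&3"):
        print(f"{pw:12} naive {naive_bits(pw):5.1f}  effective {effective_bits(pw):5.1f}")
    print("4 Diceware words:", round(passphrase_bits(4), 1), "bits; 6 words:", round(passphrase_bits(6), 1))
```

`Password1!` scores 65.7 bits by the formula but about 43 bits once the hybrid rule is modelled, and `qwerty` drops from 28 bits to under 8. The heuristics only lower a score when a rule they know about fires, so an unmodelled pattern (a birthday, a name from a breach list) still scores naively; that is the direction in which any such estimator errs, which is why the text's advice is a passphrase or a password manager rather than a higher meter reading.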