STATISTICSProbability TheoryStatistics Calculator
📊

Password Combination Calculator

Password combination calculator. Compute total combinations, entropy bits, brute-force time. NIST, O

Run CalculatorExplore data analysis and statistical calculations

Why This Statistical Analysis Matters

Why: Statistical calculator for analysis.

How: Enter inputs and compute results.

🔐
PASSWORD SECURITYStatistics

Total Password Combinations & Brute-Force Time

Combinations = charset^length. Entropy = length × log₂(charset). NIST recommends length over complexity. Use a password manager.

Birthday Paradox →Random Generator →

Real-World Scenarios — Click to Load

Inputs

password_strength.sh
CALCULATED
$ length=8 charset=26
Total combinations
208.83 billion
Entropy (bits)
37.60
Strength
Strong
Brute-force time
2.09 seconds
Share:
Password Strength Result
Strong
208.83 billion
37.6 bits2.09 seconds
numbervibe.com/calculators/statistics/password-combination-calculator

Time to Crack by Length

Strength (Entropy) by Length

Charset Impact (8 chars)

Calculation Breakdown

COMPUTATION
Character set size
26
Lowercase(26) + Uppercase(26) + Digits(10) + Special(33)
Total combinations
208.83 billion
charset^length = 26^8
ENTROPY
Entropy (bits)
37.60
length × log₂(charset) = 8 × log₂(26)
Strength rating
Strong
36–60 bits
SECURITY
Brute-force time
2.09 seconds
combinations / attempts_per_sec = 208.83 billion / 1e+11

For educational and informational purposes only. Verify with a qualified professional.

Key Takeaways

  • Total combinations = charset^length — each character multiplies possibilities
  • Entropy (bits) = length × log₂(charset) — measures unpredictability
  • Length beats complexity — NIST recommends longer passphrases over complex short passwords
  • • Online attacks (~1K/s) are rate-limited; offline attacks (MD5 ~100B/s) can try billions per second
  • • Use a password manager to generate and store unique, strong passwords for every account

Did You Know?

🔐NIST SP 800-63B recommends minimum 8 characters, with no complexity requirements — length matters moreSource: NIST
A GPU cluster can try 100+ billion MD5 hashes per second; bcrypt limits to ~50K/s by designSource: OWASP
📊Hive Systems publishes a color-coded table showing how long passwords take to crack at different speedsSource: Hive Systems
🔑A 12-character password with 95-char set has 95^12 ≈ 540 quadrillion combinationsSource: Wikipedia
🛡️Passphrases like "correct-horse-battery-staple" are easier to remember and often stronger than short complex passwordsSource: XKCD
⚠️Have I Been Pwned has 600M+ compromised passwords — check if yours has been leakedSource: HIBP

Expert Tips

Length over complexity

"Password1!" is weaker than "correct horse battery staple" — NIST agrees

Use a password manager

Generate unique 16+ char passwords per site; you only remember one master password

Enable 2FA

Two-factor authentication adds a second layer even if password is compromised

Check Have I Been Pwned

If your password appears in a breach, change it immediately

Character Sets Comparison

CharsetSize8 chars12 chars
Lowercase only26208B95 quadrillion
+ Uppercase5253T390 quadrillion
+ Digits62218T3.2 sextillion
+ Special (95)956.6 quadrillion540 quadrillion

Frequently Asked Questions

Why does NIST recommend length over complexity?

Longer passwords create exponentially more combinations. A 16-char lowercase password (26^16) has more combinations than an 8-char full-set password (95^8). Length scales better and is easier to remember as passphrases.

What is a good entropy for passwords?

NIST recommends at least 80 bits for high-security. 128 bits is cryptographically strong. Most sites: 40+ bits is reasonable. Weak: <28 bits (easily cracked).

How fast can attackers try passwords?

Online (rate-limited): ~1,000/sec. Offline MD5: ~100 billion/sec with GPUs. Offline bcrypt: ~50,000/sec (intentionally slow). Always assume worst-case if database is leaked.

Should I use a password manager?

Yes. Password managers generate strong, unique passwords per site. You remember one master password. OWASP and CISA recommend them.

What about passphrases?

Passphrases like "correct-horse-battery-staple" are memorable and can be strong. 4 random words from a 7,776-word list ≈ 51 bits. Add a number/symbol for more.

Why is my 8-char password weak?

8 chars with 95 options = 95^8 ≈ 6.6 quadrillion. At 100B/s that is ~66,000 seconds ≈ 18 hours. Attackers use dictionaries and rules — real crack time is often faster.

By the Numbers

26
Lowercase chars
95
Printable ASCII
100B
MD5 hashes/sec
80
NIST min bits

Disclaimer: This calculator provides theoretical brute-force estimates. Real-world attacks use dictionaries, rules, and leaked databases — actual crack times may be shorter. Use a password manager, enable 2FA, and follow NIST/OWASP guidelines. Check Have I Been Pwned if you suspect a breach.

👈 START HERE
⬅️Jump in and explore the concept!
AI

Related Calculators

Accuracy Calculator

Compute classification metrics from a confusion matrix: Accuracy, Precision, Recall, F1 Score, Specificity, MCC, and more. Essential for ML model evaluation.

Statistics

Bayes' Theorem Calculator

Calculate posterior probabilities using Bayes' theorem. Input prior, likelihood, and evidence to update beliefs with step-by-step Bayesian reasoning.

Statistics

Bertrand's Box Paradox

Interactive Bertrand's Box Paradox simulator. Explore why the probability of the other coin being gold is 2/3, not 1/2, with Monte Carlo simulation and Bayesian proof.

Statistics

Bertrand's Paradox

Explore Bertrand's Paradox — three valid methods for choosing a random chord give three different probabilities (1/3, 1/2, 1/4). Interactive simulation and visualization.

Statistics

Birthday Paradox Calculator

Calculate the probability that at least two people in a group share the same birthday. Interactive chart showing probability vs group size.

Statistics

Boy or Girl Paradox

Interactive Boy or Girl Paradox (Two-Child Problem). Explore why 'the older child is a boy' gives P=1/2 while 'at least one is a boy' gives P=1/3. With Monte Carlo simulation.

Statistics