This tool measures how random your data actually is. Paste a password, key, token, or any bytes, and it quantifies unpredictability with two complementary metrics plus a concrete cracking estimate.
Two entropy metrics — and why Min-Entropy matters for rating:
- Shannon entropy (H): the classic
−Σ p·log₂ p average information per symbol. It reflects average uncertainty and is useful for compression and communication theory. But it can be misleading for security: a value like aaaaaaaaaaX (one rare symbol among many common ones) scores a moderate Shannon entropy even though an attacker guessing the most common symbol hits often.
- Min-Entropy (H∞ =
−log₂(max p)): the worst-case guess work — based solely on the single most probable symbol. It upper-bounds an attacker's best single-guess success rate and is the conservative metric for security, so it is what the Strong/Medium/Weak rating uses.
Cracking estimate. Average time = 2^(min-entropy) / guessRate / 2 (half the keyspace on average). You pick the attacker's hash rate — from a slow CPU (10⁶/s) to a GPU farm (10¹²/s) or a custom rate — to frame the estimate realistically.
Rating thresholds (total Min-Entropy):
- Strong ≥ 128 bits → average crack time in the millions+ of years
- Medium 64–127 bits
- Weak < 64 bits → shown in red
Analysis Mode:
- Auto (default): character-level when the input is <128 bytes and all printable, else byte-level.
- Byte-level: treats each byte as a symbol — right for binary keys/hashes.
- Character-level: treats each Unicode character as a symbol — right for passwords/passphrases.
This tool does not maintain a weak-password dictionary — rating is purely algorithmic, based on the actual symbol distribution of whatever you paste. Use it to sanity-check generated keys, evaluate passphrase strength, or compare two tokens' randomness.