Building a Password Strength Analyzer with Entropy and Crack Time for Beginners

Live Demo:

Try your password ideas instantly, see entropy and crack time in action: Password Strength Analyzer Demo

TL;DR

Walk through a real-time password strength analyzer using entropy and crack time estimates. See how your password choices stack up, and learn the math behind brute-force risks, not just another “use a strong password” nudge.

Why I Built This

Most of us already know passwords matter. We accept “must contain 12 characters,” we use password managers, and we enable MFA where we can.

What we rarely see is what happens behind the scenes when a password is attacked:

• How fast can an attacker realistically guess?
• Why do some passwords that look strong still fall quickly?
• What does “brute forcing” actually mean in numbers?

To make this concrete, I built a password strength analyzer that:

• Runs entirely in the browser
• Estimates strength using entropy
• Shows a rough crack time for a given attack speed
• Provides simple, constructive feedback

What the App Does

At a high level, the app:

• Watches keystrokes in a password field
• Detects which character sets are used (lowercase, uppercase, digits, symbols)
• Computes an entropy score (in bits)
• Estimates crack time under a configurable guesses-per-second rate
• Maps the result to a strength label and suggestions

All logic runs client-side. No password ever leaves the browser.

Project Structure and Component Breakdown

Tech stack:

• HTML5
• CSS3
• Vanilla JavaScript

File structure:

password-strength-analyzer/
├── index.html # Main UI
├── script.js # Password analysis logic
├── style.css # Styling and responsive layout
├── README.md # Full project documentation
├── demo/
│ └── password-analyzer.sh # Demo launcher script
├── images/
│ └── bg.jpg # Glassmorphism background

What each component does:

• script.js (Core Logic, User Interaction):
  • Contains all the math for entropy calculation, character set detection, and crack time estimation. Converts passwords into strength scores, readable labels, and practical suggestions.
  • Listens to password input events and calls the analyzer in real time. It takes the results (entropy, strength labels, feedback) and updates the UI to show users actionable information as they type.
• index.html / styles.css(User Interface):
  • Provide the visual structure and readability.

File/Folder	Purpose
index.html	Main user interface for the password analyzer—contains all layout, UI elements, and loads other resources.
script.js	Performs password analysis: entropy calculation, character class detection, crack time estimation, and updates the UI in real time.
style.css	Styles the app; manages layout, colors, and visual responsiveness for desktops and mobile devices.
demo/password-analyzer.sh	Launches a local demo server with Python and opens the analyzer in your browser for quick starts.
images/bg.jpg	Provides a modern glassmorphism background effect for the web interface.
README.md	Contains all documentation including project goals, setup instructions, features, and technical details.

How to run locally:

git clone https://github.com/MalarGIT2023/password-strength-analyzer.git
cd password-strength-analyzer
python -m http.server 8000
# Open http://localhost:8000 in your browser

How the Analysis Works

1. Character Set Detection and Effective Alphabet Size

It first checks which sets of characters are present:

• Lowercase [a-z]: 26 characters
• Uppercase [A-Z]: 26 more
• Digits [0-9]: 10 more
• Symbols: Configurable, typically adds 32

The total number of possible characters (alphabet size, R) is the sum of included sets.

2. Search Space and Entropy Calculation

For a password of length L and alphabet size R:

Number of Combinations:
Combinations = R ^ L

Example:
If L = 8 and R = 62, total combinations = 62 ^ 8

Entropy (in bits):
Entropy = L * log2(R)

Where:

• L = password length
• R = alphabet size
• log2(R) = bits of randomness per character

Example Calculation:
Entropy = 8 * log2(62) ≈ 8 * 5.95 ≈ 47.6 bits

A higher entropy value means a stronger password.

Strength mapping:

• < 28 bits: Very weak
• 28–35 bits: Weak
• 36–59 bits: Reasonable
• 60–127 bits: Strong
• 128+ bits: Very strong

Example: Three Passwords

Password	Length	Sets Used	Entropy	Crack Time (1B/sec)
password123	11	lowercase, digits	~36 bits	Minutes to hours
CorrectHorseBatteryStaple!	25	upper, lower, symbols	100+ bits	Billions of years
f7&Qz9!mP3#x	12	upper, lower, digits, symbols	80+ bits	Many thousands of years

Crack Time Calculation

Attackers can guess at rates from hundreds to billions/sec:

const guessesPerSecond = 1e9; // 1 billion guesses/sec
const combinations = Math.pow(charsetSize, length);
const secondsToCrack = combinations / (2 * guessesPerSecond);

The UI converts seconds to minutes, years, or even higher for clear feedback, always noting these are rough, simplifying assumptions meant for education.

Core Analysis – JavaScript Example

function analyzePassword(pwd) {
  const length = pwd.length;
  let charsetSize = 0;
  const hasLower = /[a-z]/.test(pwd);
  const hasUpper = /[A-Z]/.test(pwd);
  const hasDigit = /[0-9]/.test(pwd);
  const hasSymbol = /[^A-Za-z0-9]/.test(pwd);

  if (hasLower) charsetSize += 26;
  if (hasUpper) charsetSize += 26;
  if (hasDigit) charsetSize += 10;
  if (hasSymbol) charsetSize += 32;

  const entropy = length && charsetSize ? length * Math.log2(charsetSize) : 0;

  const guessesPerSecond = 1e9;
  const combinations = Math.pow(charsetSize, length);
  const secondsToCrack = combinations / 2 / guessesPerSecond;

  const strengthLabel = getStrengthLabel(entropy);
  const humanTime = formatTime(secondsToCrack);
  const suggestions = getSuggestions(pwd, entropy, hasLower, hasUpper, hasDigit, hasSymbol);

  return { length, charsetSize, entropy, secondsToCrack, humanTime, strengthLabel, suggestions };
}

Turning Analysis Into Feedback

The UI listens to password input, calls the analysis above, and updates:

• Strength labels (with intuitive color and description)
• Bit-level entropy and rough crack time
• Suggestions (make it longer, use more sets, watch common patterns, use a password manager)

The feedback is meant to be calm, practical, and supportive, not shaming.

How This Maps to Attacks

The model represents brute-force and dictionary-style attacks, where every possible combination or a large wordlist is tried systematically.

Real attackers may also use:

• Credential stuffing and spraying (using stolen passwords across sites)
• Phishing and social engineering (bypassing entropy altogether)

While the analyzer doesn’t address phishing or credential reuse, it visualizes brute-force math and is great for education and awareness.

Expand the Project

• Integrate a pattern-aware library (like zxcvbn) for advanced scoring
• Add attack profile toggles for different threat models (online/offline speeds)
• Embed in real signup or password-change pages
• Package as a reusable JS library or web component

Get Involved, Learn More, and Contribute

The password strength analyzer is fully open-source, privacy-first, and built for experimentation.

You can try the online demo, check out the GitHub repository, or fork it for your own projects.

Learn more about password security:

• OWASP Authentication Cheat Sheet
• OWASP Credential Stuffing Prevention Cheat Sheet
• NIST Password Guidelines
• Auth0: NIST Guidelines Summary
• Keeper Blog: Types of Password Attacks
• SailPoint: Password Attack Types

Have questions, extension ideas, or feedback? Drop a comment below. Whether you’re a beginner, teacher, or developer, you can help empower everyone to build safer, smarter applications, one password at a time!