Table of Contents
What Are Password Combinations?
Password combinations represent the total number of unique passwords possible given a specific character set and length. This is calculated as the character pool size raised to the power of the password length. More combinations mean more resistance to brute-force attacks.
For example, a 4-digit numeric PIN has only 10,000 (10^4) possible combinations, while an 8-character password using all character types has over 6 quadrillion combinations. Understanding this math is crucial for creating secure passwords and evaluating security policies.
Combination Formula
Password Strength Table
| Character Set | Pool Size | 8-char Combos | Entropy |
|---|---|---|---|
| Digits only | 10 | 100,000,000 | 26.6 bits |
| Lowercase | 26 | 208.8 billion | 37.6 bits |
| Lower + Upper | 52 | 53.5 trillion | 45.6 bits |
| Alphanumeric | 62 | 218.3 trillion | 47.6 bits |
| All printable | 94 | 6.1 quadrillion | 52.4 bits |
Understanding Entropy
Password entropy measures the randomness or unpredictability of a password in bits. Higher entropy means stronger passwords. Entropy below 28 bits is considered very weak, 28-35 bits is weak, 36-59 bits is reasonable, 60-127 bits is strong, and 128+ bits is very strong.
- Each additional character adds log2(pool size) bits of entropy.
- Doubling the pool size adds 1 bit of entropy per character position.
- Length has a greater effect on entropy than character variety.
Frequently Asked Questions
How long to brute-force my password?
At 10 billion guesses per second (modern GPU cluster), an 8-character all-printable password takes about 7 days. A 12-character password with the same character set would take over 200 years.
Is a longer password or more character types better?
Length is generally more effective. A 16-character lowercase password has more entropy (75.2 bits) than an 8-character all-printable password (52.4 bits). Ideally, use both long passwords and varied character types.
Does this account for dictionary attacks?
No. This calculator assumes random passwords. If your password uses common words or patterns, the effective entropy is much lower. Use truly random passwords or passphrases for maximum security.