Password Combination Calculator - Pool, Length, and Entropy
Use this password combination calculator to count possible passwords, entropy in bits, and brute-force time from your character pool and length.
What Is a Password Combination Calculator?
A password combination calculator is a combinatorics tool that counts the number of distinct passwords a person can create from a given character pool and password length, then turns that count into a strength estimate in bits and an expected brute-force time at a chosen guess rate.
- Pick a sensible length: Compare 8, 10, 12, and 16 character passwords to see how the count explodes as the exponent grows.
- Pick a sensible pool: Decide whether adding digits and symbols is worth the memorability cost for the same length.
- Argue a policy: Show a team why the company minimum-length rule maps to a specific keyspace size.
- Estimate attack time: Pair a keyspace count with an offline GPU guess rate to translate 'hard to guess' into hours, days, or years.
Every password is a string drawn from a fixed alphabet, so the number of possible passwords is a textbook counting problem. The password combination calculator uses that fact directly: it adds up the size of the character pool, raises that size to the power of the password length, and reports the resulting count together with the entropy in bits. The result is the size of the keyspace an attacker has to search when brute-forcing the password.
The tool also reports a human-readable brute-force time using the guess rate you supply. A modern offline GPU cluster can try on the order of 10 billion passwords per second, so a 12 character password drawn from a pool of 94 printable characters is not just a large number; it is a number that even that cluster cannot finish in a human lifetime.
For the general counting toolkit behind N^L, the permutation and combination calculator covers the nPr and nCr formulas that this tool specializes to a fixed character pool.
How the Password Combination Calculator Works
The calculator combines three well-known formulas. The first is the size of the keyspace with repetition allowed. The second is the entropy in bits of a uniformly random password. The third is the average number of brute-force guesses needed to find such a password. They are wired together by a single user-facing choice: the character pool.
- N: Total size of the character pool. Sum of the lowercase, uppercase, digit, symbol, and custom contributions.
- L: Password length in characters. The exponent in N^L.
- H: Entropy in bits. H = L * log2(N) when the password is chosen uniformly at random from the pool.
When repetition is allowed (the default for a real password), each of the L positions is filled independently from the same pool of N characters, which gives N^L distinct strings. According to NIST SP 800-63B, this is the size of the keyspace used for memorized-secret entropy calculations.
When the toggle for repetition is set to 0, the calculator switches to the falling factorial N * (N-1) * (N-2) * ... * (N-L+1) = N! / (N-L)!. According to Wikipedia, this is the standard count for sequences drawn from a pool without replacement, and it is undefined for L > N, so the result panel returns zero and a 'pool too small' message in that case.
Lowercase-only 8 character password
N = 26 lowercase letters, L = 8 characters, repetition allowed.
combinations = 26^8 = 208,827,064,576
208,827,064,576 combinations, 37.60 bits of entropy, 104,413,532,288 average brute-force tries.
This is the classic textbook example for an 8-character lowercase password. The number is large but it falls in seconds to a 10 billion guesses-per-second cluster, which is why policies ask for more than just lowercase.
According to NIST SP 800-63B, the size of the password space for a length-L password drawn from a pool of N allowed characters, with repetition, is N^L, and the entropy of a uniformly random password from that space is L * log2(N) bits.
According to Wikipedia Permutation, the number of length-L sequences drawn from a pool of N characters without repetition is the falling factorial N * (N-1) * ... * (N-L+1) = N! / (N-L)!, and the formula is undefined for L > N.
The N^L step is just a pure power, so the exponent calculator is the natural way to verify any single value out of context.
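The three formulas above wired together, as an added example that is not the calculator's own code. The function names are hypothetical, the symbol class is assumed to be Python's 32-character `string.punctuation`, and `min_length` assumes N >= 2 and an integer bit target.

```python
import math
import string

# The four standard classes as the page counts them: 26 + 26 + 10 + 32 = 94.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def pool_size(enabled, custom=""):
    """N: distinct characters in the enabled classes plus any custom ones."""
    chars = set(custom)  # a set, so a custom char already in a class adds nothing
    for name in enabled:
        chars.update(CLASSES[name])
    return len(chars)


def keyspace(n, length, repetition=True):
    """N^L with repetition; falling factorial N! / (N-L)! without."""
    if repetition:
        return n ** length
    return math.perm(n, length)  # 0 when length > n: the 'pool too small' case


def entropy_bits(count):
    """log2 of the keyspace, which is L * log2(N) when repetition is allowed."""
    return math.log2(count) if count > 0 else 0.0


def average_seconds(count, guesses_per_second):
    """Average brute-force time: half the keyspace divided by the guess rate."""
    return count / 2 / guesses_per_second


def min_length(n, target_bits):
    """Smallest L with N^L >= 2^target_bits (n >= 2, repetition allowed)."""
    length = 1
    while n ** length < 2 ** target_bits:
        length += 1
    return length


if __name__ == "__main__":
    count = keyspace(pool_size(["lower"]), 8)
    print(count, round(entropy_bits(count), 2), average_seconds(count, 1e10))
```

Integer arithmetic keeps the count exact for any length; only the entropy and time figures are floating point.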
Key Concepts Behind the Numbers
Four ideas come up every time you reason about a password keyspace, and they are the same four ideas the calculator relies on under the hood.
Character pool size N
N is the count of distinct characters the user is allowed to type. With only lowercase letters N = 26; with lowercase plus digits N = 36; with all four standard classes plus custom characters N can climb above 94. The pool size is the base of the exponent.
Password length L
L is the number of positions in the password, the exponent in N^L. Each extra character multiplies the keyspace by N, which is why a one-character increase in length often beats a much larger increase in pool size.
With vs. without repetition
Most passwords allow repeated characters, so the count is N^L. If the policy says 'no character may appear twice', the count becomes the falling factorial N! / (N-L)!. The two answers diverge quickly as L grows toward N.
Entropy in bits
Entropy H = L * log2(N) measures how much randomness a uniformly random password from this pool carries. Adding one bit of entropy doubles the work an attacker must do on average. Going from 8 to 12 characters of the same pool is 4 extra characters of log2(N) bits each, which is the largest single jump most users can make.
The no-repetition count N! / (N-L)! is a ratio of two factorials, so the factorial calculator is what you reach for when you want to see each factor separately.
How to Use This Password Combination Calculator
Five short steps are enough to turn a character policy into a count, an entropy figure, and a brute-force time estimate.
1. Pick the character classes: Toggle lowercase, uppercase, digits, and symbols on or off to match the policy you are testing. The pool size N updates below the form.
2. Add custom characters if needed: Use the custom-characters field for letters with diacritics, non-ASCII digits, or any extra glyph the policy allows. Each one adds 1 to N.
3. Set the password length: Type the minimum length your policy enforces, then try one or two more characters to see how the count jumps.
4. Choose repetition and the guess rate: Leave repetition on for a normal password policy. Set the attacker guess rate to the value that matches your threat model: 1e10 for a modern GPU cluster, 1e3 for a rate-limited web form.
5. Read the result panel: Use the combination count, entropy in bits, and brute-force time to decide whether the policy is strong enough for the data it protects.
For a typical account policy of 10 characters with lowercase, uppercase, and digits (N = 62, L = 10), the calculator returns 62^10 = 8.39 * 10^17 combinations, 59.54 bits of entropy, and an average brute-force time of about 4.2 million years at 10 billion guesses per second.
Benefits of Using a Password Combination Calculator
The calculator turns an abstract security rule into a number you can act on, which makes policy decisions easier and faster.
- Make length rules visible: Show a team that moving the minimum from 8 to 12 characters multiplies the keyspace by 26^4 in the all-lowercase case and by N^4 for the chosen pool.
- Compare pool choices: Quantify how much each new character class contributes to the keyspace instead of relying on a vague 'add complexity' slogan.
- Translate entropy to attack time: Pair the bit count with a guess rate to get hours, days, or years of expected work, which is what auditors and threat models actually need.
- Pick the cheapest policy that holds: Use the calculator to find the smallest pool and length that still exceed a target entropy, instead of forcing every account to memorize 20 random characters.
- Explain the math to non-specialists: Show stakeholders the actual formula N^L and a worked example so password rules stop being a black box.
A single uniform guess matches with probability 1 / N^L, and the probability calculator turns that small probability into a clear fraction or percentage.
Factors That Affect the Combination Count
The combination count is sensitive to the size of the pool, the length of the password, and whether the policy allows repeated characters.
Character pool size N
Enlarging the pool raises the base of N^L, so every position contributes the larger factor: a jump from 26 to 62 multiplies the count by 62 / 26 at each position, which is (62 / 26)^L across the whole password.
Password length L
Length acts as the exponent, so adding one character multiplies the keyspace by N. Length is the single most powerful lever when the policy already uses all four standard classes.
Repetition rule
Allowing repeated characters uses the N^L count. Banning repeats switches to the falling factorial N! / (N-L)!, which is much smaller and undefined for L > N.
Custom characters and locales
Languages with diacritics or non-ASCII digits add to the pool only if the authenticator actually accepts those code points. A mismatch between policy and storage quietly reduces the effective N.
Threat-model guess rate
Brute-force time scales inversely with the attacker guess rate. A 10 billion guesses-per-second GPU cluster is about ten million times faster than a rate-limited web login form, so the same password reads differently under each scenario.
- The N^L keyspace and the L * log2(N) entropy figure assume the password is chosen uniformly at random from the pool. Real users pick from a much smaller effective pool, so the true attack cost is usually far below the calculator's number. NIST SP 800-63B uses L * log2(N) only for randomly chosen memorized secrets, not for human-chosen passwords.
- Brute-force time assumes the attacker can run at the chosen guess rate for the full duration. Real systems use rate limiting, account lockouts, hashed and salted storage, and hardware security modules that change the effective cost by many orders of magnitude and are not part of the keyspace calculation.
According to Wikipedia Password Strength, password entropy in bits for a password chosen uniformly at random from a pool of N characters and length L is H = L * log2(N), and the average number of brute-force guesses needed to find such a password is N^L / 2.
If you need the probability that at least k of L independent positions fall in a chosen character class, the binomial distribution calculator evaluates the underlying binomial sum.
Frequently Asked Questions
Q: How many possible passwords are there for a given length and character set?
A: The count is the size of the character pool N raised to the password length L: combinations = N^L when repetition is allowed. With only lowercase letters and an 8 character password, that is 26^8 = 208,827,064,576 combinations, and it scales by another factor of N for every extra position.
Q: Does the password combination formula allow repeated characters?
A: Yes by default. A normal password lets the same character appear more than once, so each of the L positions is filled independently from the same pool of N characters, which gives N^L. If you toggle repetition off, the count switches to the falling factorial N * (N-1) * ... * (N-L+1) = N! / (N-L)!, which is undefined when L > N.
Q: What is password entropy in bits?
A: Entropy is the log-base-2 measure of how much randomness the password carries. For a uniformly random password from a pool of N characters with length L, the entropy is H = L * log2(N) bits. Adding one bit of entropy doubles the average brute-force work, which is why each extra character is so valuable.
Q: How do I count combinations when uppercase, lowercase, digits, and symbols are required?
A: The keyspace size is still N^L, with N = 26 + 26 + 10 + 32 = 94 when all four standard classes are on. The 'required' part of the policy is a separate constraint that subtracts the strings missing a class; the password combination calculator reports the full keyspace so you can compare pool and length choices.
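The 'required' constraint from this answer, counted by inclusion-exclusion over the classes a string could be missing. This is an added example, not the calculator's own code; the function names are hypothetical and the classes are assumed to be disjoint.

```python
import math
from itertools import combinations


def count_with_required(class_sizes, length):
    """Strings of `length` over the combined pool that contain at least one
    character from every class (classes assumed disjoint)."""
    n = sum(class_sizes)
    total = 0
    # Choose k classes to exclude entirely; the remaining pool has
    # n - sum(missing) characters. Alternate signs to undo double counting.
    for k in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, k):
            total += (-1) ** k * (n - sum(missing)) ** length
    return total


def entropy_loss_bits(class_sizes, length):
    """Bits removed from L * log2(N) by requiring every class to appear."""
    full = sum(class_sizes) ** length
    allowed = count_with_required(class_sizes, length)
    if allowed == 0:  # password shorter than the number of required classes
        return math.inf
    return math.log2(full) - math.log2(allowed)


if __name__ == "__main__":
    sizes = [26, 26, 10, 32]  # lowercase, uppercase, digits, symbols: N = 94
    for length in (8, 12, 16):
        share = count_with_required(sizes, length) / sum(sizes) ** length
        print(length, f"{share:.1%} of N^L", f"-{entropy_loss_bits(sizes, length):.2f} bits")
```

The share of the keyspace that survives the rule grows with length, so the composition requirement costs the most entropy at exactly the short lengths where it is usually imposed.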
Q: How long would it take to brute force a password of a given length?
A: Average tries are half the keyspace, so divide the combination count by the guess rate. At 10 billion guesses per second, an 8 character lowercase password falls in about 10 seconds, a 12 character lowercase password in about 70,000 years, and a 16 character all-class password in time spans that exceed a human lifetime.
Q: What is the relationship between password combinations and password strength?
A: More combinations always mean more strength under the uniform-random assumption, but real strength depends on how the password was chosen. A 16 character string of dictionary words has many combinations in theory and very few in practice, so the calculator's number is a useful ceiling rather than a hard cap on real-world strength.