obfus.link

Password Entropy is a two-mode analyzer. Password mode computes Shannon entropy in bits, classifies strength from weak to extreme, and estimates crack time at ten billion guesses per second. Policy mode audits a policy's theoretical search space, grades A through F, and checks compliance against NIST 800-63B for composition rules and minimum length.

Tier 2 · validators · ✓ TDD Verified

Password Entropy

Score password strength and audit policy compliance against NIST 800-63B

Analyzed locally · never transmitted in plaintext · omitted from copy output

How to use

  1. Pick mode: Analyze Password to score a single password, or Audit Policy to grade a policy definition.
  2. Password mode: Enter the password. The analyzer runs locally — the password is never transmitted in plaintext and is omitted from the copyable report.
  3. Policy mode: Set minLength, optional maxLength, and toggle any class requirements (upper, lower, digit, special). Enable NIST 800-63B check to get a per-requirement compliance audit.
  4. Run: Click Analyze/Audit or press Ctrl+Enter. Issues appear at the top with severity boxes; strength tier or policy grade follows; NIST findings (if requested) appear below.

MCP / API

Call password_entropy directly from any MCP-compatible agent:

// MCP TypeScript SDK
const result = await client.callTool({
  name: "password_entropy",
  arguments: {
    "mode": "password",
    "nistCompliance": false
  }
});

// curl
curl -X POST https://obfus.link/mcp \
  -H "Authorization: Bearer <SPT>" \
  -H "Content-Type: application/json" \
  -d '{"method":"tools/call","params":{"name":"password_entropy","arguments":{"mode":"password","nistCompliance":false}}}'

Related tools

Hash Generator
Generate MD5, SHA-256, SHA-512, BLAKE3 and more in one call
HMAC Generator
Generate and verify HMAC signatures with Stripe, GitHub, Twilio, Shopify, Slack templates
JWT Hardener
Audit and harden JWT tokens with security scoring and diff output

FAQ

How is entropy calculated?

Shannon entropy: length × log2(charset_size). The charset is derived from which character classes the password actually uses (lowercase=26, uppercase=26, digits=10, special=32, unicode adds ~100). For policies, the charset is derived from which classes are required (the conservative floor). 30 bits is weak, 60+ is strong, 128+ is extreme.

What does the policy grade mean?

Theoretical entropy at minLength with the required charset. A ≥ 80 bits (effectively uncrackable), B ≥ 65, C ≥ 50, D ≥ 35, F < 35 (insufficient even for casual attackers). Grade reflects the minimum a policy permits — actual user passwords often exceed this floor.

Why does NIST 800-63B fail composition rules?

NIST research found that composition rules ("must contain uppercase, digit, special") push users toward predictable patterns like "Password1!" — adding entropy on paper but losing it to dictionary-attack heuristics. The current guidance is length over composition: enforce a longer minimum and screen against breached passwords instead.
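
The formula, grade thresholds and length-over-composition point from the three answers above, worked through in an added JavaScript example (not obfus.link's own code). Assumptions: every non-alphanumeric ASCII character counts as special, a policy that requires no class is scored as lowercase-only, and crack time means exhausting the full search space.

```javascript
// Added example: charset sizes and grade cut-offs are the ones quoted in the FAQ.
const CLASS_SIZE = { lower: 26, upper: 26, digit: 10, special: 32, unicode: 100 };
const GUESSES_PER_SECOND = 1e10; // ten billion guesses per second, as stated on the page

// Which character classes does this string actually use?
// Assumption: any ASCII character that is not a letter or digit counts as "special".
function classesUsed(password) {
  const used = new Set();
  for (const ch of password) {
    if (/[a-z]/.test(ch)) used.add("lower");
    else if (/[A-Z]/.test(ch)) used.add("upper");
    else if (/[0-9]/.test(ch)) used.add("digit");
    else if (ch.codePointAt(0) < 128) used.add("special");
    else used.add("unicode");
  }
  return [...used];
}

// length × log2(charset_size); an empty charset yields 0 bits.
function entropyBits(length, classes) {
  const charset = classes.reduce((n, c) => n + CLASS_SIZE[c], 0);
  return charset > 0 ? length * Math.log2(charset) : 0;
}

function passwordEntropy(password) {
  // Count code points so an astral character is one symbol, not two UTF-16 units.
  return entropyBits([...password].length, classesUsed(password));
}

// Policy floor: entropy at minLength over the required classes only.
// Assumption: a policy that requires no class is scored as lowercase-only.
function policyGrade({ minLength, required = [] }) {
  const bits = entropyBits(minLength, required.length ? required : ["lower"]);
  const grade = bits >= 80 ? "A" : bits >= 65 ? "B" : bits >= 50 ? "C" : bits >= 35 ? "D" : "F";
  return { bits, grade };
}

// Assumption: crack time means exhausting the whole search space.
function crackSeconds(bits) {
  return 2 ** bits / GUESSES_PER_SECOND;
}

const composed = policyGrade({ minLength: 8, required: ["upper", "lower", "digit", "special"] });
const lengthOnly = policyGrade({ minLength: 15, required: ["lower"] });
console.log("8 chars, all classes:", composed.grade, composed.bits.toFixed(1));
console.log("15 chars, lowercase :", lengthOnly.grade, lengthOnly.bits.toFixed(1));
console.log('"Password1!" bits   :', passwordEntropy("Password1!").toFixed(1));
```

The formula scores "Password1!" as a uniformly random 10-character string over 94 symbols, so the number it reports is an upper bound for a human-chosen password; that gap is what breached-password screening covers.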

Is my password sent to the server?

The Surface A web UI passes the password to the server action, which runs the analyzer in memory and returns the result. The password is NOT logged, persisted, or transmitted to any third party. The deterministicHash in metadata is computed over the password length and policy shape only — never the plaintext password.

Can I use this tool via the MCP API?

Yes. The tool is registered on the obfus.link MCP server at https://obfus.link/mcp. Call it from any MCP-compatible agent with a Shared Payment Token. The MCP tool name matches the snake_case slug shown in the integration snippet.