brtc: A CLI Tool to Convert Password Strength into "Time to Crack and a Real USD Invoice"

via Dev.tokt

Introduction

If you're an engineer, you've likely debated "Is this password strong enough?" when designing a password policy. The metric most commonly used in these discussions is entropy (information density). For example, "It's an 8-character alphanumeric password, so the entropy is about 41 bits..."

However, even when presented with this number, it's hard for non-engineers (or even engineers unfamiliar with infrastructure) to feel a visceral sense of danger. That's why I created brtc (Brute-force Cost), a CLI tool that takes abstract entropy numbers and converts them into a "real invoice" (time and cloud compute costs) that anyone can understand: "How much would it cost to brute-force this using modern computing resources (GPUs or clusters)?"

What is "Entropy"? (Quantifying Password Strength)

When discussing password strength, two things are essential: Character Space (R) and Length (L). For example, let's say a password is the 5-letter string apple, consisting solely
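
The entropy-to-invoice conversion described in the introduction, as an added example for reviewing a password policy; it is not brtc's code and does not come from the article. The guessing rate, the hourly price and every function name are assumptions, and entropy is taken as L * log2(R), which holds only for uniformly random passwords.

```python
import math
import string

# Assumed attacker model (NOT figures from the article or from brtc):
GUESSES_PER_SEC = 1e10    # offline guessing rate against a fast, unsalted hash
USD_PER_HOUR = 1.00       # rental price of the hardware delivering that rate

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def char_space(password: str) -> int:
    """Estimate R: total size of every ASCII class seen, plus distinct other chars."""
    r = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    others = {c for c in password if not any(c in cls for cls in CLASSES)}
    return r + len(others)

def entropy_bits(R: int, L: int) -> float:
    """Entropy of a uniformly random password: L * log2(R). Upper bound only."""
    return L * math.log2(R) if R > 1 and L > 0 else 0.0

def invoice(password: str, rate: float = GUESSES_PER_SEC,
            usd_per_hour: float = USD_PER_HOUR) -> dict:
    """Convert a password into expected brute-force time and rental cost."""
    R, L = char_space(password), len(password)
    bits = entropy_bits(R, L)
    # On average the search hits after half the keyspace: 2^(bits-1) guesses.
    # Beyond ~1000 bits a float overflows; treat the cost as unbounded.
    guesses = 0.0 if bits == 0 else math.inf if bits > 1000 else 2.0 ** (bits - 1)
    seconds = guesses / rate
    return {"R": R, "L": L, "bits": bits, "seconds": seconds,
            "usd": seconds / 3600 * usd_per_hour}

if __name__ == "__main__":
    # Constructed sample inputs. "apple" is a dictionary word, so a wordlist
    # finds it far faster than this exhaustive-search bound suggests.
    for pw in ("apple", "Passw0rd!", "k3Vq9ZpL2mXa"):
        inv = invoice(pw)
        print(f"{pw!r}: R={inv['R']} L={inv['L']} {inv['bits']:.1f} bits, "
              f"{inv['seconds']:.3g} s, ${inv['usd']:.3g}")
```

With a slow, salted password hash the achievable guessing rate drops by orders of magnitude, so pass the rate that matches the hash your system actually stores.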
