Understanding Password Entropy
Learn how password entropy is calculated and why it matters. Understand the relationship between character set size, password length, and bits of entropy — the true measure of password strength.
Detailed Explanation
What Is Password Entropy?
Entropy measures how unpredictable a password is: how many equally likely values the process that generated it could have produced. A password with H bits of entropy is one of 2^H equally likely possibilities, so an attacker who knows how it was generated but not its value needs 2^(H-1) guesses on average to hit it by brute force. Entropy is measured in bits, and it is a property of the generation process, not of the resulting string.
The Formula
H = L * log2(C)
Where:
- H = entropy in bits
- L = password length
- C = size of the character pool
Each bit of entropy doubles the number of possible combinations.
Character Pool Sizes
| Character Set | Pool Size (C) | Bits per Char |
|---|---|---|
| Digits only | 10 | 3.32 |
| Lowercase only | 26 | 4.70 |
| Lowercase + digits | 36 | 5.17 |
| Mixed case | 52 | 5.70 |
| Alphanumeric | 62 | 5.95 |
| All printable ASCII | 95 | 6.57 |
Entropy Examples
8-char lowercase: 8 * 4.70 = 37.6 bits
8-char alphanumeric: 8 * 5.95 = 47.6 bits
8-char all ASCII: 8 * 6.57 = 52.6 bits
12-char alphanumeric: 12 * 5.95 = 71.4 bits
16-char all ASCII: 16 * 6.57 = 105.1 bits
4-word Diceware: 4 * 12.92 = 51.7 bits
6-word Diceware: 6 * 12.92 = 77.5 bits
(A Diceware list has 6^5 = 7776 words, one per five dice rolls, so each word drawn at random contributes log2(7776) = 12.92 bits; the same formula applies with words as the symbols and the list size as C.)
Entropy Security Levels
| Bits | Security Level | Suitable For |
|---|---|---|
| < 28 | Very Weak | Nothing (trivially crackable) |
| 28-35 | Weak | Low-value accounts only |
| 36-59 | Moderate | Standard online accounts |
| 60-79 | Strong | Important accounts |
| 80-99 | Very Strong | Financial, email, admin |
| 100+ | Excellent | Encryption keys, master passwords |
Important Caveats
The formula only holds for passwords generated uniformly at random. If a user chooses Password1!, the nominal figure for a 10-character password drawn from all 95 printable characters (10 * 6.57 = ~66 bits) is meaningless: that string sits near the top of every dictionary attack list, so an attacker finds it after a handful of guesses. For a human-chosen password the effective work is the password's position in the attacker's guess order, not 2^(H-1), and a password strength meter that counts character classes will overstate it badly.
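The formula, the table values and the caveat above, as an added example in Python that is not code from the original page: it computes H = L * log2(C) for the listed character pools and for Diceware passphrases, generates passwords that actually have that entropy using the `secrets` module, and contrasts the nominal figure for Password1! with the work an attacker really needs when the password sits near the top of a wordlist. The function names, the character-class heuristic in `nominal_entropy` and the five-entry `SAMPLE_WORDLIST` are constructed for this example.

```python
import math
import secrets
import string

# Character pools from the table above (sizes 10, 26, 36, 52, 62 and 95).
POOLS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "lowercase+digits": string.ascii_lowercase + string.digits,
    "mixed case": string.ascii_letters,
    "alphanumeric": string.ascii_letters + string.digits,
    # 10 digits + 52 letters + 32 punctuation marks + space = 95
    "printable ascii": string.digits + string.ascii_letters + string.punctuation + " ",
}

# Classes used to estimate the pool of a password someone else chose
# (heuristic for the example, not a standard).
CHAR_CLASSES = [string.digits, string.ascii_lowercase,
                string.ascii_uppercase, string.punctuation + " "]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words: five dice rolls select one word

# Constructed stand-in for the head of a breach-derived wordlist (not real data).
SAMPLE_WORDLIST = ["123456", "password", "Password1!", "qwerty", "letmein"]


def entropy_bits(length: int, pool_size: int) -> float:
    """H = L * log2(C): entropy of `length` symbols each drawn uniformly and
    independently from a pool of `pool_size` symbols."""
    if length <= 0 or pool_size < 2:
        return 0.0
    return length * math.log2(pool_size)


def passphrase_entropy(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """A passphrase is a password whose symbols are words: same formula,
    with the word-list size as the pool."""
    return entropy_bits(word_count, list_size)


def generate_password(length: int, pool: str) -> str:
    """Produce a password that really has entropy_bits(length, len(pool)) bits.
    secrets.choice draws from the OS CSPRNG; random.choice would not do."""
    return "".join(secrets.choice(pool) for _ in range(length))


def nominal_entropy(password: str) -> float:
    """What the formula credits a user-chosen password: its length times the
    bits per character of the union of the character classes it uses.
    This is an upper bound that assumes uniform random choice."""
    pool_size = sum(len(cls) for cls in CHAR_CLASSES
                    if any(ch in cls for ch in password))
    return entropy_bits(len(password), pool_size)


def effective_entropy(password: str, wordlist: list[str]) -> float:
    """Bits of work for an attacker who tries `wordlist` in order before
    falling back to brute force: log2(position) if the password is listed,
    otherwise the nominal brute-force figure."""
    if password in wordlist:
        return math.log2(wordlist.index(password) + 1)
    return nominal_entropy(password)


if __name__ == "__main__":
    for name, pool in POOLS.items():
        print(f"{name:16s} C={len(pool):3d} bits/char={math.log2(len(pool)):.2f}")
    print("6-word Diceware:", round(passphrase_entropy(6), 1), "bits")
    chosen = "Password1!"
    print(chosen, "nominal", round(nominal_entropy(chosen), 1),
          "effective", round(effective_entropy(chosen, SAMPLE_WORDLIST), 2))
    generated = generate_password(16, POOLS["printable ascii"])
    print(generated, "effective", round(effective_entropy(generated, SAMPLE_WORDLIST), 1))
```

Password1! is credited ~65.7 bits by `nominal_entropy` but only log2(3) = 1.58 bits by `effective_entropy`, because it is the third entry in the constructed list; a 16-character string from `generate_password` is not in any list, so its nominal and effective figures coincide. Real attackers order candidates far more cleverly than a flat wordlist (rules, masks, Markov models), which only widens the gap for human-chosen passwords.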
Entropy vs. Crack Time
Crack time depends on the attacker's guess rate:
Time = 2^(H-1) / guesses_per_second
This is the average case: the attacker expects to search half of the 2^H possibilities before hitting the right one (the worst case is 2^H / guesses_per_second). The guess rate depends on what is being attacked far more than on the password. The figures below assume 10 billion guesses/second, a high-end GPU cluster attacking a fast, unsalted hash. A slow, memory-hard password hash such as Argon2id or bcrypt cuts that rate by several orders of magnitude, and an online attack against a rate-limited login form by far more, so the same entropy buys very different amounts of time.
| Entropy | Average Crack Time |
|---|---|
| 40 bits | ~55 seconds |
| 60 bits | ~1.8 years |
| 80 bits | ~1.9 million years |
| 100 bits | ~2 trillion years |
| 128 bits | ~5.4 x 10^20 years |
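The crack-time formula carried through in code, as an added example that is not part of the original page: it reproduces the table above from Time = 2^(H-1) / guesses_per_second, inverts the formula to find the entropy needed for a target lifetime, and shows how the answer moves with the guess rate. The 10^10 guesses/second figure is the page's; the 10^4 rate for a slow hash and the 10 guesses/second rate for a rate-limited login are order-of-magnitude assumptions made for the example.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Guess rates in guesses per second. 1e10 is the page's "high-end GPU cluster"
# figure and only holds for fast, unsalted hashes. The other two are assumed
# orders of magnitude (they vary with cost parameters, hardware and lockout
# policy), included to show how much the target changes the answer.
GUESS_RATES = {
    "fast unsalted hash, GPU cluster": 1e10,
    "bcrypt/Argon2id, GPU cluster (assumed)": 1e4,
    "online login, rate-limited (assumed)": 10,
}


def average_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Time = 2^(H-1) / rate: on average the attacker searches half the space."""
    return 2.0 ** (entropy_bits - 1) / guesses_per_second


def average_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    return average_crack_seconds(entropy_bits, guesses_per_second) / SECONDS_PER_YEAR


def bits_needed(target_years: float, guesses_per_second: float) -> float:
    """Invert the formula: entropy at which the average crack time equals
    `target_years` at the given rate, H = log2(rate * seconds) + 1."""
    return math.log2(guesses_per_second * target_years * SECONDS_PER_YEAR) + 1


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits; scientific notation
    once the value passes a million units."""
    units = [("seconds", 1), ("minutes", 60), ("hours", 3600),
             ("days", 86400), ("years", SECONDS_PER_YEAR)]
    name, size = units[0]
    for unit_name, unit_size in units:
        if seconds >= unit_size:
            name, size = unit_name, unit_size
    value = seconds / size
    if value >= 1e6:
        return f"{value:.1e} {name}"
    return f"{value:.1f} {name}"


def crack_time_table(entropies=(40, 60, 80, 100, 128), rates=GUESS_RATES):
    """Average crack time for each entropy level under each guess rate."""
    return {bits: {label: human_duration(average_crack_seconds(bits, rate))
                   for label, rate in rates.items()}
            for bits in entropies}


if __name__ == "__main__":
    for bits, row in crack_time_table().items():
        print(f"{bits:3d} bits")
        for label, duration in row.items():
            print(f"    {label:40s} {duration}")
    print("bits for a 100-year average at 1e10 g/s:",
          round(bits_needed(100, 1e10), 1))
```

Running the script reproduces the table's column for the fast-hash rate (55.0 seconds, 1.8 years, 1.9e+06 years, 2.0e+12 years, 5.4e+20 years) and shows that at the assumed slow-hash rate the same 60-bit password takes a million times longer; `bits_needed` is the number a policy author actually wants, since it turns a target lifetime and an assumed attacker into a minimum entropy.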
Beyond Entropy: Practical Security
High entropy is necessary but not sufficient. A secure password also requires:
- Uniqueness — never reused across services
- Secure storage — hashed server-side with a slow, salted algorithm (Argon2id or bcrypt), which lowers the attacker's guess rate by orders of magnitude compared with a fast hash
- Breach monitoring — checked against known compromised databases
- MFA — entropy is a single layer; add additional factors
Use Case
Understanding entropy helps developers set appropriate password policies, security auditors evaluate system configurations, and users make informed decisions about password length and complexity. It provides the mathematical foundation for answering the question: how strong is this password really?