Password Entropy Explained
Understand password entropy — the mathematical measure of password randomness. Learn how character pool size, length, and true randomness combine to determine password strength in bits.
Detailed Explanation
What Is Password Entropy?
Entropy is the mathematical measure of uncertainty or randomness in a password. It quantifies the average number of guesses an attacker would need to crack a password through brute force. Entropy is measured in bits — each additional bit doubles the number of possible combinations.
The Formula
H = L × log2(C)
Where:
- H = entropy in bits
- L = password length
- C = size of the character pool
For example, a 12-character password using the full printable ASCII set (95 characters):
H = 12 × log2(95) = 12 × 6.57 = 78.8 bits
Character Pool Sizes
| Character Set | Pool Size (C) | Bits per Character |
|---|---|---|
| Digits only (0-9) | 10 | 3.32 |
| Lowercase only (a-z) | 26 | 4.70 |
| Lowercase + digits | 36 | 5.17 |
| Mixed case (a-z, A-Z) | 52 | 5.70 |
| Alphanumeric | 62 | 5.95 |
| Full printable ASCII | 95 | 6.57 |
Entropy Security Levels
| Bits | Security Level | Typical Use |
|---|---|---|
| < 28 | Very Weak | Easily cracked in seconds |
| 28–40 | Weak | Low-value, throwaway accounts only |
| 40–59 | Moderate | Standard online accounts |
| 60–79 | Strong | Important accounts (email, banking) |
| 80–99 | Very Strong | Admin, infrastructure, financial |
| 100+ | Excellent | Encryption keys, master passwords |
Why Entropy Matters More Than Rules
Traditional complexity rules ("must include uppercase, digit, and symbol") give a false sense of security. A password like P@ssw0rd! satisfies every rule yet has near-zero effective entropy because it follows a predictable pattern found in every dictionary attack list.
True entropy comes from randomness — specifically, from using a cryptographically secure random number generator (CSPRNG) to select each character independently. When a password is truly random, the formula above accurately predicts its resistance to brute-force attacks.
Practical Entropy Targets
- General web accounts: aim for at least 60 bits
- High-security accounts (email, banking, password manager): at least 80 bits
- Encryption keys and master passwords: 100+ bits
A password strength analyzer calculates entropy by examining the character pool actually used and the password length, then compares the result against these thresholds.
Use Case
Understanding entropy is essential for anyone evaluating password policies — developers building authentication systems, security auditors reviewing configurations, and everyday users who want to know whether their passwords are genuinely strong or merely satisfy superficial complexity checkboxes.