Password entropy is a measurement of how unpredictable a password is. It is expressed in bits and calculated based on the size of the character set used and the length of the password. Higher entropy means more possible combinations, making the password harder to crack.
How Entropy Is Calculated
The formula is: Entropy = log2(N^L) where N is the number of possible characters and L is the password length.
| Character Set | Pool Size (N) | 12 chars (bits) | 20 chars (bits) |
|---|---|---|---|
| Lowercase only (a-z) | 26 | 56 bits | 94 bits |
| Lower + uppercase | 52 | 68 bits | 114 bits |
| Alphanumeric | 62 | 71 bits | 119 bits |
| Full printable ASCII | 95 | 79 bits | 131 bits |
| 4 random words (passphrase) | ~7,776 (dice list) | N/A | ~77 bits (4 words) |
How Much Entropy Is Enough?
- Below 40 bits: Easily cracked with modern hardware
- 40-60 bits: Weak to moderate - crackable given enough time
- 60-80 bits: Reasonable for most personal accounts
- 80-100 bits: Strong - sufficient for most threat models
- 100+ bits: Very strong - appropriate for high-value accounts
Why Patterns Reduce Entropy
Entropy assumes the password is truly random. Human-chosen passwords (p@ssw0rd, Fido2019!) have much lower real-world entropy than their mathematical calculation suggests because attackers use dictionaries with common substitution patterns, not pure brute force.
People Also Ask
- What does entropy mean in passwords?
- It is a measure of randomness or unpredictability. A password with high entropy has many possible values, making it hard to guess even with powerful computers.
- How much entropy for a good password?
- Aim for at least 80 bits for important accounts. A random 16-character password using mixed character types achieves approximately 105 bits.
Related: How long to crack a password | Password Strength Checker | Password Generator