Password Entropy: How to Measure Password Strength Mathematically
Understand password entropy, how it measures password strength against brute force attacks, and how character set size and length affect security.
What Is Password Entropy?
Password entropy is a mathematical measure of how difficult a password is to guess. It quantifies the number of possible combinations an attacker would need to try in a brute-force search and expresses that number in bits — the unit of information theory developed by Claude Shannon. Every additional bit of entropy doubles the difficulty of cracking the password. A password with 40 bits of entropy has 2^40 possible combinations — about 1 trillion — and would take a modern computer a few hours to brute force. A password with 80 bits would take billions of years.
Understanding entropy enables you to evaluate password strength objectively, compare different password strategies, and make informed decisions about password policies for yourself or your organization. It also explains why password length matters far more than character complexity.
The Entropy Formula
The entropy of a password depends on two factors: the size of the character set (N) and the length of the password (L). The formula is: Entropy = L × log₂(N). The character set size depends on the types of characters used: lowercase letters (26), uppercase letters (26), digits (10), and special characters (approximately 33). A password using all four types has a character set of 26 + 26 + 10 + 33 = 95 possible characters per position.
For a 12-character password using all 95 characters: Entropy = 12 × log₂(95) = 12 × 6.57 = 78.8 bits. This means there are 2^78.8 ≈ 3 × 10^23 possible passwords — far beyond the cracking capability of any current technology.
Swipe sideways to compare columns.
| Length | Lowercase Only (26) | Lower + Upper (52) | All Characters (95) |
|---|---|---|---|
| 6 | 28.2 bits | 34.2 bits | 39.4 bits |
| 8 | 37.6 bits | 45.6 bits | 52.6 bits |
| 10 | 47.0 bits | 57.0 bits | 65.7 bits |
| 12 | 56.4 bits | 68.4 bits | 78.8 bits |
| 14 | 65.8 bits | 79.8 bits | 91.9 bits |
| 16 | 75.2 bits | 91.2 bits | 105.1 bits |
Why Common Patterns Collapse Entropy
The entropy formula assumes that each character is chosen uniformly at random from the character set. In practice, humans do not choose randomly. We use dictionary words, names, dates, keyboard patterns, and simple substitutions (like P@ssw0rd). These patterns dramatically reduce effective entropy because attackers use word lists, rule-based attacks, and probability models rather than pure brute force.
A password like "Tr0ub4dor&3" appears complex with all character types (95^11 ≈ 5 × 10^21 possibilities in theory). But in practice, it is a common word with simple substitutions and a trailing symbol — patterns well-known to cracking software. Its effective entropy might be only 28-30 bits, crackable in minutes. This is why the NIST guidelines recommend passphrases over complex passwords.
Passphrases and Diceware Entropy
Passphrases — sequences of random common words — provide high entropy while being memorable. The Diceware method uses a word list of 7,776 words (6^5, generated by five dice rolls). Each word contributes log₂(7776) = 12.9 bits of entropy. A 4-word Diceware passphrase has approximately 51.6 bits of entropy, comparable to a 9-character random password with all character types.
A 6-word Diceware passphrase (77.4 bits) provides excellent security with words like "correct horse battery staple" that are easy to remember but resistant to attacks because the words are randomly selected from a large list. The key is actual randomness — choosing your own words reduces entropy because human word choices are predictable.
Swipe sideways to compare columns.
| Password Type | Length | Entropy | Crack Time (1 trillion/s) |
|---|---|---|---|
| 4-word Diceware | varies | 51.6 bits | ~2 hours |
| 8-char random (95 set) | 8 | 52.6 bits | ~4 hours |
| 6-word Diceware | varies | 77.4 bits | ~10 million years |
| 12-char random (95 set) | 12 | 78.8 bits | ~15 million years |
| 8-word Diceware | varies | 103.2 bits | ~10^19 years |
| 16-char random (95 set) | 16 | 105.1 bits | ~10^20 years |
Practical Password Strength Guidelines
Current security recommendations balance entropy against usability. For most online services, 64 bits of entropy is a reasonable target — providing good security without requiring unusably long passwords. For high-value accounts (password managers, email, financial accounts), target 80+ bits. For encryption keys and administrator access, 128+ bits is appropriate.
Use a password manager to generate and store high-entropy passwords — typically 16+ random characters (105+ bits). Enable multi-factor authentication as a second layer of defense. For passwords you must remember, use a passphrase of 5-7 random words (64-90 bits) rather than trying to remember a complex random string.
Measure Password Strength
Password Strength CalculatorUse our Password Strength Calculator to measure entropy, estimate crack time, and compare different password strategies for optimal security.Frequently Asked Questions
How fast can modern computers crack passwords?
A consumer GPU can try 10-30 billion passwords per second for NTLM hashes. Specialized hardware like FPGA arrays can reach trillions per second. Against online services with rate limiting, the speed drops to just a few attempts per second. The crack time estimates assume the attacker has obtained the password hash, not that they are trying to log in directly.
Does requiring special characters actually help?
Yes, but less than increasing length. Adding special characters to the character set increases entropy per character from 5.7 bits (lowercase only) to 6.6 bits (all 95 characters) — a 16% improvement. Increasing length by 2 characters doubles entropy regardless of character set. Length is more effective.
How often should I change my passwords?
Current NIST guidelines recommend changing passwords only when there is evidence of compromise. Frequent forced changes lead users to choose weaker passwords with predictable patterns. Use unique passwords for each account via a password manager, enable MFA where available, and change passwords immediately if a service reports a breach.