Quick Definition

Password entropy is a measure of password strength expressed in bits. Higher entropy means more possible combinations and greater resistance to brute-force attacks. It is calculated from the character set size and password length.

How Password Entropy Works

The formula: Entropy = log₂(C^L) = L × log₂(C), where C is the size of the character set the password is drawn from and L is the password length. The character-set sizes are cumulative: lowercase letters only (26), adding uppercase (52), adding digits (62), adding symbols (~95, the printable ASCII set).

Entropy Benchmarks

  • Below 28 bits: Very weak — crackable in seconds
  • 28-35 bits: Weak — minutes to hours
  • 36-59 bits: Moderate — days to months
  • 60-127 bits: Strong — years to centuries
  • 128+ bits: Very strong — effectively uncrackable with current technology

Real-World Example

Password "cat123" (6 chars, lowercase+digits = 36 options): entropy = 6 × log₂(36) = 31 bits — crackable in minutes. Password "Tr0ub4dor&3" (11 chars, full set of 95): entropy = 11 × log₂(95) = 72 bits — would take centuries. A 4-word passphrase "correct-horse-battery-staple" from a 7,776-word list: 4 × log₂(7,776) = 51 bits — strong and memorable.
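To make the formula and the three worked examples concrete, here is an added Python helper that is not part of the original page: it infers the character pool from the four classes described above, applies E = L × log₂(C), and maps the result onto the benchmark table. The symbol class is assumed to be ASCII punctuation plus the space (33 characters) so that the four classes together total the page's 95.

```python
import math
import string

# Character classes as the page counts them. The symbol class (punctuation plus
# space, 33 characters) is an assumption chosen so that all four classes sum to 95.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

# The page's benchmark table as (exclusive upper bound in bits, label).
BENCHMARKS = [(28, "very weak"), (36, "weak"), (60, "moderate"), (128, "strong")]


def charset_size(password: str) -> int:
    """Size C of the smallest union of classes that covers every character."""
    if not password:
        raise ValueError("empty password")
    if any(not any(c in chars for chars, _ in CLASS_SIZES.values()) for c in password):
        raise ValueError("character outside the four ASCII classes")
    return sum(n for chars, n in CLASS_SIZES.values() if any(c in chars for c in password))


def entropy_bits(length: int, pool_size: int) -> float:
    """E = L * log2(C): bits for L symbols drawn uniformly from a pool of size C."""
    return length * math.log2(pool_size)


def password_entropy(password: str) -> float:
    """Theoretical entropy over the inferred pool. This is an upper bound:
    dictionary words, patterns and substitutions lower the effective figure."""
    return entropy_bits(len(password), charset_size(password))


def passphrase_entropy(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from a word list."""
    return entropy_bits(word_count, wordlist_size)


def rate(bits: float) -> str:
    """Map an entropy value onto the page's benchmark labels."""
    for bound, label in BENCHMARKS:
        if bits < bound:
            return label
    return "very strong"


if __name__ == "__main__":
    for pw in ("cat123", "Tr0ub4dor&3", "Password1!"):
        e = password_entropy(pw)
        print(f"{pw!r}: C={charset_size(pw)}, L={len(pw)}, E={e:.1f} bits ({rate(e)})")
    e = passphrase_entropy(4)
    print(f"4-word passphrase from 7,776 words: E={e:.1f} bits ({rate(e)})")
```

Note that the passphrase comes out as 51.7 bits, which the page truncates to 51; by the benchmark table that is "moderate", while "Password1!" scores a theoretical ~66 bits despite being a dictionary-attack target.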

Frequently Asked Questions

How many bits of entropy do I need?

For most online accounts, 50-60 bits is adequate (accounts lock after failed attempts). For offline attacks (encrypted files, password databases), aim for 80+ bits. For critical systems, 128+ bits provides maximum security.

Are passphrases better than complex passwords?

Often yes. A 4-5 word passphrase (e.g., "purple-mountain-bicycle-sunset") is typically both stronger and easier to remember than a short complex password (e.g., "X9#kL!"). Length contributes more to entropy than character complexity.

Does password entropy account for dictionary attacks?

Standard entropy assumes random character selection. Real passwords often use dictionary words, patterns, and substitutions that reduce effective entropy. A password like "Password1!" has theoretical entropy of ~66 bits but is cracked instantly by dictionary attacks.