Understanding Password Entropy
Introduction to Information Theory in Security
When we describe a password as “strong” or “weak,” we are using subjective terms. In cybersecurity and cryptography, we need an objective, mathematical measurement to evaluate a password’s resistance to guessing attacks. This metric is Password Entropy, which is derived from Claude Shannon’s information theory.
Entropy measures the uncertainty or unpredictability of a value. In the context of passwords, it tells us how many bits of information are contained in the credential, which translates directly to the number of attempts a hacker would need to guess it.
The Entropy Formula
The formula used to calculate password entropy is:
$$E = L \times \log_2(R)$$
Where:
- $E$ is the entropy in bits.
- $L$ is the length of the password.
- $R$ is the size of the character pool (the range of possible characters).
The Character Pool ($R$)
To find $R$, we identify which character sets are used:
- Lowercase letters (a-z): 26 characters.
- Uppercase letters (A-Z): 26 characters.
- Numbers (0-9): 10 characters.
- Special symbols (e.g., !@#$%^&*): 33 characters (standard ASCII symbols).
If a password uses lowercase, numbers, and symbols, the character pool is $R = 26 + 10 + 33 = 69$.
Step-by-Step Entropy Calculations
Let’s calculate the entropy for three different password structures:
Case 1: Simple Password (secret)
- Length ($L$): 6.
- Character Pool ($R$): 26 (lowercase only).
- Calculation: $6 \times \log_2(26) \approx 6 \times 4.7004 = 28.2\text{ bits}$.
- Verdict: Extremely weak. Easily cracked instantly.
Case 2: Complex Short Password (K9#b$1)
- Length ($L$): 6.
- Character Pool ($R$): 94 (mixed letters, numbers, symbols).
- Calculation: $6 \times \log_2(94) \approx 6 \times 6.5546 = 39.3\text{ bits}$.
- Verdict: Weak. Vulnerable to offline GPU cracking rigs.
Case 3: Random Long Password (k8#Mx9!pQ2tZ)
- Length ($L$): 12.
- Character Pool ($R$): 94.
- Calculation: $12 \times \log_2(94) \approx 12 \times 6.5546 = 78.65\text{ bits}$.
- Verdict: Highly Secure. Suitable for critical accounts.
Understanding the Entropy Scale
Bits of entropy scale exponentially. Every single bit of entropy added doubles the difficulty of cracking the password. Here is the standard scale:
| Entropy Range | Strength Rating | Security Status |
|---|---|---|
| Under 40 Bits | Very Weak | Vulnerable to instant cracking by basic script tools. |
| 40 to 59 Bits | Weak | Can survive basic online audits, but falls to offline GPU brute force. |
| 60 to 79 Bits | Medium | Secure enough for standard retail or social media profiles. |
| 80 to 99 Bits | Strong | Safe for corporate accounts and primary email logins. |
| 100+ Bits | Extremely Strong | Immune to brute-force attacks by modern hardware clusters. |
Entropy of Passphrases (Diceware)
When generating passphrases using words rather than characters, we use the Diceware method. If we select words from a list of 7,776 words (which corresponds to rolling 5 dice for each word):
- Each word selected provides $\log_2(7776) \approx 12.92\text{ bits}$ of entropy.
- A 5-word passphrase yields $5 \times 12.92 = 64.6\text{ bits}$ of entropy.
- A 6-word passphrase yields $6 \times 12.92 = 77.5\text{ bits}$ of entropy.
Because Diceware passphrases choose words completely at random, they lack any grammatical syntax, making them highly resistant to dictionary-cracking algorithms. You can evaluate your password’s details using our Entropy Calculator.