Password Strength and Entropy
Table of Contents
Understanding Entropy in Bits
Entropy is the fundamental measure of password strength, borrowed from information theory. In the context of passwords, entropy quantifies the amount of uncertainty or randomness in a password, expressed in bits. Each bit of entropy doubles the number of possible passwords an attacker must consider, making the password exponentially harder to crack.
The concept of entropy was introduced by Claude Shannon in his landmark 1948 paper "A Mathematical Theory of Communication." When applied to passwords, entropy tells us how many bits of information an attacker would need to guess the password. A password with 40 bits of entropy has 2^40 (approximately 1.1 trillion) possible combinations, while a password with 80 bits of entropy has 2^80 (approximately 1.2 × 10^24) possible combinations.
It is important to distinguish between information entropy (true randomness) and practical entropy (what attackers actually face). If you choose a password by thinking of a word and making some substitutions, the theoretical entropy might be high based on the character set, but the practical entropy is much lower because attackers know humans are predictable. A truly random 8-character password has about 52 bits of entropy, but a human-chosen 8-character password typically has only 20-30 bits.
Entropy scales linearly with password length for a given character set. Adding one character to a password increases its entropy by log₂(N) bits, where N is the size of the character pool. For lowercase letters (N=26), each additional character adds about 4.7 bits. For the full printable ASCII set (N=95), each character adds about 6.6 bits. This linear scaling means that doubling the length of a password adds a fixed number of bits, regardless of the starting length.
The practical minimum entropy for a password that should resist offline attacks is approximately 60 bits. For passwords protecting critical accounts (email, banking), aim for 80 bits or more. The master password for your password manager should ideally have 100+ bits of entropy, as it protects all your other credentials.
Character Pool Size and Mathematics
The character pool is the set of characters from which a password is constructed. The size of this pool is a critical factor in password strength. A larger character pool means more possible combinations for each character position, increasing the entropy per character.
Common character pools and their sizes include:
- Digits only (0-9): 10 characters — log₂(10) = 3.32 bits per character
- Lowercase letters (a-z): 26 characters — log₂(26) = 4.70 bits per character
- Letters (a-z, A-Z): 52 characters — log₂(52) = 5.70 bits per character
- Alphanumeric (a-z, A-Z, 0-9): 62 characters — log₂(62) = 5.95 bits per character
- Printable ASCII (all): 95 characters — log₂(95) = 6.57 bits per character
- Extended ASCII: 256 characters — log₂(256) = 8.00 bits per character
- Unicode (common): ~150,000 characters — log₂(150000) = 17.19 bits per character
The formula for total password entropy is straightforward: E = L × log₂(N), where L is the password length and N is the character pool size. This formula assumes each character is chosen independently and uniformly at random from the pool. If characters are not chosen randomly (as when humans pick passwords), the effective entropy is significantly lower.
Consider two passwords: "abcdefgh" (8 lowercase characters) and "aB3$kL9@" (8 mixed characters). The first has 8 × 4.70 = 37.6 bits of entropy, while the second has 8 × 6.57 = 52.6 bits. The mixed-character password is about 2^15 = 32,768 times stronger. However, a 12-character lowercase password "abcdefghijkl" has 12 × 4.70 = 56.4 bits, surpassing both 8-character passwords despite using a smaller character set.
This mathematical reality explains why security experts increasingly recommend length over complexity. Each additional character multiplies the search space by the character pool size, while using a larger pool only adds a fixed multiplicative factor. A 20-character lowercase password (94 bits) is stronger than a 12-character password using all 95 printable ASCII characters (78.8 bits).
Brute Force Time Calculations
Brute force attacks systematically try every possible password combination until the correct one is found. The time required depends on the number of possible passwords and the attacker's guessing speed. Understanding these calculations helps you choose passwords that remain secure against realistic threat models.
Modern password cracking hardware is extraordinarily fast. A single high-end GPU can make approximately 10 billion MD5 hash attempts per second. Specialized rigs with multiple GPUs can reach 100+ billion attempts per second for fast hashing algorithms. For slower algorithms like bcrypt, the rate drops to thousands or millions per second, which is why algorithm choice matters as much as password strength.
The time to crack a password by brute force is calculated as: T = N^L / (2 × S), where N is the character pool size, L is the password length, S is the guesses per second, and we divide by 2 because on average an attacker finds the password halfway through the search (average case).
| Password | Entropy (bits) | Combinations | @ 1B/sec (MD5) | @ 100K/sec (bcrypt) |
|---|---|---|---|---|
| 8 lowercase | 37.6 | 2.09 × 10¹¹ | ~1.7 minutes | ~17 days |
| 8 mixed case + digits | 47.6 | 2.18 × 10¹⁴ | ~1.2 days | ~34 years |
| 8 all 95 chars | 52.6 | 6.63 × 10¹⁵ | ~38 days | ~1,052 years |
| 12 lowercase | 56.4 | 9.54 × 10¹⁶ | ~1.5 years | ~15,127 years |
| 12 all 95 chars | 78.8 | 5.40 × 10²³ | ~8.6 million years | ~85.7 billion years |
| 16 lowercase | 75.3 | 4.36 × 10²² | ~691,000 years | ~6.9 billion years |
| 16 all 95 chars | 105.1 | 4.40 × 10³¹ | ~698 trillion years | ~6.98 × 10¹⁸ years |
These calculations assume the attacker must try every combination (worst case is twice the average case). In practice, attackers use dictionary attacks, rule-based mutations, and intelligent patterns to crack common passwords much faster than pure brute force. A password like "P@ssw0rd123" has high theoretical entropy but can be cracked in seconds using rule-based attacks that try common substitution patterns.
It is worth noting that these time estimates assume a single attacker with a single machine. Nation-state actors and well-funded criminal organizations can deploy thousands of machines in parallel, potentially reducing crack times by orders of magnitude. For high-value targets, assume the attacker has resources 100-1000 times greater than a single GPU.
Password Strength Meters
Password strength meters are tools that estimate the security of a password in real time as you type. They are commonly found on registration forms and password creation screens. While they provide useful feedback, it is important to understand their limitations.
Most password strength meters use simplified heuristics rather than true entropy calculations. They typically evaluate:
- Length: Longer passwords receive higher scores
- Character variety: Using uppercase, lowercase, numbers, and symbols increases the score
- Dictionary words: Common words reduce the score
- Common patterns: Sequential characters (abc, 123) and repeated characters reduce the score
- Known breaches: Advanced meters check against databases of compromised passwords
The most well-known password strength estimation library is zxcvbn, developed by Dropbox. Unlike simple heuristic meters, zxcvbn uses pattern matching and entropy estimation to provide more accurate strength assessments. It recognizes common passwords, names, dates, keyboard patterns (qwerty, asdf), and repeated characters. It also identifies when a password is a simple modification of a common word (like "P@ssw0rd").
Limitations of password strength meters include:
- They cannot account for passwords that have already been leaked in breaches (unless specifically integrated with breach databases)
- Different meters give different scores for the same password, leading to inconsistent feedback
- They may encourage poor habits by rewarding complexity over length (e.g., "P@ssw0rd!" might score higher than "correct horse battery staple")
- They cannot predict future advances in cracking techniques
- Simple meters may not recognize sophisticated dictionary attacks or pattern-based cracking rules
For the most accurate password strength assessment, use tools based on zxcvbn or similar entropy-based estimation libraries. Better yet, use a password manager to generate passwords, which guarantees maximum entropy without relying on heuristic scoring.
Password Strength Comparison
The following comprehensive comparison table shows how different password configurations compare in terms of entropy, number of possible combinations, and estimated crack times against various attack scenarios. Use this table to understand the security implications of your password choices.
| Configuration | Character Pool | Entropy/Char | 8 chars | 12 chars | 16 chars | 20 chars |
|---|---|---|---|---|---|---|
| Digits only | 10 | 3.32 bits | 26.6 bits | 39.9 bits | 53.2 bits | 66.4 bits |
| Lowercase only | 26 | 4.70 bits | 37.6 bits | 56.4 bits | 75.3 bits | 94.0 bits |
| Mixed case | 52 | 5.70 bits | 45.6 bits | 68.4 bits | 91.2 bits | 114.0 bits |
| Alphanumeric | 62 | 5.95 bits | 47.6 bits | 71.4 bits | 95.2 bits | 119.0 bits |
| All printable ASCII | 95 | 6.57 bits | 52.6 bits | 78.8 bits | 105.1 bits | 131.4 bits |
This table clearly shows the advantage of longer passwords. A 20-character lowercase-only password (94 bits) is stronger than an 8-character password using all 95 printable ASCII characters (52.6 bits). The difference is dramatic: the 20-character lowercase password has approximately 2^41 = 2.2 trillion times more possible combinations.
When choosing a password strategy, consider this trade-off: adding 4 characters to a lowercase password adds 18.8 bits of entropy, while switching from lowercase to all printable ASCII adds only 15 bits for the same length. Length improvements consistently outperform character set improvements.
NIST Password Guidelines
The National Institute of Standards and Technology (NIST) publishes the most influential password guidelines through Special Publication 800-63B. The latest revision (2024) represents a significant shift from traditional password advice, reflecting decades of research into how people actually create and use passwords.
Key changes in the updated NIST guidelines include:
- No more periodic password changes: NIST now recommends against forced password rotation. Research showed that forced changes lead to predictable patterns (Password1, Password2) that actually decrease security.
- No complexity requirements: The guidelines no longer mandate uppercase, lowercase, numbers, and symbols. Instead, they focus on length as the primary security factor.
- Minimum 8 characters: User-chosen passwords should be at least 8 characters long. Machine-generated passwords should be at least 6 characters.
- Maximum 64 characters: Systems should accept passwords up to at least 64 characters to accommodate passphrases.
- Check against breach databases: Passwords should be checked against known compromised password lists before acceptance.
- No password hints: Systems should not allow password hints, as they often reveal the password to attackers.
- Allow paste functionality: Systems must allow password pasting to enable password managers.
- Rate limiting: Implement rate limiting and account lockout to prevent brute force attacks.
The NIST guidelines represent a paradigm shift from "make passwords complex" to "make passwords long and unique." This aligns with the mathematical reality that length provides more security per character than complexity, and that human-friendly passwords (passphrases) are both stronger and more memorable than complex but short passwords.
Organizations should also consider implementing passwordless authentication methods where possible, such as FIDO2/WebAuthn hardware keys, biometric authentication, or magic links sent via email. These methods eliminate the weaknesses inherent in password-based authentication entirely.
Measuring Your Password Entropy
Calculating the entropy of a password you have already created is different from calculating the entropy of a randomly generated password. For randomly generated passwords, you can use the formula E = L × log₂(N) because you know the exact character pool and that each character was chosen uniformly at random.
For human-chosen passwords, the effective entropy is typically much lower than the theoretical maximum. A password like "Sunshine2024!" might use characters from a pool of 95, giving a theoretical entropy of 14 × 6.57 = 92 bits. However, the effective entropy is far lower because the password follows predictable patterns: a common English word, a year, and a symbol at the end.
To estimate the effective entropy of a human-chosen password, consider these reduction factors:
- Dictionary words: If the password contains a dictionary word, the entropy of that segment is approximately log₂(dictionary_size) rather than log₂(95) × word_length
- Common patterns: Keyboard walks (qwerty), sequences (abc, 123), and repetitions (aaa) have very low entropy
- Predictable structures: The pattern "Word + Year + Symbol" is so common that it reduces the effective search space dramatically
- Personal information: Names, dates, and other personal information have near-zero entropy for targeted attacks
The best way to ensure your password has maximum entropy is to use a password manager to generate it randomly. If you must create a password manually, use the Diceware method to generate a passphrase from a word list, which ensures the entropy is calculable and maximized for the given length.
Future-Proofing Your Passwords
Password security is not static. Computing power increases roughly according to Moore's Law (doubling every 18-24 months), and new cracking techniques are regularly discovered. A password that is secure today might be crackable in a decade. Future-proofing your passwords means choosing configurations that remain secure against projected advances in computing.
Quantum computing poses a theoretical threat to password security. Grover's algorithm could potentially halve the effective entropy of passwords by providing a quadratic speedup for brute force searches. This means a password with 80 bits of classical entropy would have only 40 bits of quantum entropy. To prepare for this possibility, aim for passwords with at least 128 bits of entropy for long-term security.
Practical steps for future-proofing:
- Use passwords of 16+ characters for important accounts
- Prefer passphrases of 5+ random words for memorized passwords
- Use password managers to generate maximum-entropy random passwords
- Enable the strongest available authentication method (hardware keys > authenticator apps > SMS)
- Monitor breach databases and change passwords immediately if compromised
- Stay informed about advances in password cracking techniques
The most robust approach is to combine strong passwords with multi-factor authentication. Even if your password is eventually cracked, the additional authentication factor prevents unauthorized access. As authentication technology evolves, transition to passwordless methods that eliminate password-related risks entirely.