Definition

password entropy

Robert Sheldon

By

Robert Sheldon

What is password entropy?

Password entropy is a measurement of a password's strength based on how difficult it would be to crack the password through guessing or a brute-force attack. A password's entropy is typically based on the type of characters used -- lowercase letters, uppercase letters, numerical digits or special characters -- and the password's length, or total number of characters.

Password entropy predicts how long it will take to crack a password if sustained attempts to hack it are carried out consistently over a period of time, such as 1,000 attempts per second. For example, a brute-force attack might be able to crack the password accidental in about 58 minutes, according to Security.org, but it might take 7 quadrillion years to crack the password ac@xC1d!3aTlx4$3Hg using today's technology.

Password entropy is usually expressed in terms of bits. The lower the number of bits, the easier it is to guess the password. The higher the number, the more difficult it becomes to crack. An already-known password has 0 bits of entropy; one that can be guessed on the first attempt half the time has 1 bit of entropy. The password accidental has an entropy of 47 bits, and the password ac@xC1d!3aTlx4$3Hg has an entropy of 117.98 bits, which is a very strong password.

Chart listing some areas where real-world practices fall short of password best practices. — NIST offers guidelines for organizations that manage user passwords to help improve password hygiene.

The National Institute of Standards and Technology (NIST) provides the following guidelines for organizations that manage user passwords:

Set a minimum limit for the password length, such as eight characters.
Make it possible to create long passwords of at least 64 characters, and encourage users to create longer passwords.
Don't impose rules about character usage that result in users focusing more on satisfying the rules than on creating good passwords.
Use a blocklist to prevent users from creating common passwords.
Encourage users to avoid using personal information or easy-to-guess formulas in their passwords.
Don't require users to change their passwords arbitrarily, but require them to change their passwords if there is a suspected security breach.

The goal is not to create passwords that are overly complex and difficult to remember, but rather to choose ones that are more memorable yet not easily guessed by anyone else. A user can often remember a longer, simpler passphrase better than a shorter password with an odd mix of characters, and the longer password might also have a greater entropy.

Chart comparing a password vs. a passphrase.

How is password entropy calculated?

A password's entropy can be determined by calculating the base-2 logarithm of the number of possible characters multiplied by the password's length, as expressed by the following formula.

E = log₂(R^L)

In this formula, E represents the amount of password entropy in bits, R equals the total number of possible characters, and L equals the password's length.

To determine the number of possible characters, you must first identify the types of characters included in the password. The four types commonly used are lowercase letters, uppercase letters, numerical digits, and special characters or symbols. For each included type, you must determine the total number of possible characters in that character set and then add all the set totals together.

The following totals show the breakdown for each character set as they appear on a typical American QWERTY keyboard:

Lowercase letters (a-z) = 26.
Uppercase letters (A-Z) = 26.
Numerical digits (0-9) = 10.
Special characters (!, @, #, $, %, ^, etc.) = 32.

For example, if a password includes only lowercase letters and numerical digits, you would add 26 and 10 to come up with 36 total possible characters for that password. If a password includes all four types, the total number of possible characters is 94, or 26 + 26 + 10 + 32. Note that some entropy calculations include the space, which raises the total to 95. The following examples should help to make all this clearer.

The first example demonstrates how to calculate the entropy for the password quadrants, which uses only lowercase letters and is nine characters long. To calculate the total number of possible characters, you would normally start by adding the included character sets together. In this case, however, the password contains only lowercase letters, so there is only one set of 26 characters, which means that there are only 26 possible characters. Therefore, the R value in the equation is 26, and the L value is 9 to reflect the password's length.

R = 26 (possible characters)

L = 9 (total characters)

You can now plug these figures into the entropy formula and calculate the total entropy.

E = log₂(R^L)

E = log₂(26⁹) = log₂(5429503678976)

E = 42.3 bits (approximate)

As the calculations indicate, the entropy for the password quadrants is 42.3 bits. However, suppose the password is qUa@47!tS, which is still nine characters long, but now contains all four character types. When the four character sets are added together, the R value becomes 94, while the L value remains the same.

R = 26 + 26 + 10 + 32 = 94 (possible characters)

L = 9 (total characters)

As before, you can plug the R and L values into the formula to determine the password's entropy.

E = log₂(R^L)

E = log₂(94⁹) = log₂(572994802228616704)

E = 58.99 bits (approximate)

The entropy, which is about 58.99 bits, is now much higher because the password contains all four character types. Instead of including all types, however, you can simplify the password, but make it longer. For example, the password long.quadrants uses only two character types, but is 14 characters long, giving us the following R and L value.

R = 26 + 32 = 58 (possible characters)

L = 14 (total characters)

Once again, you can insert the R and L values into the formula to arrive at the password's entropy.

E = log₂(R^L)

E = log₂(58¹⁴) = log₂(4875194084160300000000000)

E = 82.01 bits (approximate)

The password has an entropy of 82.01 bits, which is much better than the previous example, even though the password is a lot simpler and consequently easier to remember.

As the examples demonstrate, a longer password can achieve a higher entropy even if it is less complex than a shorter password. In the last example, the password long.quadrants includes two simple words and one period, but it has a much higher entropy than qUa@47!tS, which is more difficult to remember. The second password is also a lot harder to enter into a text box, especially on a device such as a smartphone.

Explore enterprise password security guidelines in a nutshell and see how to create and enforce a password policy across the enterprise. Check out passwordless authentication options and best practices and the differences between a password and a PIN.

This was last updated in October 2023

Continue Reading About password entropy

Are 14-character minimum-length passwords secure enough?

What is a password spraying attack and how does it work?

6 key identity and access management benefits

Cybersecurity employee training: How to build a solid plan

Security Think Tank: How to create good passwords and add security layers

Search Networking

What is open networking?
Open networking describes a network that uses open standards and commodity hardware.
What is Border Gateway Protocol (BGP)?
BGP (Border Gateway Protocol) is the protocol that enables the internet's global routing system.
What is multiplexing and how does it work?
Multiplexing, or 'muxing,' is a way of sending multiple signals or streams of information over a communications link at the same ...

Search Security

What is Pretty Good Privacy and how does it work?
Pretty Good Privacy, or PGP, was a popular program used to encrypt and decrypt email over the internet, as well as authenticate ...
What is cloud security?
Cloud security, or cloud computing security, is a set of policies, practices and controls deployed to protect cloud-based data, ...
What is corporate governance?
Corporate governance is the combination of rules, processes and laws by which businesses are operated, regulated and controlled.

Search CIO

What is a quantum logic gate?
A quantum logic gate is a basic quantum device that operates on a small number of quantum bits or qubits.
What is Lean management?
Lean management is an approach to managing an organization that supports the concept of continuous improvement, a long-term ...
What is a project charter? Definition and examples
A project charter is a formal short document stating that a project exists and providing project managers with written authority ...

Search HRSoftware

What is employee experience?
Employee experience is a worker's perception of the organization they work for during their tenure.
What are performance appraisals? A how-to guide for managers
A performance appraisal is the structured practice of regularly reviewing an employee's job performance.
What is gamification? How it works and how to use it
Gamification is a strategy that integrates entertaining and immersive gaming elements into nongame contexts to enhance engagement...

Search Customer Experience

What is quality of experience (QoE or QoX)?
Quality of experience (QoE or QoX) is a measure of the overall level of a customer's satisfaction and experience with a product ...
What is voice of the customer? A guide to VOC Strategy
Voice of the customer (VOC) is the component of customer experience (CX) that focuses on customer needs, wants, expectations and ...
What is high-touch customer service?
High-touch customer service is a category of contact center interaction that requires human interaction.

Close