What Is Password Entropy?
Entropy measures the randomness (unpredictability) of a password, expressed in bits. Each bit doubles the number of possible combinations. A password with 40 bits of entropy has 2⁴⁰ (about 1 trillion) possible combinations.
How Entropy Is Calculated
The formula is: Entropy = Length × log₂(Character Pool Size). It assumes every character is picked at random from the pool, so it describes generated passwords better than human-chosen ones. A 10-character password using lowercase only (26 chars) has 10 × log₂(26) ≈ 47 bits. Using all character types (95 chars) jumps to 10 × log₂(95) ≈ 65.7 bits.
Entropy Benchmarks
- Below 28 bits: Very weak — cracked in seconds
- 28-35 bits: Weak — cracked in minutes to hours
- 36-59 bits: Moderate — cracked in days to months
- 60-79 bits: Strong — cracked in years to decades
- 80+ bits: Excellent — effectively uncrackable with current tech
Why Length Beats Complexity
Adding 4 characters to a password increases entropy more than switching from lowercase-only to all character types. "correcthorsebatterystaple" (100+ bits) crushes "P@55w0rD" (52 bits) because length dominates the entropy equation.
Frequently Asked Questions
Does adding a symbol really help?
Slightly. It expands the character pool from 62 to 95 characters. But adding 2 extra lowercase letters achieves the same entropy increase.
What entropy do password managers generate?
Most generate 128+ bit passwords (20+ random characters), which are effectively uncrackable.
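The formula, the benchmark bands and the length-versus-complexity comparisons above, worked through in Python as an added example (not code from the original page). The pool constants are constructed to match the page's 26/62/95 counts, and inferred_pool_size is a hypothetical strength-meter heuristic that guesses the pool from the character classes present.

```python
import math
import secrets
import string

# Character pools as the page counts them (constructed here): 26 lowercase,
# 62 alphanumerics, 95 printable ASCII characters (space included).
LOWER = string.ascii_lowercase
ALNUM = string.ascii_letters + string.digits
FULL = ALNUM + string.punctuation + " "

def entropy_bits(length: int, pool_size: int) -> float:
    # Entropy = Length x log2(pool size). Only valid when every character was
    # drawn uniformly at random from the pool.
    if length < 0 or pool_size < 2:
        raise ValueError("need length >= 0 and a pool of at least 2 characters")
    return length * math.log2(pool_size)

def inferred_pool_size(password: str) -> int:
    # Pool size a strength meter infers from the character classes present.
    # An upper bound: it sees which classes appear, not how they were chosen.
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 punctuation marks plus space
    return size

def inferred_entropy(password: str) -> float:
    return entropy_bits(len(password), inferred_pool_size(password))

def rating(bits: float) -> str:
    # The page's benchmark bands; a fractional value such as 35.5 lands in 28-35.
    for limit, label in ((28, "Very weak"), (36, "Weak"), (60, "Moderate"), (80, "Strong")):
        if bits < limit:
            return label
    return "Excellent"

def length_for_bits(target_bits: float, pool_size: int) -> int:
    # Shortest length that reaches target_bits with uniform random picks.
    return math.ceil(target_bits / math.log2(pool_size))

def generate(target_bits: float = 128, pool: str = FULL) -> str:
    # How a password manager reaches 128+ bits: a CSPRNG picks each character.
    n = length_for_bits(target_bits, len(pool))
    return "".join(secrets.choice(pool) for _ in range(n))
```

Calling inferred_entropy on the two passwords from the page reproduces its 52-bit and 100+-bit figures, and length_for_bits(128, 95) gives the 20 characters the last answer mentions.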