Password Entropy - How to Measure Real Strength
About 2 min read
Entropy is a measure of uncertainty in information theory, and in the context of passwords it is an indicator that expresses how hard a password is to predict, measured in bits. The higher the entropy value, the harder the password is to guess. The entropy of a password is calculated from the number of character types and the password length used, allowing you to quantitatively evaluate its resistance to brute-force attacks.
Calculation Method and Concrete Numerical Examples
The entropy of a password is calculated as "log2(number of character types) x length." The following shows the entropy of representative configurations.
- Lowercase letters only (26 types) x 8 characters = about 37.6 bits (crackable in seconds)
- Upper- and lowercase letters + digits (62 types) x 10 characters = about 59.5 bits (the minimum line for general use)
- Upper- and lowercase letters + digits + symbols (95 types) x 12 characters = about 78.8 bits (recommended level)
- Upper- and lowercase letters + digits + symbols (95 types) x 16 characters = about 105 bits (high security)
- Upper- and lowercase letters + digits + symbols (95 types) x 20 characters = about 131 bits (practically impossible to crack)
The strength meter on passtsuku.com displays password strength in real time based on this calculation. To increase entropy, increasing the length is the most effective approach. Increasing the length contributes more to entropy than increasing the number of character types.
The concepts of information theory and entropy can be learned from the basics with information theory and entropy books on Amazon.
Real-World Use Cases
"In reviewing our password policy, we raised the minimum entropy from 60 bits to 80 bits. We set the minimum length to 12 characters and also prohibited concatenating dictionary words."
Practical Application and Pitfalls
Entropy is a theoretical indicator of password strength, but there are points to watch out for in practice. The entropy calculation assumes "completely random generation," and passwords devised by humans are weak against dictionary attacks and pattern analysis, so their practical strength is lower than the calculated entropy. For example, "P@ssw0rd123!" has a rich variety of character types and appears to have high calculated entropy, but because it is a well-known pattern, it is broken instantly by a dictionary attack. For general web services, entropy of 60 bits or more is recommended, and for financial services and important accounts, 80 bits or more is recommended. At 120 bits or more, it is practically impossible to crack with current computer technology. Considering GPU performance as of 2025, passwords with entropy below 60 bits risk being cracked within a few hours, so aiming for 80 bits or more is recommended. By using a cryptographically secure random number generator, you can generate truly random passwords whose calculated entropy matches their practical strength.cryptanalysis and math books (Amazon) are also helpful for understanding the theoretical background.
Was this article helpful?