Password entropy: measuring real strength in bits

Entropy turns 'is this a strong password?' from a gut feeling into a number. Here's the formula, worked examples, and why a long passphrase beats a short cryptic mess.

By Muhammad Tahir · 6 min read · security, explainer

Most advice about strong passwords is vague: "use a mix of characters," "make it complex," "add a symbol." None of it tells you how strong the result actually is. Entropy does. It's the one number that lets you compare two completely different passwords on the same scale and say, with confidence, which is harder to crack — and usually the answer surprises people.

What entropy actually measures

In information theory, entropy is a measure of uncertainty, expressed in bits. Applied to passwords, it answers one specific question: from an attacker's point of view, how many guesses would it take to find this password by brute force?

Each bit of entropy doubles the number of possible passwords. That exponential relationship is the whole story:

  • 1 bit = 2 possibilities
  • 10 bits = 1,024 possibilities
  • 20 bits = about 1 million
  • 40 bits = about 1 trillion
  • 60 bits = about 1 quintillion (10^18)

So a password with 60 bits of entropy isn't "three times stronger" than one with 20 bits. It's roughly a trillion times harder to guess. This is why small differences in the number matter enormously.

A crucial caveat up front: entropy measures the strength of the process that generated the password, assuming each choice was random. It describes "a 16-character password drawn randomly from this alphabet," not "this specific string I came up with in my head." If you chose the characters yourself, the real entropy is far lower than the formula suggests, because human choices aren't random. We'll come back to that.

The formula

For a password where each character is chosen independently and uniformly at random from a pool of N possible symbols, with a length of L characters:

entropy (bits) = L × log2(N)

log2(N) is the number of bits contributed by a single character — how much uncertainty one random pick adds. Multiply by the length and you have the total. The common pool sizes:

  • digits only (0-9): N = 10, about 3.32 bits per character
  • lowercase letters: N = 26, about 4.70 bits per character
  • lowercase + uppercase: N = 52, about 5.70 bits per character
  • letters + digits: N = 62, about 5.95 bits per character
  • letters + digits + ~32 symbols: N = 94, about 6.55 bits per character

Notice how slowly the per-character value grows. Going from 10 symbols to 94 — nearly ten times the alphabet — only roughly doubles the bits per character, from 3.32 to 6.55. That's because the alphabet sits inside a logarithm. Length, by contrast, multiplies linearly. Hold that thought.

Worked example: complex vs. long

Here's the comparison that changes how people think about passwords. Take two candidates.

Password A — short and cryptic: T7#kq! — 6 characters from the full 94-symbol pool.

entropy = 6 × log2(94) = 6 × 6.55 = ~39 bits

About 39 bits. This is the kind of password that looks strong, the kind a website's strength meter often rewards with a green bar.

Password B — a four-word passphrase: correct-horse-battery-staple — four words chosen randomly from a 7,776-word list (the standard Diceware list).

Here the "symbols" aren't characters, they're whole words. The pool is 7,776 and the length is 4 words:

log2(7776) = ~12.9 bits per word
entropy = 4 × 12.9 = ~51.7 bits

About 52 bits, and you can read it, type it, and remember it. That is roughly 12 bits more than the cryptic six-character string, which makes the passphrase about 5,000 times (2^12.4) harder to brute-force, despite looking far less "secure" to a human eye. Add a fifth word and you're at about 65 bits, which pushes an exhaustive search out to months even against a well-equipped offline attacker, as the time-to-crack figures further down show.

Why length beats complexity

Look again at the formula. Entropy is L × log2(N). Complexity grows the log2(N) term; length grows L. Because N is trapped inside a logarithm, throwing more character types at the problem yields diminishing returns, while adding length scales the whole thing linearly.

Concretely: one extra symbol type might lift you from 5.95 to 6.55 bits per character — a 10% gain. One extra character adds a full 5.95 or 6.55 bits — and every character after it does too. A 20-character lowercase-only password (20 × 4.70 = 94 bits) crushes a 10-character all-symbols password (10 × 6.55 = 65.5 bits), even though the second one is the one that looks "harder." Length is the cheapest, most powerful lever you have. This is the entire argument for passphrases.
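The formula and both worked examples above, as an added Python example (this is not code from the article or its author). It encodes the five pools from the list above with Python's `string` constants (`string.punctuation` is exactly the 32 ASCII symbols that bring the pool to 94) and reports the smallest pool a generator must have drawn a given string from. The function names are the example's own. Note the caveat built into `smallest_pool_for`: for a string a human chose, the pool it detects gives an upper bound on entropy, never a measurement.

```python
import math
import string

# Character pools from the article, ordered smallest to largest.
POOLS = {
    "digits": string.digits,                                            # 10
    "lower": string.ascii_lowercase,                                    # 26
    "letters": string.ascii_letters,                                    # 52
    "alnum": string.ascii_letters + string.digits,                      # 62
    "full": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def entropy_bits(length, pool_size):
    """L * log2(N): entropy of `length` symbols drawn uniformly and
    independently from `pool_size` equally likely options."""
    if length < 1 or pool_size < 2:
        raise ValueError("need at least one symbol drawn from at least two options")
    return length * math.log2(pool_size)


def smallest_pool_for(password):
    """Name and size of the smallest pool in POOLS containing every character.

    This is the pool a *generator* must have used. For a string a human
    typed it is only an upper bound; the dictionary attack ignores it.
    """
    chars = set(password)
    for name, pool in POOLS.items():
        if chars <= set(pool):
            return name, len(pool)
    raise ValueError("password uses characters outside the 94-symbol ASCII pool")


def password_entropy(password):
    """Character-based entropy, assuming each character was chosen at random."""
    name, size = smallest_pool_for(password)
    return entropy_bits(len(password), size)


def passphrase_entropy(words, wordlist_size=7776):
    """Word-based entropy: the symbol is a whole word drawn from a list
    (7,776 entries for the standard Diceware list)."""
    return entropy_bits(words, wordlist_size)


if __name__ == "__main__":
    print("A  T7#kq!                          ", round(password_entropy("T7#kq!"), 1))
    print("B  4 Diceware words                ", round(passphrase_entropy(4), 1))
    print("   5 Diceware words                ", round(passphrase_entropy(5), 1))
    print("   20 lowercase chars              ", round(entropy_bits(20, 26), 1))
    print("   10 chars, full 94 pool          ", round(entropy_bits(10, 94), 1))
    # Counting a passphrase character by character overstates it badly:
    print("   'correct-horse-battery-staple' as chars",
          round(password_entropy("correct-horse-battery-staple"), 1))
```

The last line of the demo is the practical trap: fed `correct-horse-battery-staple` as a string of 28 characters from the full pool, the character formula reports about 183 bits, while the process that actually produced it (four random words) delivered about 52. Entropy belongs to the generating process, so use the function that matches how the secret was made.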

Turning bits into time-to-crack

Entropy becomes tangible when you convert it to time. If a password has E bits of entropy, brute-forcing it takes up to 2^E guesses, and on average half that. Divide by an attacker's guess rate.

Guess rates vary enormously by what's being attacked:

  • An online login behind rate limiting: maybe thousands of guesses per second at most, often far fewer.
  • Offline cracking of a stolen hash computed with a fast function (e.g. unsalted MD5 or SHA-256) on a GPU rig: tens of billions of guesses per second per card, and over a trillion across a large rig.

Take the pessimistic offline case at 10^12 (one trillion) guesses per second:

  • 39-bit password A: 2^39 ≈ 5.5 × 10^11 guesses → cracked in under a second, even in the worst case.
  • 52-bit passphrase B: 2^52 ≈ 4.5 × 10^15 guesses → about 75 minutes worst case, roughly half that on average. Borderline.
  • 65-bit five-word passphrase: 2^65 ≈ 3.7 × 10^19 → a bit over a year worst case, about seven months on average, and that's against an attacker burning serious hardware on one target.
  • 80 bits: 2^80 ≈ 1.2 × 10^24 → tens of thousands of years at this rate; practically uncrackable by brute force for the foreseeable future.

This is why 80 bits is a common target for important secrets, and why anything under ~40 bits should be considered disposable against an offline attacker. A Password Strength Checker does this math for you, estimating entropy and translating it into a realistic crack time so you don't have to run the logarithms by hand.
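The conversion just described (E bits means 2^E guesses worst case and half that on average, divided by the guess rate), as an added Python example that is not the article's or its author's code. The two guess rates are the round figures from the bullets above and are labelled as assumptions in the code; `bits_for_lifetime` runs the same arithmetic backwards to answer the question practitioners actually ask, namely how many bits a secret needs to survive a given attacker for a given time.

```python
import math

# Assumed round guess rates per second from the bullets above, not measurements.
ONLINE_RATE_LIMITED = 1e3   # a throttled login endpoint
OFFLINE_FAST_HASH = 1e12    # stolen fast unsalted hash, large GPU rig

MINUTE, HOUR, DAY, YEAR = 60.0, 3600.0, 86400.0, 365.25 * 86400.0


def crack_seconds(bits, guesses_per_second):
    """Return (worst_case, average) seconds to brute-force `bits` of entropy.

    Worst case is all 2^bits guesses; on average the attacker finds the
    password halfway through the space.
    """
    worst = 2.0 ** bits / guesses_per_second
    return worst, worst / 2


def humanize(seconds):
    """Render a duration in the largest unit that fits, one decimal place."""
    for name, size in (("years", YEAR), ("days", DAY), ("hours", HOUR), ("minutes", MINUTE)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2f} seconds"


def crack_table(bits_list, guesses_per_second):
    """Average crack time, human-readable, for each entropy value."""
    return {bits: humanize(crack_seconds(bits, guesses_per_second)[1])
            for bits in bits_list}


def bits_for_lifetime(target_seconds, guesses_per_second):
    """Entropy needed so that even the *average* attack takes `target_seconds`.

    average = 2^E / (2 * rate) >= T  gives  E >= log2(2 * T * rate).
    """
    return math.log2(2 * target_seconds * guesses_per_second)


if __name__ == "__main__":
    for label, rate in (("online, rate-limited", ONLINE_RATE_LIMITED),
                        ("offline, fast hash", OFFLINE_FAST_HASH)):
        print(label, crack_table([39, 52, 65, 80], rate))
        print("  bits to survive 100 years:", round(bits_for_lifetime(100 * YEAR, rate), 1))
```

The second line per rate is the useful one: against the fast offline attacker, surviving a century on average takes about 72 bits, which is where the 80-bit target comes from once you allow for attackers getting faster. Against a login that really is limited to a thousand guesses per second, about 43 bits already buys the same century; that gap is the whole reason a stolen hash file is so much more dangerous than an exposed login form.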

The attack that ignores entropy: dictionaries

There's a catch that brute-force math alone misses, and it's where most real passwords actually die. Attackers don't start by trying aaaa, aaab, aaac. They start with what people actually pick: leaked password lists (millions of real passwords from past breaches), dictionary words, names, dates, keyboard patterns like qwerty, and predictable substitutions like P@ssw0rd.

This is why the entropy formula's assumption — random, independent choices — is everything. Tr0ub4dor&3 looks like it has ~70 bits by raw character count. But if a human chose it from a dictionary word with predictable leetspeak swaps, an attacker's smart dictionary attack reaches it in a tiny fraction of those guesses. Its effective entropy might be 20-something bits. The formula was never lying; the input just wasn't random.
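The gap between nominal and effective entropy, as an added Python example of the "smart dictionary attack" the paragraph describes (not the article's or its author's code). It hashes the target with SHA-256 as a stolen-hash scenario, then guesses dictionary words with capitalisation, leetspeak swaps and common suffixes applied, and counts the guesses; log2 of that count is the entropy the password actually delivered against this attacker. The four-word dictionary, the swap table and the suffix list are constructed stand-ins, so the resulting guess count is a toy figure; a real cracker with a breach list of millions of words and hundreds of mangling rules needs more guesses than this toy, but still a vanishing fraction of the 2^72 the character count promises.

```python
import hashlib
import itertools
import math

# Constructed toy dictionary; a real attacker uses millions of leaked passwords.
DICTIONARY = ["password", "letmein", "dragon", "troubador"]
# Leetspeak swaps a mangling rule set would try for each character.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
# A few suffixes people bolt on to satisfy complexity rules.
SUFFIXES = ["", "1", "!", "&3"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def mangled_candidates(dictionary=DICTIONARY):
    """Yield every word with casing, per-character leet swaps and suffixes applied.

    For each character the attacker tries the original and, if it has one,
    its leet replacement, so a 9-letter word with 4 swappable letters
    expands to 2^4 variants per casing, times the suffix list.
    """
    for word in dictionary:
        for cased in (word, word.capitalize()):
            options = [(c, LEET[c]) if c in LEET else (c,) for c in cased]
            for chars in itertools.product(*options):
                base = "".join(chars)
                for suffix in SUFFIXES:
                    yield base + suffix


def crack_sha256(target_hash, dictionary=DICTIONARY):
    """Try every mangled candidate against the stolen hash.

    Returns (password, guess_number) on success, or (None, guesses_tried)
    when the target is not reachable from the dictionary and rules at all.
    """
    guesses = 0
    for guesses, guess in enumerate(mangled_candidates(dictionary), start=1):
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def nominal_bits(password, pool_size=94):
    """What the character-count formula claims: L * log2(N)."""
    return len(password) * math.log2(pool_size)


def effective_bits(guesses):
    """Entropy the password really had against this attacker: log2(guesses needed)."""
    return math.log2(guesses)


if __name__ == "__main__":
    target = "Tr0ub4dor&3"
    found, n = crack_sha256(sha256_hex(target))
    print(f"{found!r} found on guess {n}")
    print(f"nominal {nominal_bits(target):.1f} bits, effective {effective_bits(n):.1f} bits")
    print(crack_sha256(sha256_hex("correct-horse-battery-staple")))  # not reachable
```

The second call shows the other half of the argument: the randomly chosen passphrase is never produced by the word-plus-rules generator at all, so the attacker exhausts the rule set and is thrown back on the full 7776^4 word space that its entropy figure actually describes.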

The defense follows directly:

  • Let a machine generate the randomness. Human-chosen passwords leak entropy to dictionary attacks. A generator drawing from a cryptographic RNG actually delivers the bits the formula promises.
  • Prefer length over cleverness. A randomly chosen multi-word passphrase from a Passphrase Generator gives you high entropy and memorability — and because the words are picked randomly, the dictionary attack gains nothing. It still has to brute-force the full word space.
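Both defences, as an added Python example that is not the article's or its author's code: `secrets` (the standard library's interface to the operating system's cryptographic RNG) supplies the randomness, the entropy reported is computed from the list actually used rather than assumed, and `symbols_needed` sizes a password or passphrase for a target such as 80 bits. The 16-word list is a constructed stand-in for the 7,776-word Diceware list, which is why this example needs 20 words to reach 80 bits where Diceware needs 7.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware list. Entropy per word is derived from
# the list's real length, so a short list is reported honestly (4 bits/word here).
WORDLIST = ["correct", "horse", "battery", "staple", "anvil", "bishop",
            "cactus", "dune", "ember", "falcon", "garnet", "harbor",
            "island", "jigsaw", "kettle", "lantern"]
FULL_POOL = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def symbols_needed(target_bits, pool_size):
    """Fewest symbols (characters or words) from `pool_size` options
    that reach `target_bits`: ceil(target / log2(N))."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_passphrase(words, wordlist=WORDLIST, sep="-"):
    """Passphrase from a CSPRNG; returns (phrase, bits it actually carries).

    secrets.choice is uniform over the list, so every word contributes the
    full log2(len(wordlist)) bits the formula promises.
    """
    phrase = sep.join(secrets.choice(wordlist) for _ in range(words))
    return phrase, words * math.log2(len(wordlist))


def generate_password(length, pool=FULL_POOL):
    """Character password from a CSPRNG; returns (password, bits)."""
    pw = "".join(secrets.choice(pool) for _ in range(length))
    return pw, length * math.log2(len(pool))


def generate_for_target(target_bits, wordlist=WORDLIST):
    """Passphrase with enough words to meet or exceed `target_bits`."""
    return generate_passphrase(symbols_needed(target_bits, len(wordlist)), wordlist)


if __name__ == "__main__":
    print("Diceware words for 80 bits:", symbols_needed(80, 7776))
    print("full-pool characters for 80 bits:", symbols_needed(80, 94))
    print("lowercase characters for 80 bits:", symbols_needed(80, 26))
    print(generate_for_target(80))
    print(generate_password(13))
```

Two design points worth keeping when adapting this: never swap `secrets.choice` for `random.choice` (the `random` module is a statistical generator, not a cryptographic one, and a seeded or partially observed state lets an attacker reproduce its output), and never let the word list shrink silently, which is why the bits are derived from `len(wordlist)` rather than hard-coded as 12.9.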

The one number to remember

Strip away the meters and color bars and it comes down to this: a strong password is one with enough entropy, generated randomly enough that the entropy is real. Aim for 80 bits where it matters. Reach it with length, not punctuation. And let a tool, not your imagination, supply the randomness — because the moment a human picks the characters, the bits start quietly leaking away.