Password entropy: Definition and formula

Password entropy is the measure of password strength — how effective the password is against hackers. The more complex and unpredictable your password is, the more difficult it is for an attacker to guess or crack it.

The best way to protect your account is to use a long and intricate password that takes ages to crack. The number of attempts an attacker would need to guess your password is a good measure of password strength, and this measure is known as password entropy.

Password entropy is important because it measures password randomness and unpredictability — the greater the entropy, the more effective the password is against all types of password attacks.

One of the most common types of targeted cyberattack is a brute force attack in which cybercriminals try all possible character combinations to discover your password. Sometimes they use dictionaries of common passwords (like “qwerty” or “123456”) to break into password-protected computers, accounts, and networks — this strategy is better known as a dictionary attack.

If you use short, low entropy passwords, hackers can use them in credential stuffing attacks, especially if you reuse them for multiple accounts. In these attacks, criminals use previously stolen password-username pairs to gain unauthorized access to accounts and digital systems. Sometimes hackers leak these lists of compromised passwords on the Dark Web. You can use specialized tools like NordVPN’s Dark Web Monitor to make sure your credentials have not been exposed online and to get informed if they are in danger.

High entropy passwords are much less susceptible to hacking attempts involving other password-cracking techniques, such as a rainbow table. In rainbow table attacks, criminals use precomputed tables to crack password hashes. High entropy passwords are less likely to appear in these tables, making it more difficult for hackers to determine the original password from its hash. But how do you know if your password’s entropy is high?

You can calculate password entropy using the E = log2 (RL) formula. This formula tells you how many guesses a hacker would have to make to crack your password by trying all possible combinations of symbols. The meaning of the elements in the formula is as follows:

• E stands for password entropy, measured in bits.
• Log2 is a mathematical formula that converts the total number of possible character combinations to bits.
• R stands for the range of characters.
• L stands for the number of characters in a password.

Passwords that contain only eight or less letters of the same case are too weak to protect your accounts because there are only thousands of character combinations that hackers can check relatively quickly to break into your account. Typically, weak passwords have only up to 60 bits of entropy. Incorporating numbers and special symbols increases the number of possible password combinations and, subsequently, the password’s entropy.

If a password’s entropy is at least 64 bits high, there are approximately 2^64 (18 quintillion) possible password combinations that a hacker would have to go through in order to enter your password-protected account. For example, a 64-bit password would be at least six characters long, would include upper- and lower-case letters, numbers, and special symbols. Checking all possible combinations would take up enormous amounts of time, which makes the password strong enough to withstand cyber attacks.

To create a high-entropy password, use at least six characters, including lower-case and higher-case letters, numbers, and special symbols. Don’t use dictionary words like “password” or popular phrases like “admin_password,” not even variations such as “passw0rd” or “p@ssword.” Avoid using sequential letters and numbers like “123456” and “asdfgh.” And never incorporate personal details into a password because attackers can gather that information from your social media or public records.

Of course, coming up with long and complex passwords — let alone remembering and renewing them regularly — might prove difficult, but that’s where a secure password manager comes in handy. It stores all your digital credentials and fills them out automatically when logging in to your accounts.

Passwords should have at least 60 bits of entropy to be strong enough to protect your accounts. Depending on the bits of entropy, passwords are classified into four categories ranging from very weak to very strong:

The more bits of entropy a password has, the less crackable it is. Passwords of less than 35 bits are weak and would be powerless against sophisticated attacks, while passwords of 36 to 59 bits are moderately strong at best. It’s helpful to aim for at least 60 bits and over to achieve a reasonable level of security.

Typically, 64-bit passwords are strong enough to protect sensitive accounts and will not succumb to a brute force attack. However, if you want to take your account security to the next level, go for an uncrackable 128+ bit password, which requires an enormously large number of guesses to crack and astronomical amounts of computing power and cracking time.

A longer password — of at least eight characters — that contains uppercase letters, lowercase letters, numbers, and special characters is a high-entropy password and is practically impossible to guess or crack. If your password entropy is at the lower end of the spectrum (less than 64 bits), you should develop a more complex password by following our tips on strong passwords.

However, never rely solely on password entropy. Several passwords can be of the same length and complexity, with one much stronger than the rest. This discrepancy occurs when cybercriminals leak lists of cracked passwords online to be used in targeted cyberattacks. These leaked passwords, even if complex, are already compromised and weak, so you should never use them. You can use an online password leak checking tool to see if your credentials have not been compromised and take action if they have — create new, stronger passwords.