We all need to be vigilant about creating mathematically impenetrable passwords. And if you’re one of the hundreds of thousands of people who use names and birth dates in their passwords(new window), then it’s definitely time to tighten up your login security.
In this article, we explain how to estimate and improve your password entropy, which is great for your online security. But there’s a tradeoff: Maximizing a password’s entropy essentially means making it impossible for you to remember. As always, there’s an XKCD cartoon(new window) that sums up the issue.
Given how many online services we all sign up for (dozens at least), it’s almost impossible for the average person to memorize a strong password for each one.
That’s why our recommendation is to use a password manager like Proton Pass, which can generate passwords with extremely high entropy. It will remember them and autofill them for you.
Below, we explain what password entropy means, how you can calculate it, and how it affects your password’s strength. It can help you select the most secure settings in your password manager (or avoid logins for services that require passwords with very low entropy).
What does “password entropy” mean?
Password entropy refers to how unpredictable your password or phrase is, measured in bits. Typically, the more bits of entropy there are, the more complex a password is and the tougher it is to break through brute force attacks.
Brute force attackers use trial-and-error to guess combinations of characters in login credentials, passwords, and encryption data.
For example, many hackers use complex scripts and machines to automate thousands of password guesses within a few minutes. In one of the most eye-opening cases, researchers processed up to 350 billion password guesses(new window) per second.
Attackers use brute force attacks to expose weak passwords quickly. By measuring and prioritizing the entropy of your passwords, you can help prevent this data from falling into the wrong hands.
How does password entropy affect password strength?
Several factors affect a password’s entropy and, in turn, its strength. You’ll need to consider your password’s:
- Length (in characters)
- Use of uppercase and lowercase letters
- Use of numeric characters
- Use of special symbols
Of all the elements listed here, password length(new window) is the most important. A long enough passphrase is sufficient to defeat any brute force attack. However, you’ll still improve its entropy using random uppercase letters, special symbols, and numerals.
Entropy and complexity aren’t the only password strength factors. Hackers can use dictionary attacks to guess your credentials if you use a recognizable word or common phrase in your password.
A dictionary attacker automates brute force guesses of every word in a dictionary that might be used within a password.
Therefore, regardless of your password’s entropy, you’re still at risk of hacking if you use pet names, sports teams, or other common passwords (for example, never use “password”) in your login details.
How to calculate password entropy
Password entropy is measured in bits and depends on two main factors:
- The number of characters available in the character range chosen for the password
- The number of characters in the password
Therefore, password entropy increases the longer your password is and the broader your possible character range is. A long password that uses capital letters, lowercase letters, symbols, and numbers, like HelpFidoSaveTony33!, will have very high entropy. A password that only uses lowercase letters or numbers, like crimson or 112233 will have very low entropy.
What are bits of entropy?
Bits of entropy measure how difficult a password is to crack. For example, a password already known to you has zero bits.
Using a formula, we can calculate how many entropy bits are in a password, and with them, how many guesses an attacker’s script or machine would need to gain access.
However, before we can calculate password entropy, we need to measure all the different possible character ranges.
Measuring character ranges
The following table demonstrates how your character options increase when you add different characters into your password if you write in English. The number of letters and symbols can vary depending on the language you use.
|Character Type||Example(s)||Range Size|
|Numerics||0, 1, 2, 3||10|
|Latin letters (lowercase)||a, b, c, d||26|
|Latin letters (uppercase)||A, B, C, D||26|
|Special symbols||!, @, %, $||32|
The more choice in potential characters you provide potential hackers, the higher your password entropy becomes. Therefore, prioritize as broad a character range as possible and use a mixture of all four types.
Here are a few example passwords and their total character ranges:
|Example||Total Character Range|
Remember, the above data shows you the potential size of character ranges, not bits of entropy. We need to use a specific formula to calculate the precise entropy of passwords in bits.
Password entropy formula
You can measure a password’s entropy in bits using the following formula:
E = L × log2(R)
In this formula:
- E is your password entropy
- R is the possible range of character types in your password (the tables show above)
- L is the number of characters in your password (its length)
- Log2 answers the question “to what power 2 must be raised to equal this number”
Using this formula, here’s how a few example passwords measure in bits:
|Example||Character Range||Password Length||Calculation||Bits of Entropy|
|Bankruptcies||52||12 chars.||E = 12 x 5.7||68.4|
|1Bankruptcies2||62||14 chars.||E = 14 x 5.95||83.3|
|1Bankruptcies2&%||94||16 chars.||E = 16 x 6.55||104.8|
The math shows us that the longer and more complex a password is, the more bits of entropy it has.
You can use a password entropy calculator online for faster results, but the above equations are reliable if you prefer to work out the math on your own.
Again, entropy is only one measure of strength. To avoid dictionary attacks, avoid commonly used passwords or phrases. You should also avoid using personal information, like your birth date, pet’s name, or street name for your password, as attackers can obtain this information.
When is a password considered strong?
Generally, a strong or high-entropy password scores at least 75 bits. Anything measuring fewer than 72 bits is reasonably easy for a machine to crack.
We calculate the maximum number of potential guesses using the calculation 2 ^ (number of bits). It’s how many times the number 2 doubles to reach the total number of bits.
For example, a password with 10 bits of entropy, using 2 ^ 10, would need a maximum of 1,024 guesses to break. That’s typically a three-character numerical password, such as 456.
Aim for an entropy of over 100 bits to create a strong password(new window), aiming as high as possible. The higher the entropy, the more time it will take for machines to brute force a correct password guess.
The rules for creating a high-entropy password differ wildly depending on the security expert you speak to, but there are a few general rules we can all agree on:
- Your password should be at least eight characters long and uses a mix of characters (not just lowercase letters in the basic Latin alphabet)
- You should avoid using any phrases or terms that are significant to you (and are therefore easy to guess)
- A strong password does not connect to its username (always treat the two as separate entities)
- There’s a mix of at least one lowercase letter, one uppercase letter, one number, and one special character (for example, %, ^, *, &, @, ~, etc.)
We also recommend using a password blocklist to help avoid using words or phrases popularly chosen across the web. For example, NIST’s Bad Passwords project(new window) is a popular open-source tool for creating high-entropy phrases.
If you’re looking to make a secure admin password for your password manager, consider the following guidelines
To recap, a truly secure password contains, for example:
- At least one uppercase letter
- At least one lowercase letters
- At least one special symbols
- At least one digit
- A passphrase of roughly 20 characters
The example from above, HelpFidoSaveTony33!, meets all these requirements and creates a password with roughly 117 bits of entropy, which is currently impossible to crack by brute force.
Generate strong passwords with Proton Pass
The only way to generate and remember enough strong passwords for all your online accounts is to use a password manager. Proton Pass generates secure phrases for you at a click. You can use it to create 10-word passphrases or 64-character random passwords, and it gives you control over whether each password uses numbers, uppercase letters, and special characters, in case you want to maximize your passwords’ entropy.
With Proton Pass, your passwords aren’t just hard to crack — they’re stored with end-to-end encryption and backed up by secure two-factor authentication through the world’s most secure free password manager. Read Proton Pass’s security model(new window) to learn more.
If password entropy leaves you scratching your head, register and sign up for Proton Pass. We’ll help you generate, store, and secure passwords to withstand malicious attacks.
A password’s complexity typically refers to its potential character range, while password entropy refers to the math behind how hard it is to guess. Entropy is measured in bits, which in turn tells you how many brute force guesses it will take to break a password.
It depends on the length of the words and the characters you use. The longer the password and the more different types of characters you choose, the higher the password entropy will be.
128 bits of entropy means your password is likely strong enough to withstand most brute force attacks from machines. Any password with an entropy higher than 78 bits is difficult for most machines to crack.