We all need to be vigilant about creating mathematically impenetrable passwords. And if you’re one of the hundreds of thousands of people who use names and birth dates in their passwords(nieuw venster), then it’s definitely time to tighten up your login security.
In this article, we explain how to estimate and improve your password entropy, which is great for your online security. But there’s a tradeoff: Maximizing a password’s entropy essentially means making it impossible for you to remember. As always, there’s an XKCD cartoon(nieuw venster) that sums up the issue.
Given how many online services we all sign up for (dozens at least), it’s almost impossible for the average person to memorize a strong password for each one.
That’s why our recommendation is to use a password manager like Proton Pass, which can generate passwords with extremely high entropy. It will remember them and autofill them for you.
Below, we explain what password entropy means, how you can calculate it, and how it affects your password’s strength. It can help you select the most secure settings in your password manager (or avoid logins for services that require passwords with very low entropy).
What does “password entropy” mean?
Password entropy refers to how unpredictable your password or phrase is, measured in bits. Typically, the more bits of entropy there are, the more complex a password is and the tougher it is to break through brute force attacks.
Brute force attackers use trial-and-error to guess combinations of characters in login credentials, passwords, and encryption data.
For example, many hackers use complex scripts and machines to automate thousands of password guesses within a few minutes. In one of the most eye-opening cases, researchers processed up to 350 billion password guesses(nieuw venster) per second.
Attackers use brute force attacks to expose weak passwords quickly. By measuring and prioritizing the entropy of your passwords, you can help prevent this data from falling into the wrong hands.
How does password entropy affect password strength?
Several factors affect a password’s entropy and, in turn, its strength. You’ll need to consider your password’s:
- Length (in characters)
- Use of uppercase and lowercase letters
- Use of numeric characters
- Use of special symbols
Of all the elements listed here, password length is the most important. A long enough passphrase will defeat almost any brute force attack. And you can increase entropy further by using random uppercase letters, special symbols, and numerals.
However, entropy is not just about how long or complex your password looks. It can also depend on how it was created. A truly random string has much higher entropy than a common word or phrase, even if both are the same length.
Hackers can use dictionary attacks to guess your credentials if you use a recognizable word or common phrase in your password.
A dictionary attacker automates brute force guesses of every word in a dictionary that might be used within a password.
Therefore, regardless of your password’s entropy, you’re still at risk of hacking if you use pet names, sports teams, or other common passwords (for example, never use “password”) in your login details.
How to calculate password entropy
We explain how to calculate password entropy, but it’s important to note that this is simply a demonstration. You cannot safely estimate a password’s entropy based on how it looks. Human-generated passwords — even long ones — are often highly predictable. Unless it was created with a random generator, you should assume the entropy is lower than you think.
Assuming you use a random string of characters, password entropy is measured in bits and depends on two main factors:
- The number of characters available in the character range chosen for the password
- The number of characters in the password
Therefore, password entropy increases the longer your password is and the broader your possible character range is. A long password that uses capital letters, lowercase letters, symbols, and numbers, like kmXz2=zs[m%7?y4A, will have very high entropy.
A password that only uses lowercase letters or numbers, like dzormybs or 119022833 will have very low entropy.
Passphrases are easier to remember, but you must be careful. They must be longer to create similar levels of entropy. For example, a passphrase like HelpFidoSaveChocolate33! looks complex, but because it uses four common English words and a predictable number-symbol combination at the end, its true entropy may be closer to 50 bits. This is far less than the entropy of kmXz2=zs[m%7?y4A, even though it is eight characters shorter.
What are bits of entropy?
Bits of entropy measure how difficult a password is to crack. For example, a password already known to you has zero bits.
Using a formula, we can calculate how many entropy bits are in a password, and with them, how many guesses an attacker’s script or machine would need to gain access.
However, before we can calculate password entropy, we need to measure all the different possible character ranges.
Measuring character ranges
The following table demonstrates how your character options increase when you add different characters into your password if you write in English. The number of letters and symbols can vary depending on the language you use.
| Character Type | Example(s) | Range Size |
| Numerics | 0, 1, 2, 3 | 10 |
| Latin letters (lowercase) | a, b, c, d | 26 |
| Latin letters (uppercase) | A, B, C, D | 26 |
| Special symbols | !, @, %, $ | 32 |
The more choice in potential characters you provide potential hackers, the higher your password entropy becomes. Therefore, prioritize as broad a character range as possible and use a mixture of all four types.
Here are a few example passwords and their total character ranges:
| Example | Total Character Range |
| 112233 | 10 |
| abcde | 26 |
| a1b2c3d4 | 36 |
| a1B2c3D4 | 62 |
| a1!B2%c3^D4 | 94 |
Remember, the above data shows you the potential size of character ranges, not bits of entropy. We need to use a specific formula to calculate the precise entropy of passwords in bits.
Password entropy formula
You can measure a password’s entropy in bits using the following formula:
E = L × log2(R)
In this formula:
- E is your password entropy
- R is the possible range of character types in your password (the tables show above)
- L is the number of characters in your password (its length)
- Log2 answers the question “to what power 2 must be raised to equal this number”
Using this formula, here’s how a few example passwords measure in bits:
| Example | Character Range | Password Length | Calculation | Bits of Entropy |
| fygwcbjnhsbh | 26 | 12 chars. | E = 12 x 4.7 | 56.4 |
| HzgNhHkY1WQ8AM | 62 | 14 chars. | E = 14 x 5.95 | 83.3 |
| kmXz2=zs[m%7?y4A | 94 | 16 chars. | E = 16 x 6.55 | 104.8 |
The math shows us that the longer and more complex a password is, the more bits of entropy it has.
Remember, these calculations only apply to randomly generated passwords. Passphrases that use common words must be longer and use uncommon, unrelated words (and ideally numbers and symbols) to generate a similar level of security.
And remember, these calculations are more for demonstration than practical use. You should rely on password generators rather than trying to calculate how strong a password is yourself
You can use our free password generator to experiment and see how strong different passwords are.
Again, entropy is only one measure of strength. To avoid dictionary attacks, avoid commonly used passwords or phrases. You should also avoid using personal information, like your birth date, pet’s name, or street name for your password, as attackers can obtain this information.
When is a password considered strong?
Generally, a strong or high-entropy password scores at least 75 bits. Anything with less than 72 bits is reasonably easy for a machine to crack.
We calculate the maximum number of potential guesses using the calculation 2 ^ (number of bits). It’s how many times the number 2 doubles to reach the total number of bits.
For example, a password with 10 bits of entropy, using 2 ^ 10, would need a maximum of 1,024 guesses to break. That’s typically a three-character numerical password, such as 456.
Aim for an entropy of over 100 bits to create a strong password, aiming as high as possible. The higher the entropy, the more time it will take for machines to brute force a correct password guess.
The rules for creating a high-entropy password differ wildly depending on the security expert you speak to, but there are a few general rules we can all agree on:
- Your password should be at least 14 characters long and uses a mix of characters (not just lowercase letters in the basic Latin alphabet)
- You should avoid using any phrases or terms that are significant to you (and are therefore easy to guess)
- A strong password does not connect to its username (always treat the two as separate entities)
- There’s a mix of at least one lowercase letter, one uppercase letter, one number, and one special character (for example, %, ^, *, &, @, ~, etc.)
We also recommend using a password blocklist to help avoid using words or phrases popularly chosen across the web. For example, NIST’s Bad Passwords project(nieuw venster) is a popular open-source tool for creating high-entropy phrases.
If you’re looking to make a secure admin password for your password manager, consider the following guidelines
To recap, a truly secure password contains, for example:
- At least one uppercase letter
- At least one lowercase letters
- At least one special symbols
- At least one digit
- At least 14 characters (or at least 30 for passphrases, assuming the words are uncommon and unrelated)
The example from above, kmXz2=zs[m%7?y4A, meets all these requirements and creates a password with roughly 105 bits of entropy, which would take an impossibly long time to crack by brute force.
Generate strong passwords with Proton Pass
The only way to generate and remember enough strong passwords for all your online accounts is to use a password manager. Proton Pass generates secure phrases for you at a click. You can use it to create 10-word passphrases or 64-character random passwords, and it gives you control over whether each password uses numbers, uppercase letters, and special characters, in case you want to maximize your passwords’ entropy.
With Proton Pass, your passwords aren’t just hard to crack — they’re stored with end-to-end encryption and backed up by secure two-factor authentication through the world’s most secure free password manager. Read Proton Pass’s security model to learn more.
If password entropy leaves you scratching your head, register and sign up for Proton Pass. We’ll help you generate, store, and secure passwords to withstand malicious attacks.
Update November 18, 2025: This article was updated to more clearly explain the issues with trying to calculate the entropy of passphrases and passwords in general. The complexity of passwords is easy to overestimate unless it is truly randomly generated.
FAQ
A password’s complexity typically refers to its potential character range, while password entropy refers to the math behind how hard it is to guess. Entropy is measured in bits, which in turn tells you how many brute force guesses it will take to break a password.
It depends on how the words were selected. If they were chosen randomly (for example, using a Diceware list), each word adds about 12–13 bits of entropy. So a four-word random passphrase would have about 50–52 bits of entropy. But if the words were chosen by a human, the entropy may be much lower.
128 bits of entropy means your password would require 2¹²⁸ guesses to brute force — that’s more than the number of atoms in the universe. For practical purposes, anything over 100 bits is secure. Even passwords with 75–80 bits are considered resistant to all known brute-force attacks today.
