What Is Password Entropy?
Table of Contents
- By Bryan Lee
- Published: Oct 27, 2023
- Last Updated: Nov 10, 2023
These days, password security theory is strongly tied to mathematics. Even ordinary computers are getting exponentially more powerful every few years, and this growth is empowering hackers as a result.
One of the goals of any good password is to have high resistance to brute force attacks. Achieving the necessary strength to remain safe requires users to create increasingly long and complex passwords. No more using a beloved pet's name or a partner's birthday as a password. We're talking about alien combinations like "NDb88I08233c!' \Z.~BbD-b" or "-BF82h_p=G5't #V\2^sA_:+xg04Xr."
This shift is meeting understandable resistance since people don't want to memorize or even type in these passwords. However, we invite you to check your preferred passwords' entropy and see just how easy your passwords are to break.
After that, we'll see if you want to keep using the easy hacked password: goodboy21.
Password Entropy Definition
Password entropy measures the randomness and uniqueness of a password. In other words, it represents a password's strength in a unit called bits. The stronger a password is, the more bits of entropy it has.
Every bit adds a compounding number of combinations that eventually overwhelms even the most potent computer's processing power. If a password's entropy is strong enough, the hacker must use something other than brute force, which isn't worth the effort for most attackers.
Brute Force Attacks
The brute force method works exactly how its name sounds. The attacker repeatedly attempts every possible password combination, whether by random or some predetermined sequencing.
This is an impossible task for a human. Just think about how long it would take to guess every combination of a five-pin bike lock. You'd be sitting there for days or arrested before getting the right one.
However, a computer can run through hundreds of thousands of combinations per second. Hackers create code that continuously guesses passwords by changing a single character each attempt. The attempts would look like the following:
- Guess 1: aaa
- Guess 2: baa
- Guess 3: caa
Once the program goes through every character in the alphabet, it will repeat the process for the second and third characters. After that, it would try changing two or three characters simultaneously. Even in the above example, which only uses lowercase letters, there are over 17,000 possible combinations.
This may seem like a lot, but it would take a modern computer less than a second to get the answer.
So, the question is, how many bits of entropy is enough?
How Many Bits of Entropy Should My Password Have?
Depending on the technology, a modern computer can check a range of 10,000 to 1,000,000,000 combinations a second. So, we recommend only using passwords with a minimum of 78 bits of entropy.
Even that may be a low estimate if you're at high risk of attack.
Generally, 78 bits of entropy will discourage hackers from targeting your accounts. There are easier targets out there; they can't afford to waste their efforts on your iron-clad password.
Password entropy categorizes passwords into four types depending on their strength. These are: very weak, weak, strong, and very strong. Most people are familiar with the judgmental red "strength meter" that appears when trying to create an overly simple password.
What Are the Risks of a Low Password Entropy?
"What's the big deal if my password is guessed," is a question I've heard more than once. The average user has over 100 active accounts, most of which were created quickly and then forgotten.
The problem is that people don't put much effort into securing accounts they never plan to use again. This is particularly true if they aren't giving the service important information like credit card numbers or personally identifiable information.
We can follow this thought process. However, a recent Google poll revealed that 13 percent of Americans use the same password for every account, and 52 percent reuse the same password for some.
If a hacker guesses one of your passwords with low entropy, they can use the minuscule information they steal to extend the attack to your other accounts. Eventually, they might reach an account that stores your personal information, steal your identity, or commit financial fraud.
Calculating Password Entropy
- The formula to determine password entropy is E = Log₂(R^L). The breakdown of each variable is as follows:
- E refers to your password's bits of entropy
- R refers to the number of possible characters in your password
- 26 lowercase letters
- 26 uppercase letters
- 10 digits (0-9)
- 32 special characters on standard "qwerty" keyboards
- L refers to the number of characters (length) in your password
To get the number of possible combinations of your password, the formula is 2^E.
Unfortunately, this formula uses an upper-level mathematical term that most adults have either forgotten or never learned to begin with. The good news is that a straightforward and easy-to-use password entropy calculator is available online.
In 2023, the top six most commonly used passwords and the corresponding bits of entropy are:
- 123456 – 20 bits
- password – 38 bits
- 123456789 - 30 bits
- 12345 – 17 bits
- 12345678 – 27 bits
- qwerty – 28 bits
These are clearly weak passwords, but most people have used them more than once. Few people choose these types of passwords for their main accounts, but at times they just want to speed through the account creation process.
Even without a brute force code, these passwords are easy to guess. However, part of what makes them so vulnerable is that they only use one of the four-character types. Let's see how their bits of entropy change just by introducing a new character type without even changing their length.
Old Password |
New Password |
Bits of Entropy Increase |
123456 |
12345b |
+11 |
password |
Password |
+8 |
123456789 |
O2345678 |
+17 |
12345 |
123T5 |
+9 |
12345678 |
123456Y8 |
+14 |
qwerty |
Qwerty |
+6 |
Remember that every bit increase doubles the number of possible combinations from the previous result. While these new passwords still aren't up to snuff, this should show the power that just a slight variation will have on your online security.
The Limitation of Password Entropy Measurements
Now that you've seen the power of a single character type let's discuss the weaknesses of password entropy.
Password entropy's fundamental weakness is that it doesn't consider the attacker's psychology. Or rather, it doesn't consider the many tricks a seasoned attacker might use. Hackers can find the "World's Most Common Passwords" just like I did. It took about three seconds.
They can change their brute force code to guess all of the passwords on this list immediately, and also try variations of the passwords on the list. For example:
- password – 28 bits
- p@ssword – 35 bits
- passw0rd – 31 bits
It's a widespread habit for users to substitute one of the letters in a word with a similar-looking symbol or number. The same is true vice versa.
Password entropy's weakness is that it can fool people into believing that "p@ssword" is exponentially more secure than "password" because of how the calculation works. In reality, one will likely be attempted right after the other.
The lesson here is not to take shortcuts. Don't read this article and believe it's enough to make a tiny change to your passwords and have it be enough.
Create Long, Strong Passwords for Increased Safety
The short answer to password entropy is to make your password more than eight characters long and contain uppercase, lowercase, numbers, and special characters. That's all it takes to make yourself nearly impervious to brute-force attacks.
However, studies show that over 60 percent of Americans don't follow all or any of these rules for understandable reasons. Complex passwords are accordingly challenging to remember, and users have gotten used to account creation processes that take a minute at most.
We don't expect people to remember 20-character-long passwords or even take the time to make them personally. Password managers are excellent ways to expedite the process and even have your login credentials filled in for you when logging in.
If you don't want to download a dedicated password manager, strong password generators are also online. Whatever the case, we hope this article helped you understand the importance of a strong password when safeguarding your personal data.