What Is Password Entropy?

  • By Bryan Lee
  • Published: Oct 27, 2023
  • Last Updated: Nov 10, 2023

Password Entropy

These days, password security theory is strongly tied to mathematics. Even ordinary computers are getting exponentially more powerful every few years, and this growth is empowering hackers as a result.

One of the goals of any good password is to have high resistance to brute force attacks. Achieving the necessary strength to remain safe requires users to create increasingly long and complex passwords. No more using a beloved pet's name or a partner's birthday as a password. We're talking about alien combinations like "NDb88I08233c!' \Z.~BbD-b" or "-BF82h_p=G5't #V\2^sA_:+xg04Xr."

This shift is meeting understandable resistance since people don't want to memorize or even type in these passwords. However, we invite you to check your preferred passwords' entropy and see just how easy your passwords are to break.

After that, we'll see if you want to keep using the easy hacked password: goodboy21.

Password Entropy Definition

Password entropy measures the randomness and uniqueness of a password. In other words, it represents a password's strength in a unit called bits. The stronger a password is, the more bits of entropy it has.

Every bit adds a compounding number of combinations that eventually overwhelms even the most potent computer's processing power. If a password's entropy is strong enough, the hacker must use something other than brute force, which isn't worth the effort for most attackers.

Brute Force Attacks

The brute force method works exactly how its name sounds. The attacker repeatedly attempts every possible password combination, whether by random or some predetermined sequencing.

This is an impossible task for a human. Just think about how long it would take to guess every combination of a five-pin bike lock. You'd be sitting there for days or arrested before getting the right one.

However, a computer can run through hundreds of thousands of combinations per second. Hackers create code that continuously guesses passwords by changing a single character each attempt. The attempts would look like the following:

  • Guess 1: aaa
  • Guess 2: baa
  • Guess 3: caa

Once the program goes through every character in the alphabet, it will repeat the process for the second and third characters. After that, it would try changing two or three characters simultaneously. Even in the above example, which only uses lowercase letters, there are over 17,000 possible combinations.

This may seem like a lot, but it would take a modern computer less than a second to get the answer.

So, the question is, how many bits of entropy is enough?

How Many Bits of Entropy Should My Password Have?

Depending on the technology, a modern computer can check a range of 10,000 to 1,000,000,000 combinations a second. So, we recommend only using passwords with a minimum of 78 bits of entropy.

Even that may be a low estimate if you're at high risk of attack.

Generally, 78 bits of entropy will discourage hackers from targeting your accounts. There are easier targets out there; they can't afford to waste their efforts on your iron-clad password.

Password entropy categorizes passwords into four types depending on their strength. These are: very weak, weak, strong, and very strong. Most people are familiar with the judgmental red "strength meter" that appears when trying to create an overly simple password.

What Are the Risks of a Low Password Entropy?

"What's the big deal if my password is guessed," is a question I've heard more than once. The average user has over 100 active accounts, most of which were created quickly and then forgotten.

The problem is that people don't put much effort into securing accounts they never plan to use again. This is particularly true if they aren't giving the service important information like credit card numbers or personally identifiable information.

We can follow this thought process. However, a recent Google poll revealed that 13 percent of Americans use the same password for every account, and 52 percent reuse the same password for some.

If a hacker guesses one of your passwords with low entropy, they can use the minuscule information they steal to extend the attack to your other accounts. Eventually, they might reach an account that stores your personal information, steal your identity, or commit financial fraud.

Calculating Password Entropy

  • The formula to determine password entropy is E = Log₂(R^L). The breakdown of each variable is as follows:
  • E refers to your password's bits of entropy
  • R refers to the number of possible characters in your password
    • 26 lowercase letters
    • 26 uppercase letters
    • 10 digits (0-9)
  • 32 special characters on standard "qwerty" keyboards
  • L refers to the number of characters (length) in your password

To get the number of possible combinations of your password, the formula is 2^E.

Unfortunately, this formula uses an upper-level mathematical term that most adults have either forgotten or never learned to begin with. The good news is that a straightforward and easy-to-use password entropy calculator is available online.

In 2023, the top six most commonly used passwords and the corresponding bits of entropy are:

  1. 123456 – 20 bits
  2. password – 38 bits
  3. 123456789 - 30 bits
  4. 12345 – 17 bits
  5. 12345678 – 27 bits
  6. qwerty – 28 bits

These are clearly weak passwords, but most people have used them more than once. Few people choose these types of passwords for their main accounts, but at times they just want to speed through the account creation process.

Even without a brute force code, these passwords are easy to guess. However, part of what makes them so vulnerable is that they only use one of the four-character types. Let's see how their bits of entropy change just by introducing a new character type without even changing their length.

Old Password

New Password

Bits of Entropy Increase

123456

12345b

+11

password

Password

+8

123456789

O2345678

+17

12345

123T5

+9

12345678

123456Y8

+14

qwerty

Qwerty

+6

Remember that every bit increase doubles the number of possible combinations from the previous result. While these new passwords still aren't up to snuff, this should show the power that just a slight variation will have on your online security.

The Limitation of Password Entropy Measurements

Now that you've seen the power of a single character type let's discuss the weaknesses of password entropy.

Password entropy's fundamental weakness is that it doesn't consider the attacker's psychology. Or rather, it doesn't consider the many tricks a seasoned attacker might use. Hackers can find the "World's Most Common Passwords" just like I did. It took about three seconds.

They can change their brute force code to guess all of the passwords on this list immediately, and also try variations of the passwords on the list. For example:

  • password – 28 bits
  • p@ssword – 35 bits
  • passw0rd – 31 bits

It's a widespread habit for users to substitute one of the letters in a word with a similar-looking symbol or number. The same is true vice versa.

Password entropy's weakness is that it can fool people into believing that "p@ssword" is exponentially more secure than "password" because of how the calculation works. In reality, one will likely be attempted right after the other.

The lesson here is not to take shortcuts. Don't read this article and believe it's enough to make a tiny change to your passwords and have it be enough.

Create Long, Strong Passwords for Increased Safety

Strong Passwords for Increased Safety

The short answer to password entropy is to make your password more than eight characters long and contain uppercase, lowercase, numbers, and special characters. That's all it takes to make yourself nearly impervious to brute-force attacks.

However, studies show that over 60 percent of Americans don't follow all or any of these rules for understandable reasons. Complex passwords are accordingly challenging to remember, and users have gotten used to account creation processes that take a minute at most.

We don't expect people to remember 20-character-long passwords or even take the time to make them personally. Password managers are excellent ways to expedite the process and even have your login credentials filled in for you when logging in.

If you don't want to download a dedicated password manager, strong password generators are also online. Whatever the case, we hope this article helped you understand the importance of a strong password when safeguarding your personal data.

About the Author
IDStrong Logo

Related Articles

How To Make Your IG Account Private

There are occasions when it makes more sense to have a private Instagram (IG) account. You might w ... Read More

Windows 10 Privacy Settings You Should Change Now

Privacy is a buzzword we hear a lot these days in the wake of data breaches, Wikileaks, and other ... Read More

How to Delete Your Facebook Account

It might seem absurd to some people who live on Facebook, deleting your Facebook account. But, man ... Read More

How to Change Network From Public to Private On Windows

Privacy has become a major concern for many of us after reading about all the data breaches, hacki ... Read More

Twitter Security and Privacy Settings Made Simple

With data breaches and ransomware intrusions in the news daily, privacy is the word on everyone’ ... Read More

Latest Articles

What You Need to Know about the Hot Topic Data Breach

What You Need to Know about the Hot Topic Data Breach

Hot Topic plays in the fashion, apparel, and shoe industry as a retailer of music-influenced apparel and accessories, such as jeans, tops, belts, dresses, pajamas, sunglasses, jewelry, and tees.

Google Voice Scams: What They Are and How to Stay Safe

Google Voice Scams: What They Are and How to Stay Safe

Google Voice scams continue to pose a risk for users of this service. Scammers continuously attempt to lure users into divulging their verification PIN code.

What Are Pretexting Attacks: Scam Types and Security Tips?

What Are Pretexting Attacks: Scam Types and Security Tips?

Have you ever received a text from someone you do not know? Did you become alarmed by the message? Did the message contain information about you and the people you know?

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Notice

By proceeding with this scan, you agree to let IDStrong run a Free Scan of supplied parameters of your personal information and provide free preliminary findings in compliance with our Terms of Use and Privacy Notice. You consent to us using your provided information to complete the Free Scan and compare it against our records and breach databases or sources to provide your Free preliminary findings report.

Rest assured: IDStrong will not share your information with third parties or store your information beyond what is required to perform your scan and share your results.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close