Password Entropy: Definition and How to Calculate It
6 min read
What is Password Entropy?
Hackers use sophisticated software to make brute-force attacks on user passwords. It can automatically make thousands of attempts to guess a weak login credential in less than an hour.
This is alarming, but luckily, higher password strength requires much longer brute-force attacks to crack it. That's because stronger passwords have more entropy.
In information theory and mathematics, entropy measures the uncertainty of a variable's outcome. This can be applied to user passwords in terms of how predictable the password is.
So, password entropy is a measure of how easy (or difficult) it is to crack algorithmically guess the password. In other words, it shows how effective it is against attacks by hackers.
High entropy passwords use many different variables, such as special characters, to lower the probability of it being guessed. In turn, low entropy user passwords contain known phrases and often use only lowercase letters.
Generally, you should consider these factors when increasing password strength:
- Length
- Lowercase letters
- Uppercase letters
- Special characters
- Numbers
In terms of sheer probability, passphrase length is the most important one, but other factors account for it as well. Four-character passwords with only numbers can be guessed in a few seconds. If you add ten characters and mix uppercase with lowercase letters, it can take up to a year or even more.
What Are Bits of Entropy?
Bits of entropy quantitatively represent password strength. Having such an objective measure helps to compare combinations and choose the safest one.
In information theory, one bit is a binary value with equal probability. For example, an already-known password is valued at 0 bits since you don't need to guess it. A password that can be guessed on the first attempt is evaluated at 1 bit.
However, passwords have many more states than simply being known or requiring one guess. That's why we have a much wider range of bits of entropy to consider.
A password with over 120 bits is strong, and every combination below 60 is weak. A rule of thumb for protecting sensitive login credentials is to use a password with more than 64 bits. Here's an example: #CometVPN777+
Such a password is much more difficult to brute force for hackers and, all else being equal, makes your account safer. Calculating bits for such complex password combinations requires a base-2 logarithm formula - E = log2(R ^L)
The formula takes the total number of possible characters (R), raises it to the power of password length (L), and converts it into password entropy bits (E). Our #CometVPN777+ password is around 85 bits strong.
For those interested in the underlying math, we've included a step-by-step explanation at the end of the article. However, you can get a fairly good idea from online calculators. Just make sure to use ones that don't require you to enter your password.
The table below should also give you a good idea of passwords and their evaluation in bits.
Why is Password Entropy Important?
It's well known that factors such as using the same password for multiple accounts weaken it while the math used to calculate password entropy will not necessarily show it. That's because some password combinations, while being tough to crack in mathematical terms, are well-known to hackers.
So-called dictionary attacks use lists of frequently entered passwords. It can be a simple dictionary or a database of passwords leaked into the dark web. For example, a password P@ssw0rd might have well over 50 bits, but it's likely one of the first ones to be entered by hackers.
Password uniqueness can't be quantitatively measured in bits, but it shouldn't discourage you from measuring password entropy. Using a high entropy password saves you from almost any other type of password attack.
A brute force attack will easily break a low-entropy password, even if it is an extremely unique one. At the same time, a well-known but high-entropy password will be safe against brute force attacks only if the hacker doesn't use a common password list.
Ensuring a high password entropy rating is necessary for your password strength, but it isn't the only thing to care about. Creating unique passwords, changing them frequently, and keeping them a secret are equally important.
What's the Difference Between Password Complexity and Entropy?
It's a common misconception that password complexity equals password entropy. While the concepts are related, they are not the same.
Complexity refers to the possible character range (R) of a password. That's why most systems ask users to create passwords with a certain amount of different characters. Usually, it also raises the password entropy, but that's not a given.
A shorter but more complex password will still be easier to crack than a less complex but lengthier one. That's because when calculating the bits of entropy, we must take into account both overall length (L) and character range (R).
For example, password 1@x!A has only 32 bits, is easy to crack, and is difficult to remember. For comparison, password veryreliableVPN has over 85 bits and is easier to remember but harder to crack.
You shouldn't aim to create passwords that are overly complex and difficult to remember. Neither should you aim for long passwords that use only a few different characters.
Instead, the goal is to create passwords that have a high entropy but are fairly easy to remember. Usually, the sweet spot lies somewhere in the middle. For example, rel1@bl3VPN! is 78 bits.
How Can You Calculate Password Entropy?
One of the main things password entropy teaches us is that phrases difficult to brute force aren't necessarily overly complex. Understanding the calculus behind password entropy helps to find the right balance.
As mentioned, the password entropy formula is E = log2(R^L). Let's take the password rel1@bl3VPN! as an example to demonstrate how the calculation works.
Total number of possible characters
We get the total number of possible characters (R) by adding all variations of each character type used. Our example password uses all four types of characters.
- Lowercase letters (a-z) - 26
- Uppercase letters (A-Z) - 26
- Special Characters (@#!?.&*^%*) - 32
- Digits (0-9)- 10
So, we have a total of 94 possible characters for rel1@bl3VPN! and can fill in the first variable in our equation.
E = log2(94^L)
A password without some character type would have fewer variations. For example, reli@bleVPN! has only 84, even though it uses more lowercase letters.
Note that we assume a standard Latin alphabet, US QWERTY keyboard layout, and a decimal numerical system. Changing any of these measures will alter your calculations.
Password length
The length of a password is easier to calculate because it's simply the number of characters used in the phrase. Each character counts once, no matter the type.
In the case of rel1@bl3VPN! it's 12, which we use to raise 94 and add to our equation.
E = log2(94^12) = log2(475920314814253376475136)
Base-2 logarithm
The final step is to use the base-2 logarithm to represent binary bits. So, our equation looks as follows.
E = log2(94^12) = 78.65
We can conclude that our example password rel1@bl3VPN! is of 78.65 bits of entropy. While it's a very strong password, we recommend using something you think of yourself to make it more unique.
The same calculations can be used to check the entropy of any password. It's a good idea to calculate bits of entropy with this formula for all of your passwords before using them.
Conclusion
High password entropy is crucial for impenetrable passwords. You don't need to do the logarithmic math in your head, though. The thing to remember is that a more complex passphrase is not necessarily safer. A high entropy password balances both total length and possible character variations.
Related articles
4 min read
Best Residential VPN Providers in 2024
A Virtual Private Network (VPN) encrypts your traffic and hides your IP address. The way these functions are accomplished affects various aspects of your online privacy and security. Here, we'll consider using residential IP addresses instead of those originating from a data center. A residential VPN has advantages compared to traditional ones, but there are some caveats. It all boils down to residential VPN providers. The worst ones may even create more risks than benefits. We'll end this article with a list of the best residential VPN providers on the market.
3 min read
Ethernet vs Wi-Fi: Which One is Better?
Ethernet and Wi-Fi are the two main ways to connect your computer to the internet. While Wi-Fi has received significantly more attention in recent years, especially among consumers, due to its simplicity and flexibility, ethernet is still widely used in various other applications. Even if Wi-Fi is significantly more popular, it isn’t strictly better. Both methods have their benefits and drawbacks. Wi-Fi’s popularity comes from its ease-of-use and flexibility, but an ethernet connection can be much more useful in certain scenarios.
4 min read
How to Change Chrome Proxy Settings: The Ultimate Guide
A proxy server is an easy alternative to a VPN that can perform most of the functions of the latter. It’s a server that stands between your device and the destination server, taking your connection requests and forwarding them in your name. Destination servers in almost all cases see the proxy server as the originator of the request. As such, proxies are widely used in various, mostly business-related applications whenever privacy, security, location changing, and several other factors are at play.