PasswordCrunch.com
Password Security · 6 min read

What Is Password Entropy? A Plain English Explanation

Entropy is one of those words that sounds technical but describes a simple idea: how hard would it be to guess this password? Here is what entropy actually measures, how to read the numbers and why the single biggest thing you can do for password security is add more characters.

Entropy in one sentence

Password entropy is a measure of how unpredictable a password is, expressed in bits. The higher the number, the more guesses an attacker would need to crack it, and the longer it would take. That is all it means. The word "entropy" comes from information theory — the same field that gave us data compression — and measures the amount of uncertainty in a system.

How entropy is calculated

The formula is: entropy = length × log₂(character set size).

The character set size is the number of possible characters at each position in the password. If your password uses only lowercase letters, that is 26 options per character. Add uppercase and it becomes 52. Add numbers and it is 62. Add the common symbols on a standard keyboard and it reaches 94.

The log₂ part converts that pool size into bits. A pool of 94 characters gives you log₂(94) ≈ 6.55 bits per character. So a 16-character password using the full character set has approximately 16 × 6.55 = 105 bits of entropy.

What does 105 bits mean in practice? It means there are 2¹⁰⁵ possible combinations — a number with 31 digits. Even if an attacker could test a trillion combinations per second, it would take longer than the age of the universe to exhaust all possibilities.

What the numbers mean in practice

Entropy range Rating What it means
Under 28 bits Weak Crackable instantly by a modern computer
28–35 bits Weak Crackable in minutes to hours
36–59 bits Fair Reasonable for low-value accounts; crackable with effort
60–127 bits Strong Computationally expensive to crack; adequate for most uses
128 bits or more Very strong Essentially uncrackable with foreseeable technology

Why length beats complexity

This is the most important practical lesson from entropy maths. Each character you add to a password multiplies the number of possible combinations by the character set size. Each character type you add increases the character set size — but only by a fixed amount.

Concrete example: a 12-character password using only lowercase letters has 12 × 4.7 = 56 bits of entropy. Add uppercase, numbers and symbols, giving you a 94-character pool, and you get 12 × 6.55 = 79 bits. An improvement, but not dramatic. Now extend the lowercase-only password to 20 characters: 20 × 4.7 = 94 bits — already stronger than the complex 12-character version, and easier to type.

Length wins because it scales linearly with entropy. Complexity has diminishing returns once you cover the main character types.

This is why NIST's updated guidelines focus on minimum length rather than complexity rules. Forcing users to add a symbol or number feels like adding security, but adding even two or three more characters to the length achieves more.

The problem with entropy estimates

Entropy calculations assume the password is truly random — that every character is independently chosen from the full pool with equal probability. Human-chosen passwords almost never meet this standard. When people pick a password, they favour certain letters, avoid unusual symbols, start with capitals and end with numbers. These patterns drastically reduce the effective entropy even if the raw calculation suggests strength.

A password like London2024! scores well on a naive entropy check — it is 10 characters, has uppercase, lowercase, numbers and a symbol. Its actual entropy is close to zero because it follows an obvious pattern that attackers test in their first few seconds of a dictionary attack.

This is why the most reliable way to achieve the entropy a password generator promises is to let it generate the password for you, using a cryptographically secure source of randomness rather than your own choices.

Entropy vs cracking time

Cracking speeds vary enormously depending on whether the attacker has your raw password hash or is attacking a live login system. A live system with rate limiting might only allow a few guesses per second. An offline attack against a stolen password database can run at billions of guesses per second on a modern GPU.

For passwords stored in well-designed systems using strong hashing algorithms (bcrypt, Argon2), even relatively low entropy passwords are protected. For passwords stored carelessly (plain text, MD5), high entropy is the only real defence. Because you cannot know how a service stores your password, the prudent choice is to treat every password as if it will be attacked offline.

Check yours

See your password's entropy score instantly

Paste any password into the strength checker and get an entropy rating, a strength label and a plain-English explanation of what it means — all in your browser with nothing sent to a server.

Open Password Strength Checker

This article is for general informational purposes. Entropy estimates assume true randomness. Human-chosen passwords typically have lower effective entropy than calculated values suggest.