Home › Blog ›
Password Entropy: How Randomness Determines Security
Cybersecurity Education
π’ Password Entropy: How Randomness Determines Security
By AY Tanoli, · 1 Jun 2026 · 3 min read · 0 words
Password entropy is the measure of unpredictability in a password, expressed in bits. Each bit of entropy doubles the number of guesses an attacker must try. A password with 40 bits of entropy, roughly the strength of a typical 8-character mix, can be cracked in minutes by modern hardware. At 80 bits, cracking becomes impractical; at 128 bits, it is effectively impossible with current technology.
Generating high-entropy passwords by hand is nearly impossible because humans are terrible at randomness. That is why a dedicated password manager with a cryptographic random number generator is essential. NordPass generates passwords with configurable entropy levels, stores them in an encrypted vault, and autofills them across your browsers and devices. With NordPass, you never need to remember another password, just one strong master password.
Password entropy is a measurement of how unpredictable a password is, expressed in bits. Each additional bit of entropy doubles the number of possible combinations an attacker would have to try in order to guess the password by brute force. A password with 40 bits of entropy has roughly one trillion possible variations, while a password with 80 bits has more combinations than there are grains of sand on Earth. Entropy, in short, is the mathematical language we use to describe randomness β and randomness is the single most important factor in determining whether a password can withstand a determined attacker.
The critical insight is that entropy measures the process used to create a password, not the password itself. A password that looks complicated to a human may have very little entropy if it was generated using a predictable pattern. True security comes from genuine, mathematical randomness.
How Entropy Is Calculated
The formula for password entropy is straightforward. Entropy in bits equals the length of the password multiplied by the base-2 logarithm of the size of the character pool. In practical terms:
Character pool size β Lowercase letters alone offer 26 possibilities per character. Adding uppercase brings it to 52, digits push it to 62, and including symbols can raise it to 95 or more.
Length β Each additional character multiplies the total number of combinations by the pool size, making length the most powerful lever for increasing entropy.
Randomness of selection β The formula only holds true if every character is chosen independently and uniformly at random.
For example, a 12-character password drawn randomly from a 95-character pool yields about 79 bits of entropy. The same length using only lowercase letters drops to roughly 56 bits. This is why both length and character variety matter, though length usually delivers the biggest gains.
Why Human-Chosen Passwords Fail
Human brains are pattern-making machines, which is precisely why people are terrible random number generators. When asked to invent a "random" password, most people unconsciously rely on familiar structures: a capitalized first letter, a word from their vocabulary, a memorable date, and an exclamation point at the end. Attackers know these habits intimately and build their cracking tools around them.
This is the gap between theoretical entropy and effective entropy. The password "P@ssw0rd123!" appears to contain twelve mixed characters and might score highly on a naΓ―ve calculator. In reality, its effective entropy is close to zero because it sits at the very top of every password-cracking dictionary. The substitutions are predictable, the structure is common, and modern hardware can test billions of such guesses per second.
The Role of a Good Generator
The only reliable way to achieve high entropy is to remove human judgment from the creation process. A cryptographically secure random number generator (CSRNG) selects each character with equal probability and no detectable bias, ensuring that the theoretical entropy and the effective entropy are one and the same. When randomness is guaranteed, an attacker has no shortcut β their only option is to try every possibility, which becomes computationally impossible at sufficient entropy levels.
When evaluating how much entropy you actually need, consider the threat:
Under 50 bits β Vulnerable to offline cracking; suitable only for trivial, throwaway accounts.
60 to 80 bits β Strong for most personal and business accounts when paired with rate limiting.
100 bits or more β Appropriate for encryption keys, master passwords, and high-value secrets that must resist nation-state resources for decades.
Passphrases: Entropy You Can Remember
Randomness does not have to mean an unmemorable string of symbols. Diceware-style passphrases generate entropy by selecting whole words at random from a large list. Each word from a 7,776-word list contributes about 12.9 bits of entropy, so a six-word passphrase delivers roughly 77 bits β comparable to a strong random character password, yet far easier for a human to recall. The key is that the words must be chosen randomly, not picked by you.
Key Takeaways
Entropy is the truest measure of password strength because it quantifies unpredictability rather than superficial complexity. To maximize it, prioritize length, draw from a large character set, and β most importantly β rely on a cryptographically secure generator rather than your own imagination. Randomness, not cleverness, is what stands between your accounts and a successful attack.
We use cookies to improve your experience. Learn more
What Password Entropy Actually Measures
Entropy quantifies unpredictability, measured in bits. Each additional bit doubles the number of guesses an attacker must attempt. A password drawn randomly from a pool of possibilities has entropy equal to the base-2 logarithm of the total combinations. The formula is straightforward: entropy equals length multiplied by the log base 2 of the character set size.
How Character Sets Change the Math
The size of your character pool directly scales the difficulty of cracking. Consider how each choice expands the search space an attacker must traverse:
Lowercase letters only: 26 possible characters, roughly 4.7 bits per character.
Adding uppercase: 52 characters, about 5.7 bits each.
Including digits: 62 characters, near 5.95 bits each.
Full symbols and punctuation: 95 characters, approximately 6.57 bits each.
A 12-character password using the full 95-character set delivers around 78 bits of entropy, which resists offline brute-force attacks for centuries with current hardware.
Why Randomness Beats Length Alone
A long password is not automatically strong. The phrase "passwordpassword" is 16 characters but carries almost no entropy because it is predictable. True entropy requires genuine randomness in the selection process. Human-chosen passwords cluster around dictionary words, dates, and keyboard patterns, slashing their effective entropy far below the theoretical maximum.
Practical Recommendations
To maximize entropy and protect your accounts, follow these evidence-based practices:
Use a password manager to generate truly random strings.
Aim for at least 80 bits of entropy for sensitive accounts.
Favor passphrases of five or more random words for memorability.
Never reuse passwords across different services.
Entropy is the mathematical foundation of password security, and understanding it transforms how you evaluate every credential you create.