Home › Blog ›
Password Entropy: How Strong Is Your Password Really?
Password Security
🔢 Password Entropy: How Strong Is Your Password Really?
By AY Tanoli, · 25 May 2026 · 3 min read · 0 words
The mathematics behind password entropy is straightforward: entropy in bits equals log₂ of the character set size raised to the power of password length. A 12-character password using uppercase, lowercase, digits, and symbols (94 characters) has approximately 78.6 bits of entropy. That same length using only lowercase letters drops to just 56.4 bits, a massive reduction in cracking difficulty.
Understanding this math helps you make informed security decisions, but applying it manually is impractical. NordPass automates the process with its built-in password generator, allowing you to specify length and character sets while the software handles the cryptographic random generation. For a deeper dive into your password security, 1Password's Watchtower feature provides entropy estimates and flags weak or reused credentials across your entire vault.
Password entropy is a measurement of unpredictability, expressed in bits. Each bit of entropy represents a doubling of the number of possible combinations an attacker would have to test to guess your password. A password with 40 bits of entropy has roughly one trillion possible variations, while a password with 80 bits has more combinations than there are grains of sand on Earth many times over. The higher the entropy, the longer a brute-force attack takes, and the more resistant your password becomes to modern cracking hardware.
Crucially, entropy measures the process used to create a password, not the final string itself. A password that looks random to a human may have very low entropy if it was chosen from a small or predictable set of options. This is why "how strong is my password?" is really a question about how it was generated.
The Math Behind the Bits
Entropy is calculated with a simple formula: the number of bits equals the length of the password multiplied by the base-2 logarithm of the size of the character pool. In plain terms, it depends on two things — how many characters you choose from, and how many characters long the password is.
Lowercase letters only (26 characters): about 4.7 bits per character
Lowercase and uppercase (52 characters): about 5.7 bits per character
Letters and digits (62 characters): about 5.95 bits per character
Full keyboard with symbols (94 characters): about 6.55 bits per character
This reveals an important truth: length contributes far more to strength than complexity. Adding one more character to a password increases its entropy by a fixed number of bits, but every added character multiplies the total search space. A 16-character password drawn from only lowercase letters is dramatically stronger than an 8-character password packed with symbols.
Why Human-Chosen Passwords Fail
The entropy formula assumes every character is chosen randomly and independently. Human-created passwords almost never meet this standard. We substitute predictable symbols (the @ for an "a," a 3 for an "e"), append the current year, capitalize the first letter, and end with an exclamation point. Attackers know these patterns and bake them directly into their cracking dictionaries.
As a result, a password like "P@ssw0rd2026!" might appear to have high entropy on paper, but its real-world entropy is a tiny fraction of that estimate because it follows well-known rules. True entropy only comes from genuine randomness — the kind a computer provides and a human brain cannot.
How Much Entropy Is Enough?
The right target depends on what you are protecting and who might attack it. As a general guideline:
Under 28 bits: Very weak — crackable almost instantly.
28–50 bits: Weak to moderate — vulnerable to determined attackers with consumer hardware.
60–80 bits: Strong — suitable for important personal accounts.
100+ bits: Very strong — appropriate for encryption keys, master passwords, and high-value targets.
For most people, aiming for 70 to 80 bits of entropy strikes a practical balance between security and usability. This is easily achieved with a randomly generated password of 12 to 14 characters using a full character set, or with a passphrase of five or six random words.
Passphrases: High Entropy You Can Remember
Random character strings deliver excellent entropy but are hard to memorize. Passphrases offer a compelling alternative. By selecting several truly random words from a large word list, you can build a password that is both strong and human-friendly. A six-word passphrase chosen from a 7,776-word list carries roughly 77 bits of entropy — comparable to a strong random string, yet far easier to recall and type.
Generating Genuine Randomness
Because the human brain is a poor source of randomness, the safest path to high entropy is a cryptographically secure generator. A trustworthy password generator draws from your operating system's secure random source, ensuring every character is independent and unpredictable. When you let a generator do the work, the entropy estimate it reports actually reflects reality — and that is the whole point of measuring it.
Understanding entropy turns password security from guesswork into mathematics. Once you know how the bits add up, choosing a length and character set that protects your accounts becomes a deliberate, confident decision rather than a hopeful one.
We use cookies to improve your experience. Learn more
What Password Entropy Actually Measures
Password entropy is a measurement of unpredictability, expressed in bits. Each bit doubles the number of possible combinations an attacker must try. A password with 40 bits of entropy has roughly one trillion possible variations, while 80 bits pushes that figure beyond the reach of any current hardware. The formula is straightforward: entropy equals length multiplied by the base-2 logarithm of the character pool size. This means both length and variety contribute, but length is the dominant factor.
Calculating Entropy With Real Examples
Consider the difference between common password choices and how their strength scales:
"password" — eight lowercase letters drawn from a pool of 26 yields about 37 bits, cracked almost instantly.
"P@ssw0rd1" — nine mixed characters look complex but only reach roughly 52 bits because predictable substitutions are well known to cracking tools.
"correct-horse-battery-staple" — four random dictionary words deliver around 44 bits per word combination, often exceeding 80 bits total while remaining memorable.
A 16-character random string from all 94 printable ASCII characters produces about 104 bits, considered effectively unbreakable.
Why Predictability Destroys Entropy
The mathematical entropy assumes truly random selection. In practice, humans choose patterns: capitalizing the first letter, appending a number, or swapping "a" for "@". Attackers exploit these habits with rule-based dictionaries, so a password that scores high on paper may fall in seconds. Genuine randomness is the only reliable defense.
Practical Steps to Raise Your Entropy
Favor length over complexity — aim for at least 16 characters.
Use a passphrase of four or more unrelated random words.
Rely on a password manager to generate and store high-entropy strings.
Never reuse passwords across accounts, regardless of their strength.