Password Entropy

What is entropy?

Entropy is a measure of unpredictability. In the context of passwords, it quantifies how many guesses an attacker would need to find your password. Higher entropy means a stronger password.

Entropy is measured in bits. Each bit of entropy doubles the number of possible combinations. A password with 40 bits of entropy has about 1 trillion (2⁴⁰) possible values.

Why length beats complexity

Many people believe that adding special characters and mixed case makes a password strong. While character variety helps, length matters far more.

Consider these examples:

• P@ss1! — 6 characters, limited entropy despite special characters
• correct horse battery staple — 28 characters from a word list, very high entropy

A longer password made of common words is stronger than a short password full of symbols. This is because the total entropy depends on both the alphabet size and the length.

The formula is: entropy = length × log₂(alphabet_size)

Why passphrases are practical

Passphrases — sequences of random words — are both strong and memorable. A 4-word passphrase from a 2048-word dictionary has about 44 bits of entropy. A 6-word passphrase has about 66 bits.

Passphrases are easier to type, easier to remember, and harder for computers to crack than traditional "complex" passwords.

Why you should never reuse passwords

Password reuse is one of the most common ways accounts get compromised. When one service suffers a data breach, attackers try the same credentials on other services — a technique called credential stuffing.

Use a unique password for every account. A password manager makes this practical. Generate strong, unique passwords right here in your browser with RandKit.