Password Entropy
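Entropy measures password strength in bits. Higher entropy means a password is harder to crack: each additional bit doubles the number of guesses needed to cover every possibility.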
The Formula
Entropy = log₂(C^L)
= L × log₂(C)
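Where:
- C = Number of possible characters
- L = Password length
The formula assumes every character is chosen independently and uniformly at random from the character set. Passwords picked by people are more predictable, so for them the result is only an upper bound.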
Character Set Sizes
| Character Set | Size (C) | Example |
|---|---|---|
| Alphanumeric | 62 | a-z, A-Z, 0-9 |
| + Symbols | 95 | Full ASCII printable |
Entropy Examples
4-digit PIN: log₂(10^4) = 13.3 bits
8 char lowercase: log₂(26^8) = 37.6 bits
8 char mixed case: log₂(52^8) = 45.6 bits
8 char + numbers: log₂(62^8) = 47.6 bits
8 char + symbols: log₂(95^8) = 52.6 bits
12 char mixed: log₂(62^12) = 71.5 bits
16 char mixed: log₂(62^16) = 95.3 bits
How Long to Crack?
At 1 trillion guesses/second, trying every combination takes:
| Entropy | Combinations | Time to Crack |
|---|---|---|
| 40 bits | 1.1 × 10^12 | 1 second |
| 50 bits | 1.1 × 10^15 | 18 minutes |
| 60 bits | 1.2 × 10^18 | 13 days |
| 70 bits | 1.2 × 10^21 | 37 years |
| 80 bits | 1.2 × 10^24 | 38,000 years |
| 128 bits | 3.4 × 10^38 | Heat death of universe |
Recommendations
- Minimum: 60 bits (important accounts)
- Good: 70-80 bits (sensitive data)
- Excellent: 90+ bits (critical systems)
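
The formula and the targets above, turned around into a generator (an added example, not part of the original page): it computes the shortest length that reaches a target number of bits and draws each character with Python's `secrets` module, which is the uniformly random case the formula describes. The function names are this example's own, and the default guess rate is the 1 trillion guesses/second assumed in the table above.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits      # C = 62
PRINTABLE = ALNUM + string.punctuation + " "      # C = 95 (full ASCII printable)
GUESSES_PER_SECOND = 1e12                         # rate assumed in the table above


def entropy_bits(length: int, charset_size: int) -> float:
    """L * log2(C). Holds only when every character is uniformly random."""
    if length < 0 or charset_size < 2:
        raise ValueError("need length >= 0 and at least 2 possible characters")
    return length * math.log2(charset_size)


def min_length(target_bits: float, charset_size: int) -> int:
    """Smallest L such that L * log2(C) >= target_bits."""
    if charset_size < 2:
        raise ValueError("need at least 2 possible characters")
    return max(1, math.ceil(target_bits / math.log2(charset_size)))


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try all 2**bits combinations; the average hit takes half this."""
    return 2.0 ** bits / rate


def generate(target_bits: float, alphabet: str = ALNUM) -> str:
    """Random password with at least target_bits of entropy."""
    chars = sorted(set(alphabet))   # de-duplicate so C is counted correctly
    length = min_length(target_bits, len(chars))
    # secrets uses the OS CSPRNG; random.choice would be predictable.
    return "".join(secrets.choice(chars) for _ in range(length))


if __name__ == "__main__":
    # Targets taken from the Recommendations list.
    for label, bits in [("minimum", 60), ("good", 80), ("excellent", 90)]:
        pw = generate(bits)
        got = entropy_bits(len(pw), len(ALNUM))
        years = seconds_to_exhaust(got) / (365.25 * 86400)
        print(f"{label:9} {len(pw):2} chars  {got:5.1f} bits  "
              f"{years:.3g} years to exhaust  {pw}")
```

Because length is rounded up, the generated password usually exceeds the target slightly: 60 bits from the 62-character set needs 11 characters, which gives about 65.5 bits.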