Password Entropy
What is Password Entropy?
Password EntropyA measure, in bits, of the unpredictability of a password — higher entropy means more guesses are required for an attacker to recover it.
Password entropy quantifies how hard a password is to guess. For a uniformly random string drawn from an alphabet of size N with length L, entropy is L * log2(N) bits. Human-chosen passwords have far lower effective entropy because of dictionary words, predictable substitutions, and reused patterns, as Claude Shannon and later cryptographers have shown. NIST SP 800-63B Appendix A discusses why bit-counting is a weak model in practice and recommends length and breach-list screening over composition rules. Long passphrases such as the four random Diceware words popularized by the EFF (around 51 bits) plus a password manager are the practical way to reach attack-resistant entropy at human-typeable lengths.
● Examples
- 01
A 12-character random password from a 94-character alphabet has roughly 78 bits of entropy.
- 02
A 4-word EFF Diceware passphrase has about 51 bits of entropy, sufficient against most offline attacks.
● Frequently asked questions
What is Password Entropy?
A measure, in bits, of the unpredictability of a password — higher entropy means more guesses are required for an attacker to recover it. It belongs to the Identity & Access category of cybersecurity.
What does Password Entropy mean?
A measure, in bits, of the unpredictability of a password — higher entropy means more guesses are required for an attacker to recover it.
How does Password Entropy work?
Password entropy quantifies how hard a password is to guess. For a uniformly random string drawn from an alphabet of size N with length L, entropy is L * log2(N) bits. Human-chosen passwords have far lower effective entropy because of dictionary words, predictable substitutions, and reused patterns, as Claude Shannon and later cryptographers have shown. NIST SP 800-63B Appendix A discusses why bit-counting is a weak model in practice and recommends length and breach-list screening over composition rules. Long passphrases such as the four random Diceware words popularized by the EFF (around 51 bits) plus a password manager are the practical way to reach attack-resistant entropy at human-typeable lengths.
How do you defend against Password Entropy?
Defences for Password Entropy typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Password Entropy?
Common alternative names include: Entropy of a password, Guessing entropy.
● Related terms
- identity-access№ 795
Password
A secret string of characters that a user supplies to prove identity to a system, traditionally the dominant single-factor authentication mechanism.
- identity-access№ 798
Password Policy
A documented set of rules governing how user passwords are created, stored, rotated, and validated to balance security against usability for the workforce.
- identity-access№ 797
Password Manager
An application that generates, stores, and autofills strong unique credentials, secured by a master passphrase and increasingly by passkeys.
- identity-access№ 884
Pwned Password
A password that has appeared in a known data breach and therefore must never be allowed as a user secret, as catalogued by Troy Hunt's Have I Been Pwned service.
- cryptography№ 059
Argon2
A modern memory-hard password hashing function and KDF, winner of the 2015 Password Hashing Competition and specified in RFC 9106.
- cryptography№ 087
bcrypt
An adaptive password-hashing function based on the Blowfish cipher with a tunable cost factor, designed by Provos and Mazières in 1999.