By Anna Szczepanek, PhD
Last updated: May 05, 2021

The number of trials an adversary would need to guess your password is an excellent measure of the password strength. This measure is known as password entropy. We express it in terms of bits - if a password has `n` bits of entropy, an attacker needs at most `2n` guesses.

Therefore, in principle, the greater the entropy, the better a password, at least when it comes to resisting brute force attacks. Of course, statistically, an attacker will guess the password earlier than at the last attempt. Therefore, we often take the number of guesses required to have a 50% chance of finding the password as a measure of password strength. This is half the number of attempts to guess with a 100% certainty - if a password has `n` bits of entropy, an attacker needs on average `2n - 1` guesses.

## How to use this password entropy calculator?

"So how good is my password?", you think nervously. You will find out in no time!

1. For each common symbol type (lower case letters, upper case letters, numbers, etc.), enter how many characters of that type there are in your password. Our calculator does not require you to enter the password - you're 100% safe!

3. Using the `Advanced mode` of our password entropy calculator, you can customize the size of the special symbols pool.

4. Using the `Advanced mode`, you can also add up to three custom pools and set their respective sizes.

Here's a mathematical recipe for how to calculate password entropy:

`E = log2(RL)`,

where:

• `R` - Size of the pool of unique characters from which we build the password; and
• `L` - Password length, i.e., the number of characters in the password.

Using the properties of logarithms, we can rewrite the above formula as:

`E = L * log2(R)`.

That is, we can compute the password entropy by first finding the entropy of one character in the set of `R` characters, which is equal to `log2R`, and then multiplying it by the number of characters in the password, i.e., by `L`.

If you are not happy with log base 2, you can use the log change of base formula to obtain:

`E = L * log(R) / log(2)`,

where `log` is to any base.

What we can immediately deduce from the password entropy formula is that increasing either `L` or `R` will strengthen the password. Hence, to have a stronger password, you must either expand the pool of characters or make the password longer. In particular, a longer password from a smaller pool can be as effective as a shorter yet more complex one!

 💡 If you are familiar with the concept of Shannon entropy, you may notice that password entropy is equal to the Shannon entropy of the uniform distribution on the set of all passwords (strings) of length `L` with elements drawn from the set of `R` possible symbols. Clearly, there are `RL` such passwords.

## How to calculate password entropy? Examples

We calculate password entropy by first looking at the pool of characters a password is made from. Here's a summary of the most important pools:

PoolElementsPool size
Digits 0-9 10
Lower case Latin letters a-z26
Upper case Latin letters A-Z 26
Latin letters a-z, A-Z 52
Alphanumeric a-z, 0-936
Alphanumeric & Upper Case a-z, A-Z, 0-962
Special symbols (typical U.S. keyboard) `~!@#\$%^&*()-=_+[{]}\|;':",.<>/?32

To determine the pool size for your password, go through the table above. If your password contains at least one character from a given category, then mark this category. Then add the sizes of categories that you've marked. For example:

• The password incorrect has a pool of `26` characters (lower case letters);
• Changing the password to Incorrect would increase the pool to `52` characters (lower case and upper case letters);
• Changing it further to IncoRRect77 would increase the pool to `62` characters (lower case, upper case letters, numbers); and
• Finally, IncoRRect77\$%& has the pool of `26 + 26 + 10 + 32 = 94` characters (lower case, upper case letters, numbers, and special symbols).

The other quantity you need to know to compute your password's entropy is the password length. Nothing complicated here, you just need to count the characters. Continuing our example, both incorrect and Incorrect have `9` characters, IncoRRect77 has `11` characters, and Incorrect77\$%& has `14` characters.

Once you know the pool size `R` and the password length `L`, the last step to determine password entropy is to apply the formula `E = log2(RL)` or `E = L * log2(R)`, whichever you like better. We will use the latter one.

In our example:

• For incorrect, we have `R = 26` and `L = 9`, so

`E = 9 * log2(26) ≈ 9 * 4.700 ≈ 42.3 bits`;

• For Incorrect, we have `R = 52` and `L = 9`, so

`E = 9 * log2(52) ≈ 9 * 5.700 ≈ 51.3 bits`;

• For IncoRRect77, we have `R = 62` and `L = 11`, so

`E = 11 * log2(62) ≈ 11 * 5.954 ≈ 65.5 bits`;

• For IncoRRect77\$%&, we have `R = 94` and `L = 14`, so

`E = 14 * log2(94) ≈ 14 * 6.5545 ≈ 91.76 bits`.

## Password entropy is NOT all that matters!

⚠️ Never rely solely on entropy to decide whether to use a particular password!

Password entropy is just one aspect of deciding which type of password would be considered secure. It may happen that two passwords have the same entropy, and one of them is reasonably strong while the other is extremely weak. This is because of password dictionaries, which are lists of leaked passwords that are available online. Using such lists is known as a dictionary attack, and any attacker attempting to unlock your account would try it before moving on to a brute force attack. So, if you use a password that is in a dictionary of common passwords, it doesn't matter how many bits of entropy this password contains - it will get broken very quickly!

## FAQ

### How do I create a strong password?

1. Make sure your password cannot be found in any dictionary of leaked passwords. Make it as unique as possible.
2. Increase the length of the password.
3. Enlarge the pool of symbols from which you take characters. Use lower case letters, upper case letters, digits, and special symbols.

### When is a password secure?

A password is secure if it has at least 50 bits of entropy and does not appear in any list of leaked passwords.

### How much entropy does my password have?

1. Determine the length of your password - how many characters there are.
2. Calculate the size of the pool of symbols from which you've taken the characters. For instance, if you only use lower case letters, the pool size is 26. If you additionally use some digits, the pool size is already 36.
3. Compute the entropy as password its length times the log of the pool size to base 2.

### How many bits of entropy for a good password?

For non-vital accounts, 25-30 bits of entropy are enough. For more important accounts, aim for 60-80 bits of entropy, up to 100 for crucial ones.

### How to calculate password strength?

Password strength is quantified by password entropy, which is the log of the number of trials an adversary would have to make in order to guess your password.

Anna Szczepanek, PhD
Enter how many characters of each type there are in your password:
Lower case Latin letters
Upper case Latin letters
Digits
Special characters
Click the Advanced mode if your password uses symbols from other character pools. You can define up to three custom pools - just enter their size.
Result
0
bits
People also viewed…

### 3D render time

The 3D render calculator estimates how long your animation will take to render. Need to meet a deadline? Find out the maximum render time per frame or how many machines you need to finish on time.

### BMR - Harris-Benedict equation

Harris-Benedict calculator uses one of the three most popular BMR formulas. Knowing your BMR (basal metabolic weight), may help you make important decisions about your diet and lifestyle.

### Circle skirt

Circle skirt calculator makes sewing circle skirts a breeze.

### Screen size

The screen size calculator finds the physical dimensions such as height and width, and the area of the screen. 