Password Entropy Calculator

Omni's password entropy calculator can help you estimate how strong your password is and, if need be, come up with a new, stronger password.

"Is it even possible to compute how good my password is?", you wonder. Which type of password would be considered secure? How can one measure password strength? The secret method is called password entropy.

In the text below, we explain what password entropy is and how to calculate it. And, of course, give you a formula for password entropy. The next time you see the message that "your password must contain upper case letters and numbers", you will know perfectly well what this is all about and why this requirement is there!

You may have already encountered the word entropy when learning thermodynamics. In the context of passwords, this word signifies a measure of password strength, i.e., how effective a password is against adversaries who try to guess it or use a brute-force attack. A brute force attack means that someone sets up a script to try all possible combinations of characters to find the password. Such a method eventually would determine your password, provided that the adversary knows the set of characters from which the password consists.

So your only chance is to use a password that would take a very long time to guess (optimally, several millions of years).

The number of trials an adversary would need to guess your password is an excellent measure of password strength. This measure is known as password entropy.
We express it in terms of bits – if a password has n bits of entropy, an attacker needs at most 2ⁿ guesses.

Therefore, in principle, the greater the entropy, the better a password, at least when it comes to resisting brute force attacks. Of course, statistically, an attacker will guess the password earlier than at the last attempt. Therefore, we often take the number of guesses required to have a 50% chance of finding the password as a measure of password strength. This is half the number of attempts to guess with a 100% certainty – if a password has n bits of entropy, an attacker needs, on average, 2^{n - 1} guesses.

Have you ever heard someone saying, "my password is too complex to remember" instead of "the entropy of my password is really high"? That's because entropy and complexity are closely related concepts. Learn more about complexity in programming at our cyclomatic complexity calculator.

"So how good is my password?", you think nervously. You will find out in no time!

1. For each common symbol type (lower case letters, upper case letters, numbers, etc.), enter how many characters of that type there are in your password. Our calculator does not require you to enter the password – you're 100% safe!

2. Our password entropy calculator returns the number of bits of entropy in your password as well as tells you how strong your password is.

3. Using the Custom characters section of the calculator, you can also add up to three custom pools and set their respective sizes.

Here's a mathematical recipe for how to calculate password entropy:

E = log₂(R^L)

where:

• R — Size of the pool of unique characters from which we build the password; and
• L — Password length, i.e., the number of characters in the password.

Using the properties of logarithms, we can rewrite the above formula as:

E = L × log₂(R)

That is, we can compute the password entropy by first finding the entropy of one character in the set of R characters, which is equal to log₂R, and then multiplying it by the number of characters in the password, i.e., by L.

If you are not happy with log base 2, you can use the log change of base formula to obtain:

E = L × log(R) / log(2)

where log is to any base.

What we can immediately deduce from the password entropy formula is that increasing either L or R will strengthen the password. Hence, to have a stronger password, you must either expand the pool of characters or make the password longer. In particular, a longer password from a smaller pool can be as effective as a shorter yet more complex one!

We calculate password entropy by first looking at the pool of characters a password is made from. Here's a summary of the most important pools:

To determine the pool size for your password, go through the table above. If your password contains at least one character from a given category, then mark this category.

Then add the sizes of the categories that you've marked. For example:

• The password incorrect has a pool of 26 characters (lowercase letters);

• Changing the password to Incorrect would increase the pool to 52 characters (lower case and upper case letters);

• Changing it further to IncoRRect77 would increase the pool to 62 characters (lower case, upper case letters, numbers); and

• Finally, IncoRRect77$%& has the pool of 26 + 26 + 10 + 32 = 94 characters (lower case, upper case letters, numbers, and special symbols).

The other quantity you need to know to compute your password's entropy is the password length. Nothing complicated here; you just need to count the characters. Continuing our example, both incorrect and Incorrect have 9 characters, IncoRRect77 has 11 characters, and Incorrect77$%& has 14 characters.

Once you know the pool size R and the password length L, the last step to determine password entropy is to apply the formula:

E = log₂(R^L)

or:

E = L × log₂(R),

whichever you like better. We will use the latter one.

In our example:

• For incorrect, we have R = 26 and L = 9, so:

  E = 9 × log₂(26) ≈ 9 × 4.700 ≈ 42.3 bits

• For Incorrect, we have R = 52 and L = 9, so:

  E = 9 × log₂(52) ≈ 9 × 5.700 ≈ 51.3 bits

• For IncoRRect77, we have R = 62 and L = 11, so:

  E = 11 × log₂(62) ≈ 11 × 5.954 ≈ 65.5 bits

• For IncoRRect77$%&, we have R = 94 and L = 14, so:

  E = 14 × log₂(94) ≈ 14 × 6.5545 ≈ 91.76 bits

⚠️ Never rely solely on entropy to decide whether to use a particular password!

Password entropy is just one aspect of deciding which type of password would be considered secure. It may happen that two passwords have the same entropy, and one of them is reasonably strong while the other is extremely weak.

This is because of password dictionaries, which are lists of leaked passwords that are available online. Using such lists is known as a dictionary attack, and any attacker attempting to unlock your account would try it before moving on to a brute force attack. So, if you use a password that is in a dictionary of common passwords, it doesn't matter how many bits of entropy this password contains - it will get broken very quickly!