Entropy in Passwords: What the Number Actually Means

Password strength calculators often display a number called entropy.

You might see messages such as:

40 bits of entropy
80 bits of entropy
128 bits of entropy

For many people, these numbers are confusing.

Is 80 good?

Is 128 overkill?

How does entropy relate to password length?

And why do security professionals care about it so much?

Understanding password entropy helps explain why some passwords can be cracked almost instantly while others would take longer than the age of the universe.

What Is Password Entropy?

Password entropy is a measurement of unpredictability.

In simple terms, entropy estimates how difficult it would be for an attacker to guess a password.

Higher entropy means:

More possible password combinations
Less predictability
Greater resistance to guessing attacks

Lower entropy means:

Fewer possible combinations
More predictability
Easier password cracking

Entropy is typically measured in bits.

Each additional bit doubles the number of possible password combinations.

Why Is It Called Entropy?

The term comes from information theory.

In information theory, entropy measures uncertainty.

A completely predictable outcome has low entropy.

A completely random outcome has high entropy.

Passwords follow the same principle.

Consider these examples:

password123

qwerty

letmein

These passwords are highly predictable.

Attackers know people use them frequently.

Their practical entropy is extremely low.

Now compare them with:

vK8#rP2!mZ4@tQ9

This password is far less predictable.

An attacker has many more possible combinations to consider.

Its entropy is much higher.

How Password Entropy Is Calculated

The basic entropy formula is:

Entropy = log₂(possible combinations)

Most password entropy calculations use:

Entropy = Length × log₂(Character Set Size)

The calculation estimates how many possible passwords could exist given the length and available character choices.

Example: Four-Digit PIN

A four-digit PIN can contain:

through

This creates:

10,000

possible combinations.

Entropy becomes:

log₂(10,000)

Approximately:

13.3 bits

A four-digit PIN has about 13 bits of entropy.

Example: Eight Lowercase Characters

Suppose a password contains only lowercase letters.

Available characters:

Password length:

Possible combinations:

26⁸

Approximately:

208 billion

Entropy:

8 × log₂(26)

Approximately:

37.6 bits

Example: Sixteen Random Characters

Suppose a password uses:

Uppercase letters
Lowercase letters
Numbers
Symbols

Total character set:

Password length:

Entropy:

16 × log₂(94)

Approximately:

105 bits

This is dramatically stronger than the previous example.

Why Every Extra Bit Matters

Entropy grows exponentially.

Each additional bit doubles the search space.

Entropy	Possible Combinations
20 bits	1 million
30 bits	1 billion
40 bits	1 trillion
50 bits	1 quadrillion
60 bits	1 quintillion
80 bits	1.2 septillion
128 bits	340 undecillion

This is why small increases in entropy can have enormous security impacts.

The Problem With Entropy Calculators

Many entropy calculators assume passwords are completely random.

Humans are not random.

Consider:

Summer2026!

A calculator may assign a relatively high entropy score because the password contains:

Uppercase letters
Lowercase letters
Numbers
Symbols

However, humans frequently create passwords using predictable patterns.

Attackers know this.

Real-world cracking tools prioritize:

Dictionary words
Seasons
Years
Common substitutions
Keyboard patterns

As a result, actual security may be much lower than the calculated entropy suggests.

The Difference Between Theoretical and Real Entropy

This distinction is important.

Theoretical Entropy

Assumes every character was chosen randomly.

Example:

xR7#Lm2@Q9$KpW5!

Theoretical entropy is usually accurate here.

Human-Generated Passwords

Example:

Summer2026!

The calculation may suggest strong entropy.

Actual predictability is much higher.

This reduces real-world security.

Why Password Length Matters So Much

Many people focus on complexity requirements.

Security professionals increasingly focus on length.

Compare:

P@ssw0rd!

with:

correct horse battery staple

The second password contains more characters and far more possible combinations despite being easier to remember.

Length often contributes more entropy than adding special characters.

This is one reason passphrases have become increasingly popular.

Password Entropy and Passphrases

Passphrases work differently from random character strings.

Consider a list of:

7,776 words

Choosing four random words creates:

7,776⁴

possible combinations.

Entropy:

4 × log₂(7776)

Approximately:

51.7 bits

Using five random words:

64.6 bits

Using six random words:

77.5 bits

This provides substantial security while remaining easier to remember.

What Entropy Is Considered Secure?

There is no universal threshold, but common guidelines are:

Entropy	Security Level
Under 30 bits	Weak
30–50 bits	Moderate
50–70 bits	Strong
70–100 bits	Very Strong
100+ bits	Extremely Strong

Modern password managers often generate passwords with well over 100 bits of entropy.

Online Attacks vs Offline Attacks

Entropy matters differently depending on the attack type.

Online Attacks

The attacker submits login attempts directly.

Systems usually enforce:

Rate limits
Account lockouts
CAPTCHA challenges

Even moderate entropy may provide sufficient protection.

Offline Attacks

An attacker obtains password hashes and attempts cracking locally.

No rate limits exist.

Attackers can perform billions of guesses per second using specialised hardware.

High entropy becomes far more important.

Most password entropy discussions focus on resisting offline attacks.

Does More Entropy Always Mean Better Security?

Generally yes, but only up to a point.

A password with:

180 bits

of entropy is stronger than one with:

120 bits

However, both are already beyond practical brute-force capabilities.

At some point, additional entropy provides little practical benefit.

Other security measures become more important.

These include:

Multi-factor authentication
Password managers
Account monitoring
Breach detection
Access controls

Why Password Managers Change Everything

Humans struggle to create and remember truly random passwords.

Password managers remove this limitation.

Instead of remembering:

vK8#rP2!mZ4@tQ9

for dozens of websites, users only need to remember one master password.

The manager can generate high-entropy passwords automatically.

This dramatically improves security across all accounts.

Common Misconceptions About Entropy

Special Characters Automatically Make Passwords Strong

Not necessarily.

Length and unpredictability matter more than symbols alone.

Complex Passwords Are Always Better

A longer random passphrase may provide greater security than a short complex password.

Entropy Measures Real Security Perfectly

Entropy estimates possible combinations.

Human behaviour often reduces actual security.

Entropy Is Only About Length

Length helps significantly, but randomness is equally important.

Predictable long passwords can still be weak.

Conclusion

Password entropy measures how unpredictable a password is and how difficult it would be to guess through brute force.

Higher entropy means more possible combinations and greater resistance to password cracking. Every additional bit doubles the number of possibilities an attacker must consider.

While entropy provides a useful way to compare password strength, it is only part of the picture. Human-generated passwords often contain predictable patterns that reduce real-world security, even when calculators assign high scores.

For most users, the best approach is simple: use a password manager, generate long random passwords, enable multi-factor authentication, and avoid relying on memorable patterns. Those practices provide far more protection than chasing a specific entropy number alone.