What Is Password Entropy and How to Use It for Your Own Benefit
Years ago, security experts realized that left to their own devices, users won't choose strong passwords. They saw that we actively need to encourage people to protect their accounts better. This, more or less, is why we now have password strength meters on pretty much every sign-up form. The thing is, a working strength meter needs to base its assessment on some sort of reasonably reliable factors, and not just on an arbitrary judgment. One such factor is the password's entropy.
Table of Contents
What is password entropy?
Traditionally connected to thermodynamics, the word "entropy" comes from the Greek "entropia" which means "a turning toward". In the context of passwords, it is used as a measurement of how random a password is. The higher the entropy of a password, the harder it is to brute-force. It's measured in bits, and there's a mathematical formula for calculating it.
E = log2(R) * L
E stands for entropy. R is the number of available characters. L is the length of the password. You can also get the entropy of the password by first calculating the number of available characters (R) to the power of the number of characters in the password (L), and then calculating the binary logarithm (log2) of the result (E = log2(RL)). Let's see how it works in action.
Creating passwords with higher entropy
Let's say you have a password that is six characters long and consists of only lowercase letters, e.g., "puzzle". The range of available characters is 26 meaning that log2(R) sits at just over 4.7. Multiply that by 6 (the password's length), and you get the entropy which is 28.2 bits.
Let's swap "puzzle" for "puzzLe". This time we have an uppercase letter which means that the number of available characters goes up to 52 (26 lowercase letters and 26 uppercase letters). The binary logarithm of 52 is 5.7, and the entropy goes up to 34.2 bits.
We'll now replace a couple of letters with a number and a special character – "pu>zL3". If we collect all the letters of the English alphabet (both lowercase and uppercase), add the numbers, and include the so-called special symbols that are most commonly found in passwords, we end up with 94 possible characters. The binary logarithm of 94 is about 6.6 meaning that the entropy of a password like "pu>zL3" is 39.6 bits.
What makes entropy a good way of estimating a password’s strength
You can see that entropy is an illustrative (if slightly geeky) way of demonstrating how the addition of a wider variety of characters impacts the strength of a password. It also shows, however, that length is just as important.
If you take "pu>zL3", add a few symbols at the beginning and put a couple more at the back, you'll end up with something like ")g^pu>zL3/9". You still have the same variety of possible characters, but the password is now 11 characters long which means that the entropy sits at 72.6 bits – a massive improvement.
Entropy is a good way of judging how difficult it would be to brute-force a password. A high entropy doesn't (and will never) mean an invincible password, though.
High-entropy is not enough
Most people would agree that ")g^pu>zL3/9" is a reasonably strong password. In much the same way, most people would agree that "P@ssword123" is a horrific password. As far as entropy is concerned, however, they're identical. We still have a password that is eleven-characters long, it still has a capital letter, a symbol, and some numbers. Use the formula, and you'll end up with the same result – 72.6 bits. Open any password dictionary, however, and you'll find "P@ssword123" very near the top, and if you go to Troy Hunt's HaveIBeenPwned service, you'll see that it's been compromised at least 1,022 times.
Entropy, on its own, should never be relied upon to tell us whether or not we should use a particular password. We have to bear in mind other things like whether the password is used on another website, for example, and whether or not it might have been stolen during a data breach of an online service.
To help you take all these things into consideration, we included a special Password Analyzer in our Cyclonis Password Manager. In addition to using a complex algorithm (based on Dropbox's zxcvbn) to check the strength of a password, it monitors its age, compares it to the rest of your login data to ensure that you haven't reused it, and warns you if it might have been compromised. Based on all this information, the Password Analyzer calculates your Total Strength Score – a visual representation of the overall resilience of your passwords not just against brute-force attempts, but against other attacks as well. With the built-in password generator, you'll also be able to create unique, high-entropy passwords for all your accounts at the click of a button. To learn more about how it all works, click here.