Password entropy is a measurement of how unpredictable a password is.
The formula for entropy is:
E stands for "entropy," which is the opposite of an ordered pattern. Entropy is good: the bigger the E, the harder a password is to crack.
We calculate password entropy by first looking at the pool of characters a password is made from.
For example, the password "password" would have a possible pool of 26 characters from the English alphabet.
Changing the password to "Password" would increase your pool to 52 characters. I made a table below to outline the rest.
| Type | Pool of Characters Possible |
|---|---|
| Lowercase | 26 |
| Lower & Upper Case | 52 |
| Alphanumeric | 36 |
| Alphanumeric & Upper Case | 62 |
| Common ASCII Characters | 30 |
| Diceware Words List | 7,776 |
| English Dictionary Words | 171,000 |
Password strength is determined with this chart:
< 28 bits = Very Weak; might keep out family members
28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
36 - 59 bits = Reasonable; fairly secure for network and company passwords
60 - 127 bits = Strong; can be good for guarding financial information
128+ bits = Very Strong; often overkill
While a password with 40-50 bits of entropy may be semi-safe now, it is only a matter of time until GPUs become more powerful, and password cracking takes less time!
Here is an example:
If your keyboard has 95 unique characters and you are randomly constructing a password from that whole set, then R = 95.
If you have a 12-character password, then L = 12.
The number R to the L power is 540,360,087,662,636,962,890,625 -- which is how many passwords you have.
That's the same as 2^78.9 -- and the log2 of that is 78.9. In info-security lingo, it's 78.9 bits of entropy. That approaches the "exponential wall," where a password could take ages to crack.
1 - 10 Now calculate password entropy for the following passwords:
__________ 1. password
R = 26 since its pool of characters is just the 26 lower case letters and L = 8 (the length)
__________ 2. Password
__________ 3. qwerty
__________ 4. abc123
__________ 5. MrP*MathPage
R = 82 since it uses upper and lower case and ASCII characters
__________ 6. 123456
__________ 7. starwars
__________ 8. baseball
__________ 9. P33e=7a*E6m
__________ 10. Q77a&-2kB4R2
__________ 11. If the password entropy of an eight character password is 34.9 bits,
what is the pool of characters?
__________ 12. If the password entropy of a twelve character password is 55.7 bits,
what is the pool of characters?
Click here for a Password Strength Test Checker
Note that when entering common passwords or passwords with sequential digits or letters or passwords with common words, the entropy will be lower than that calculated with the formula above.
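An added example (not part of the original worksheet): a Python calculator that derives R from the table's pool sizes, takes the log2 of R to the L power as in the worked example, and applies the strength chart. To model the note about common passwords it assumes a cap of log2(list size) for any password found on a list; the function names and the six-entry `SAMPLE_COMMON` list are constructed for illustration.

```python
import math
import string

# Pool sizes from the page's table: 26 lowercase, 26 more for uppercase,
# 10 digits (26 + 10 = 36 alphanumeric), 30 common ASCII symbols.
CLASS_POOLS = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
)
SYMBOL_POOL = 30

# Constructed sample list; a real check would use a large list of common
# and breached passwords.
SAMPLE_COMMON = {"password", "qwerty", "abc123", "123456", "starwars", "baseball"}


def pool_size(password):
    """R: sum of the pools of every character class the password uses."""
    r = sum(size for chars, size in CLASS_POOLS if any(c in chars for c in password))
    if any(c not in string.ascii_letters + string.digits for c in password):
        r += SYMBOL_POOL
    return r


def entropy_bits(r, length):
    """log2(R^L), computed as L * log2(R) to avoid huge intermediate numbers."""
    return length * math.log2(r) if r > 0 and length > 0 else 0.0


def rating(bits):
    """Strength bands from the page's chart (35 to 36 bits is treated as Weak)."""
    for limit, label in ((28, "Very Weak"), (36, "Weak"), (60, "Reasonable"), (128, "Strong")):
        if bits < limit:
            return label
    return "Very Strong"


def assess(password, common=SAMPLE_COMMON):
    """Return (formula bits, effective bits, rating of the effective value)."""
    formula = entropy_bits(pool_size(password), len(password))
    # Assumption: a listed password is found within len(common) guesses.
    effective = min(formula, math.log2(len(common))) if password in common else formula
    return formula, effective, rating(effective)


if __name__ == "__main__":
    for pw in ("password", "MrP*MathPage"):
        print(pw, pool_size(pw), assess(pw))
```

The formula value only holds when every character is chosen at random from the pool; the capped value shows how far a listed password falls below it.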