Calculating Password Entropy



Password entropy is a measurement of how unpredictable a password is.
The formula for entropy is:



E stands for "entropy," which is the opposite of an ordered pattern. Entropy is good: the bigger the E, the harder a password is to crack.

We calculate password entropy by first looking at the pool of characters a password is made from.
For example, the password "password" would have a possible pool of 26 characters from the English alphabet.
Changing the password to "Password" would increase your pool to 52 characters. I made a table below to outline the rest.
 
Type                      Pool of Characters Possible
Lowercase                      26
Lower & Upper Case             52
Alphanumeric                   36
Alphanumeric & Upper Case      62
Common ASCII Characters        30
Diceware Words List         7,776
English Dictionary Words  171,000
 

Password strength is determined with this chart:
< 28 bits = Very Weak; might keep out family members
28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
60 - 127 bits = Strong; can be good for guarding financial information
128+ bits = Very Strong; often overkill

While a password with 40-50 bits of entropy may be semi-safe now, it is only a matter of time until GPUs become more powerful, and password cracking takes less time!


Here is an example:

If your keyboard has 95 unique characters and you are randomly constructing a password from that whole set, then R = 95.
If you have a 12-character password, then L = 12.
The number R to the L power is 540,360,087,662,636,962,890,625 -- which is how many passwords you have.
That's the same as 2^78.9 -- and the log2 of that is 78.9. In info-security lingo, it's 78.9 bits of entropy. That approaches the "exponential wall," where a password could take ages to crack.

1 - 10   Now calculate password entropy for the following passwords:

__________ 1. password
R = 26 since its pool of characters is just the 26 lower case letters and L = 8 (the length)

__________ 2. Password

__________ 3. qwerty

__________ 4. abc123

__________ 5. MrP*MathPage
R = 82 since it uses upper and lower case and ASCII characters

__________ 6. 123456

__________ 7. starwars

__________ 8. baseball

__________ 9. P33e=7a*E6m

__________ 10. Q77a&-2kB4R2

__________ 11. If the password entropy of an eight character password is 34.9 bits,
what is the pool of characters?

__________ 12. If the password entropy of a twelve character password is 55.7 bits,
what is the pool of characters?

Click here for a Password Strength Test Checker

Note that when entering common passwords or passwords with sequential digits or letters or passwords with common words, the entropy will be lower than that calculated with the formula above.
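The calculation from the worked example and the note above, as a short Python program (an added example, not part of the original worksheet). The pool sizes and strength labels come from the table and chart on this page; the function names, the small COMMON list, and the rule that a listed password is worth at most log2(list size) bits are assumptions made for illustration.

```python
import math
import string

# Pool sizes from the page's table; anything else counts as the 30 "common ASCII characters".
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26), (string.digits, 10)]
SYMBOLS = 30
# Constructed sample of well-known passwords (assumption); real guess lists are far longer.
COMMON = {"password", "qwerty", "abc123", "123456", "starwars", "baseball"}

def pool_size(password):
    """R: total size of every character class the password draws from."""
    r = sum(size for chars, size in CLASSES if any(c in chars for c in password))
    known = "".join(chars for chars, _ in CLASSES)
    if any(c not in known for c in password):
        r += SYMBOLS
    return r

def entropy_bits(r, length):
    """E = log2(R^L), computed as L * log2(R) to avoid huge integers."""
    return length * math.log2(r)

def pool_from_entropy(bits, length):
    """Inverse of the formula: R = 2^(E / L)."""
    return 2 ** (bits / length)

def effective_bits(password, common=COMMON):
    """Formula value, capped at log2(list size) when the password is on a guess list."""
    bits = entropy_bits(pool_size(password), len(password))
    if password.lower() in common:
        # An attacker who tries the list first needs at most len(common) guesses.
        bits = min(bits, math.log2(len(common)))
    return bits

def rating(bits):
    """Labels from the page's chart; treating each row as 'up to the next row' is an assumption."""
    for limit, label in ((28, "Very Weak"), (36, "Weak"), (60, "Reasonable"), (128, "Strong")):
        if bits < limit:
            return label
    return "Very Strong"

if __name__ == "__main__":
    e = entropy_bits(95, 12)  # the page's worked example: R = 95, L = 12
    print(f"R=95, L=12 -> {e:.2f} bits ({rating(e)})")
    print(f"pool recovered from that entropy: {pool_from_entropy(e, 12):.0f}")
    for pw in ("Blue*Kettle", "starwars"):  # constructed sample inputs
        print(pw, pool_size(pw), f"{effective_bits(pw):.1f} bits", rating(effective_bits(pw)))
```

The formula assumes every character is chosen at random from the pool, so for a password a person picked it gives an upper bound, which is why the cap for listed passwords matters.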



Send any comments or questions to: David Pleacher