Skip to main content
Back to blog

Is Your Password Secure? The Math Behind Entropy

securitypasswordscryptography

Is Your Password Secure? The Math Behind Entropy

"Use uppercase, lowercase, numbers, and symbols." You've heard this advice a thousand times. But why? And does adding an exclamation point to the end of your password actually make it meaningfully harder to crack? The answer lies in entropy — a concept from information theory that gives us a concrete way to measure password strength.

What entropy means for passwords

In the context of passwords, entropy measures the number of possible passwords an attacker would need to try, expressed as a power of 2. A password with 40 bits of entropy means there are 2^40 (roughly one trillion) possible passwords in its space. A password with 80 bits of entropy means 2^80 possibilities — about a billion trillion times more.

The formula is simple:

Entropy (bits) = length × log₂(charset size)

The charset size is the number of possible characters at each position. If your password only uses lowercase letters, the charset is 26. Add uppercase and it's 52. Add digits and it's 62. Add common symbols (say, 32 of them) and it's 94.

Let's work through an example. The password dolphin is 7 characters, all lowercase:

Entropy = 7 × log₂(26) = 7 × 4.70 = 32.9 bits

That's about 2^33 ≈ 8.6 billion possibilities. Sounds like a lot, but modern hardware can test billions of passwords per second.

Now consider D0lph!n# — 8 characters using uppercase, lowercase, digits, and symbols (charset ≈ 94):

Entropy = 8 × log₂(94) = 8 × 6.55 = 52.4 bits

That's 2^52 ≈ 4.5 quadrillion possibilities. Better, but still crackable with serious hardware and time.

Why length beats complexity

Here's the thing that the "add symbols" advice misses: adding one character to a password increases entropy more than expanding the charset.

Compare:

  • password (8 chars, lowercase only): 8 × 4.70 = 37.6 bits
  • p@ssw0rd (8 chars, full charset): 8 × 6.55 = 52.4 bits
  • passwordpassword (16 chars, lowercase only): 16 × 4.70 = 75.2 bits

The 16-character lowercase password has more entropy than the 8-character "complex" one — by a factor of 2^23 (about 8 million times harder to brute-force). Length wins because each additional character multiplies the search space by the entire charset size, while expanding the charset only adds a logarithmic factor.

This is the mathematical basis for the NIST recommendation (SP 800-63B) that shifted guidance from "require complexity" to "encourage length." A long, memorable passphrase like correct horse battery staple (28 characters of lowercase + spaces) has roughly 28 × log₂(27) ≈ 133 bits of entropy — vastly stronger than P@$$w0rd! at 59 bits.

What "estimated crack time" actually assumes

When a tool tells you a password would take "3 years to crack," it's making specific assumptions about the attack scenario. The three common scenarios are:

Offline fast hash (10 billion guesses/second)

This models an attacker who has stolen a database of password hashes using a weak algorithm like MD5 or SHA-1 (unsalted). Modern GPUs running tools like Hashcat can test on the order of 10 billion MD5 hashes per second. At this rate:

  • 40 bits of entropy: ~110 seconds
  • 50 bits of entropy: ~31 hours
  • 60 bits of entropy: ~3.6 years
  • 80 bits of entropy: ~3.8 million years

Online throttled (100 guesses/second)

This models an attacker trying passwords against a login form that rate-limits attempts. At 100 guesses per second:

  • 40 bits of entropy: ~348 years
  • 30 bits of entropy: ~124 days

Online attacks are much slower, but most services lock accounts or add CAPTCHAs after a handful of failed attempts, making even this scenario generous to the attacker.

Government-grade (1 trillion guesses/second)

This models a state-level adversary with specialized hardware (ASICs, large GPU clusters). At 10^12 guesses per second:

  • 60 bits of entropy: ~13 days
  • 80 bits of entropy: ~38,000 years
  • 100 bits of entropy: ~40 billion years

You can check your own password's entropy and estimated crack times with our password security checker. Everything runs in your browser — the password is never sent anywhere.

The entropy formula has a catch

The formula length × log₂(charset) assumes that every character is chosen uniformly at random from the full charset. Real human-chosen passwords violate this assumption constantly. People pick dictionary words, append predictable numbers, capitalize the first letter, and put the symbol at the end. An attacker who knows these patterns doesn't need to search the full space.

The password Summer2024! uses the full 94-character charset and is 11 characters long, which gives a theoretical entropy of 72 bits. But an attacker running a dictionary attack with common patterns (word + year + symbol) would find it in seconds. The effective entropy is much lower than the theoretical maximum.

This is why password strength estimators worth using — like zxcvbn, developed by Dropbox — analyze the actual structure of your password instead of just counting charset categories. They detect dictionary words, common substitutions (a→@, e→3), keyboard patterns (qwerty, 1234), and date formats, then estimate entropy based on how the password would actually be attacked.

Rainbow tables and why salting defeats them

A rainbow table is a precomputed lookup table that maps common password hashes back to their plaintext. Instead of hashing every candidate password during an attack, the attacker builds the table once and then does instant lookups. Rainbow tables for MD5 and SHA-1 covering all passwords up to 8 characters exist and are freely downloadable.

Salting defeats rainbow tables completely. A salt is a random string appended to the password before hashing: hash(salt + password) instead of hash(password). Each user gets a unique salt, stored alongside the hash. Since the attacker can't precompute tables for every possible salt, they're forced back to brute-force — hashing each candidate password with each user's specific salt.

Modern password hashing algorithms — bcrypt, scrypt, and Argon2 — do more than salting. They're deliberately slow, using thousands of iterations and significant memory to compute a single hash. This makes brute-force attacks orders of magnitude more expensive. Argon2, the winner of the 2015 Password Hashing Competition, is designed to resist both GPU and ASIC acceleration.

If a service is using bcrypt with a cost factor of 12, an attacker might only manage a few thousand guesses per second per GPU, not billions. This dramatically shifts the crack time estimates:

  • 40 bits of entropy with bcrypt (cost 12, ~3,000 guesses/sec): ~11,000 years
  • 40 bits of entropy with unsalted MD5 (10B guesses/sec): ~110 seconds

The hashing algorithm matters as much as the password itself.

Passphrases vs. random strings

A random string like kX9#mQ2$vL is high-entropy but hard to remember. A passphrase like marble foxglove lantern orbit is also high-entropy — each word chosen from a list of, say, 7,776 words (as in Diceware) contributes log₂(7776) ≈ 12.9 bits of entropy. Four words give 51.7 bits; six words give 77.5 bits.

The passphrase advantage: you can actually remember it. The random string advantage: it's shorter, which matters for systems with length limits. For most purposes, a 4-6 word passphrase is the better choice because you'll actually use it without writing it down or pasting it from a notes app.

The best option, though, is a password manager generating unique random passwords for every account. You remember one strong master passphrase; the manager handles everything else. The math doesn't care whether you can remember xK#9qMz$vL2! — it just needs to be long and random.

Practical takeaways

Length over complexity. A 20-character lowercase passphrase beats an 8-character symbol-laden password every time.

Never reuse passwords. Entropy is irrelevant if the password leaked from another site. Credential stuffing attacks — trying leaked username/password pairs on other services — are the most common password attack vector, and no amount of entropy protects you from reuse.

The hash matters. Your 40-bit password is fine if the site uses bcrypt with a high cost factor. It's cracked in seconds if they stored it as unsalted MD5. You can't control this, but you can use a password manager so that a breach on one site doesn't compromise your other accounts.

Check your password's entropy and strength with our password security checker — everything runs locally in your browser, and nothing is ever transmitted.