What Is Entropy?
In information theory, entropy measures unpredictability. A password with high entropy has many possible values — making it hard to guess. A password with low entropy follows patterns that attackers can exploit.
Password entropy is measured in bits. Each bit doubles the number of possible passwords an attacker must try.
The Formula
Entropy (bits) = log₂(charset_size) × password_length
Where charset_size is the number of unique characters the password could use.
| Charset | Size |
| Lowercase only (a–z) | 26 |
| + Uppercase (A–Z) | 52 |
| + Digits (0–9) | 62 |
| + Common symbols | ~94 |
Entropy by Password Type
| Password | Charset | Length | Entropy |
password | 26 (lowercase) | 8 | 37.6 bits |
P@ssw0rd! | 94 | 9 | 59.2 bits |
| Random 12-char mixed | 94 | 12 | 78.9 bits |
| Random 20-char mixed | 94 | 20 | 131.5 bits |
| 6-word passphrase | 7,776 (word list) | 6 words | 77.5 bits |
How Many Bits Do You Actually Need?
This depends on what's attacking you:
- Online attack (web login, rate-limited): 40+ bits is sufficient. Lockouts and rate limits make brute force impractical.
- Offline attack (stolen hash, fast GPU): You need 80+ bits. Modern rigs crack billions of hashes per second.
- Critical accounts (email, banking, password manager): 100+ bits. These are highest-value targets.
Why "Complex" Short Passwords Are Worse Than Long Simple Ones
P@ss1! (6 chars, full charset, 94 symbols): 39.5 bits
correcthorsebatterystaple (25 chars, lowercase only): 117 bitsComplexity requirements that force short "complex" passwords are actively harmful. Length wins.
The Practical Takeaway
- Use a password generator with a full charset (94 characters)
- Set minimum length to 20 characters for managed passwords
- Set minimum length to 6 words for memorized passphrases
- Use the entropy readout in ToolForge's Password Generator to verify — aim for 100+ bits on anything important