There was a time, just a couple of decades ago, when sensitive data about you was pretty hard to find.
Now, of course, we live our lives online, and our sensitive information – and more – is frequently stored by the apps and websites we use. The companies protect that data, in part, by asking us to identify ourselves through passwords when we log in. That means choosing, and remembering, a whole lot of strong, safe passwords. There are lots of rules for creating those passwords, but how do you know whether your password is really tough to crack? Well, there’s an actual measure for that called “password entropy,” that can tell you. Here’s how it works, and how to check a password’s strength for yourself.
What is Password Entropy?
The concept of entropy is borrowed from the world of physics. A German physicist named Rudolf Clausius coined the term in 1850, as a measure of the degree of randomness or uncertainty in a system. Randomness is bad in some contexts, like management decisions or your kitchen cupboards, but in the case of passwords, it’s essential. Randomness is what makes a password hard to guess, by other humans or (more importantly) by computers.
Who's Calling Me?
Search any phone number to learn more about the owner!
So, what affects the randomness, and therefore the degree of entropy, in a system? There are factors that increase a password’s entropy, and others that reduce it. The next few paragraphs are a simplification, perhaps an oversimplification, but they’re enough to give you a working understanding of the principles involved. First, we have factors that increase entropy. Those include:
Password Length
Password length is the biggest single factor that contributes to entropy, and therefore to password strength. Suppose you’re using a 6-letter password, drawn from the lower-case letters from a to z. That gives 230,230 possible combinations (there’s a formula for this, but you can just use an online calculator to see for yourself). Increasing to just 8 letters increases that number to over 1.5 million, and 10 letters takes you to over 5.3 million. Your four-digit bank PIN, on the other hand, yields a trivial 256 possibilities.
The Character Set
That brings us to another main factor, the number of possible characters in use. Your bank PIN uses the numerals from 0 to 9, for a total of 10. The lower-case alphabet gives you 26 possibilities, and the upper-case alphabet adds another 26. The set of special characters that’s usually available to use in passwords adds another 30. That gives us a total of 92 possible characters (10+26+26+30). Now, let’s go back to our calculator.
If you take an 8-character password from just the 10 numerals, there are only 45 possible combinations. If you choose that same 8-character password from all 92 of the available characters, now there are over 93 billion possible combinations! That’s why so many passwords now require you to use uppercase and lowercase letters, numerals, and special characters.
On the opposite side of the ledger, there are factors that reduce password entropy. Unfortunately, they’re exactly the things that make passwords easier for humans to use. Some of the most important include:
Already-Known Passwords
Potential hackers already have a pool of hundreds of millions of known passwords at their disposal. They’re the cumulative total of all the data breaches we’ve seen to date, and you can probably remember lots of headlines about those even if you aren’t a regular reader of this blog. People tend to reuse their passwords across multiple sites, and to make many of the same obvious choices when creating one; that’s why you’ll see lists of “worst” or “most common” passwords every year.
Easily Guessable Words and Phrases
This is almost, but not quite, the same. In addition to those “known-to-be-bad” passwords, we tend to make a lot of choices that are equally easy for hackers to decipher. That includes joining the word “password” itself with the name of the service (resulting in passwords like paypalpassword or spotifypassword), or using combinations of the names of your kids, parents, or pets. Those are specific to you, at least to some extent (you’re probably not the only Jennifer or Jose to be born in the same year, or have a dog named Rex). Any attacker who can see your social media accounts can guess those pretty easily.
How to Calculate Password Entropy
Buckle up, we’ve got math incoming! Don’t worry, there are online password entropy calculators available for this too, but first, we’ll make our former math teachers happy and show our work. Fittingly, we’ll draw on explanations from an award-winning former math teacher.
The equation itself looks like this: E = log2(RL). In this equation E stands for Entropy, L is the length of your password, and R is the range of possible characters to choose from. So the RL in parentheses means your number of characters, to the power of the length of your password, which is the maximum possible number of combinations. The log2 part means (deep breath) “how many 2s you need to multiply to get the number in parentheses.”
Let’s pick an easy example to start with. Suppose your PIN is any 2 of 4 possible numbers. In this case (RL) is 42, or 4×4, which is 16 possible combinations. The log2 value of 16 is 4, because it’s 2x2x2x2 (four 2s). Entropy is measured in “bits,” so the entropy of this particular password is just 4 bits. That’s laughably weak, of course, so let’s look at an 8-letter password drawn from the 26 letters of the lowercase alphabet. Those 26 letters to the 8th power give us 208,827,064,576 total possibilities. The log2 of 208,827,064,576 is 37.6 bits of entropy, which is a big improvement.
Online security vendor Okta suggests aiming for passwords with 60 bits of entropy or better, and our retired math teacher also considers 60 bits or higher to be adequate for banking or other sensitive information. So let’s try again, with a 10-letter password drawing on all 92 of the commonly-available characters. That gives us 43,438,845,422,363,213,824 possibilities, and 65.24 bits of entropy. Bingo!
Real-world Password Entropy Depends on More than Math
Unfortunately, password entropy in any real-world sense depends on more than just the math. In fact, the underlying math is the easy part. Why? Well, let’s suppose the password for your Amazon account was “AmAz0nP@ssword!”. That’s 15 characters, and it includes upper- and lower-case letters, numerals, and a special character. That’s good, right? Sadly it’s not, because – as we’ve already mentioned – it’s made up of easily guessable words, with highly predictable substitutions. It would look solid based on the math, but for practical purposes, its entropy is quite low. Remember, it’s a measure of randomness and unpredictability.
This raises some fine points that aren’t immediately obvious. One is that the math is only straightforward when all of the characters in your password are genuinely random (the kind you’d get if they’re generated by a password management app with a strong algorithm). It works differently if, say, six of those letters form a recognizable word, like Amazon, or even just a dictionary word. Those are easily guessed, and hackers can use what’s called a “dictionary attack” to guess them, so they may actually reduce the security of your password.
So, are you better off using phrases of real words, or a jumble of random characters? The answer is “it depends.” Some random-character generators use well-known algorithms, which generate predictable outcomes that hackers can exploit. Yet, some combinations of words (a passphrase) can be harder for computers to guess than you’d think. That’s why there are so many techniques for creating stronger passwords, some of which (good news!) even make them easier for humans.
How to Check Your Passwords for Strength and Safety
The theories behind those techniques are hard for experts to agree on, let alone for a layperson to grasp. If you’re curious enough to take a quick look at some of the headache-inducing arguments involved, check out this explainer by the creators of one password-entropy calculator, or the debate around a popular XKCD webcomic on the subject of password strength.
Rather than trying to master the underlying logic or technology (which is a graduate-level topic in itself), it’s easier to do a few quick, simple tests.
- Review that list of “most common passwords” we spoke of, and check whether any of your passwords are on it.
- Check whether your passwords include any of the easily guessed words that compromise security: your name, your kids’ names, the name of the site you’re logging into, your favorite sports team, the actual word “password,” and so on.
- Go to a site called “Have I Been Pwned?” and enter in the handful of passwords you normally use, one at a time. This site maintains a database of passwords known to be compromised in various hacks and data breaches.
If your current passwords fail any of those three tests, you should change them immediately (we’ll circle back to this in a moment). If your passwords are good up to this point, pick any three password entropy calculators that come up for you in a search (Spokeo doesn’t endorse or recommend any specific calculator). Enter your current passwords and see how each calculator rates them for entropy. If they’re all rated at 60 bits or higher, great! Otherwise, they may need work.
Why three different calculators? Because, as we mentioned a moment ago, even experts in the field differ on how the various criteria should be applied. Still, if three separate calculators all agree that you have a strong password, you probably do.
Creating High-Entropy Passwords
We’ve written before about techniques you can use to create strong passwords, and if you revisit that article now you’ll see how those suggestions create high levels of entropy. Another option is to pick out a well-respected password-generation app, or a password management app that includes password generation among its features. Whether you prefer to “roll your own” or have the app do it for you, it’s a good idea to run them through an entropy calculator – just to be sure – before you use them.
It’s also a good idea to have unique passwords for every single site or app you use. Unfortunately, that requirement puts an unrealistic strain on even the best memory, so for most of us it’s only practical with a password management app. Pick one which can be used (and synced) across all of your devices, and that has lots of good reviews from independent third-party sources. Once it’s set up, you’ll only ever have one password to remember, and almost anybody can manage that!
Final Thoughts
Passwords will eventually go away, because even the most secure passwords can be compromised through phishing attacks and human error. New ways of securing your accounts will inevitably replace them, and one such technology – passkeys – is already rolling out, with support from tech heavyweights like Google and Apple. Until those improved technologies take over, passwords will remain your accounts’ first line of defense. Mastering the art of the high-entropy password makes them a lot more effective.
And, if that proves too daunting, you should at least use Spokeo and its people search tools to see what information you have put out on your social media accounts (including old ones you may have forgotten) that cybercriminals might be using to guess your passwords.
Fred Decker is a prolific freelance writer based in Atlantic Canada, with articles appearing in print and online since 2007. He writes primarily on technology, personal finance, and food and foodservice, drawing on previous careers in those industries. He was educated at Memorial University of Newfoundland, Nova Scotia Community College, and the Northern Alberta Institute of Technology.
Sources
Britannica: Entropy
Calculator Soup: Combinations Calculator (nCr)
NordPass: Top 200 Most Common Passwords (2023)
Omni Calculator: Password Entropy Calculator
Pleacher.com: Calculating Password Entropy
Okta: Password Entropy: The Value of Unpredictable Passwords
Pleacher.com: Password Entropy
CSOOnline: What Is a Dictionary Attack? And How You can Easily Stop Them
Github/tests-always-included/password-strength: Entropy Score Seems Wrong
“XKCD Explained” Wiki: 936 Password Strength