Entropy: The Measure of Chaos
In cybersecurity, we throw around the word "strong" to describe passwords. But "strong" is vague. A 50-pound weight is strong to a child but light to a bodybuilder. We need a scientific measurement. That measurement is Entropy.
Entropy, in information theory, measures the amount of uncertainty or "surprise" in a piece of data. It is measured in bits. The higher the bits of entropy, the harder it is for an attacker to guess the password.
Calculating Password Entropy
The formula for entropy is:
E = L * log2(R)
Where:
- L is the length of the password (number of characters).
- R is the size of the pool of possible characters (the "search space").
Scenario A: The "Pin Code"
Password: "1234"
Length (L): 4
Pool (R): 10 (digits 0-9)
Entropy: 4 * log2(10) ≈ 13.2 bits
13 bits is incredibly weak. An attacker can guess this instantly.
Scenario B: The "Complex" Short Password
Password: "J4#m"
Length (L): 4
Pool (R): 94 (uppercase + lowercase + numbers + symbols)
Entropy: 4 * log2(94) ≈ 26.2 bits
Even though it looks "complex" with symbols, it is still weak because it is short.
Scenario C: The "Long" Lowercase Password
Password: "correcthorsebatterystaple" (25 chars)
Length (L): 25
Pool (R): 26 (lowercase only)
Entropy: 25 * log2(26) ≈ 117.5 bits
This is massive. Every bit of entropy doubles the difficulty. 117 bits is not just twice as strong as 26 bits; it is 2^91 times stronger. That is a number with 27 zeros.
Why Humans Fail at Entropy
When you ask a human to "pick a random number," they usually pick 7 or 3. When you ask them to create a password, they pick something related to their life (dog's name, birthday, favorite team). This has near-zero entropy because the attacker knows these things too (via social engineering or Facebook).
True entropy must come from a source outside your brain.
- Computer Randomness (CSPRNG): Cryptographically Secure Pseudo-Random Number Generators use atmospheric noise or hardware interrupts to generate noise.
- Physical Randomness: Dice rolls, coin flips, or mouse movements.
A good Password Generator Tool uses the browser's `crypto.getRandomValues()` API to source high-quality entropy. It does not use `Math.random()`, which is predictable.
How Much Entropy Do You Need?
< 28 bits: Very Weak. Crackable instantly.
28 - 35 bits: Weak. Crackable in seconds.
36 - 59 bits: Reasonable. Safe for low-value accounts, crackable by dedicated clusters.
60 - 127 bits: Strong. Safe for banking/email. Uncrackable by standard hardware.
128+ bits: Overkill. Safe against quantum computers (probably).
A standard 12-character password (letters, numbers, symbols) has about 72 bits of entropy. That is the sweet spot for most users.
The "Search Space" Fallacy
Entropy assumes the attacker is brute-forcing randomly. But attackers are smart. If they know your password is "Word1 + Word2 + Number", the search space shrinks drastically.
This is why Diceware (random words) works. If the words are truly random, the attacker has to guess from a list of 7,776 words for each slot.
Entropy of a 5-word Diceware phrase:
5 * log2(7776) ≈ 64.6 bits.
This confirms that 5 random words are roughly as strong as a complex 10-character random string, but infinitely easier to type.
Conclusion
Don't guess your password strength. Calculate it (or let a tool do it). Stop relying on "feeling" secure. Math doesn't care about your feelings; it cares about bits. Use a generator to ensure you are getting the raw mathematical chaos needed to keep the bad guys out.