What Is Password Entropy? (And Why It Matters)

Password entropy is the single most useful concept for understanding password strength. It is a number that measures how *unpredictable* a password is — and unpredictability is exactly what makes a password hard to guess. Once you understand entropy, all the usual advice about length and randomness clicks into place.

What entropy means

In everyday terms, entropy is a measure of uncertainty. A password's entropy estimates how many guesses an attacker would need to find it. It is measured in bits, and each additional bit *doubles* the number of possible passwords. So a password with 40 bits of entropy is twice as hard to guess as one with 39 bits, and a password with 60 bits is over a million times harder than one with 40.

Higher entropy means more unpredictability means more guesses required means a stronger password. That is the whole idea.

How entropy is calculated

For a password drawn randomly from a set of possible characters, entropy depends on two things:

• The size of the character pool (how many different characters could appear).
• The length (how many characters there are).

The formula is: entropy in bits equals the length multiplied by the logarithm (base 2) of the pool size. You do not need to do the math by hand — our password entropy calculator does it for you — but the relationship reveals something important.

Because length multiplies the entropy, adding characters increases strength dramatically. Increasing the character pool (adding symbols and numbers) helps too, but only adds a fixed amount per character. This is the mathematical reason length beats complexity. See how long should a password be.

A crucial catch: randomness

Entropy calculations assume the password is chosen *randomly*. This is the catch that trips people up. If you pick "Password123!" the raw formula might suggest decent entropy, but the *real* entropy is far lower, because that password is predictable — it follows a common pattern attackers test first. Entropy only reflects strength when the choice is genuinely random.

This is why a randomly generated password or passphrase is strong, while a human-chosen one of the same length may be weak. People are predictable; randomness is not. See how hackers crack passwords.

Passphrases and entropy

A passphrase of random words has entropy too: each word contributes roughly the logarithm (base 2) of the wordlist size. A word chosen randomly from a list of about 2,000 words adds around 11 bits. Six such words give roughly 66 bits — strong, and far more memorable than a random character string of equivalent strength. This is why passphrases are such a good deal. See password vs passphrase.

What's a good entropy target?

As rough guidance:

• Below 40 bits: weak; crackable quickly.
• Around 60 bits: reasonable for many accounts.
• 80 bits or more: strong, suitable for important accounts and master passwords.

Aim higher for anything that protects other things, like your master password.

Putting it to use

You do not need to calculate entropy for every password — you need a tool that produces high-entropy passwords automatically. A password manager generates long, random passwords with plenty of entropy, and stores them so you never memorize them. On a Mac, Passlock generates and keeps such passwords offline in the Keychain. Use the secure password generator to create high-entropy passwords, and the password entropy calculator to see the numbers for yourself.

Entropy is the math behind "strong." Maximize it with length and genuine randomness, and you have a password that resists guessing for practical eternity.