A word on password strength
The strength of a password can be measured in entropy or "possibilities to try" (for a brute force attacker).
E = C^L
E is the entropy of the password, C is the number of different characters the password can be made of, and L is the length of the password. The entropy is usually expressed as a logarithm to base two, in Bits (each Bit doubles the possibilities).
S = E * T
S is the time it takes to try all possibilities (on average a password is found after trying half the possibilities), E is the number of possible character combinations (the entropy), and T is the time it takes to try one password. T depends on the hash algorithm used and the hash rate of the attacker's hardware.
For example, take a three-character password with just lower case letters, like "abc".
The number of lower case letters is 26, so a three character password leads to 26 * 26 * 26 = 17 576 (or 14,1 Bits) possibilities to try.
Now take a three character password which also includes upper case letters like "aBc".
The number of possibilities per character doubles to 52, so the three character password leads to 52 * 52 * 52 = 140 608 (or 17,1 Bits) possibilities.
So compared to "abc" we got eight times more entropy in this case.
So what happens if we add one character and still only use lower case letters, like "abcd"?
It's 26^4 = 456 976 (or 18,8 Bits) with a four character password, that's 26 times more entropy compared to only using three lower case characters.
It's easier to get higher entropy by increasing the password length than by adding more different characters or symbols. An attacker could also have watched (or heard) you type the password (paying attention to the use of the shift key, space bar or numeric keypad) and in this way rule out characters that you couldn't possibly have used.
So, to put it mildly: Every web page that forces you to use at least lower/upper case AND a number AND a symbol, BUT only requires a password length of eight characters, is not steering you toward the right measure to gain entropy.
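The formulas above, carried through as an added example (not code from the original page). It also computes how long a lower-case-only password must be to match an eight-character password drawn from all four character classes. The class sizes come from Python's `string` module, and the guess rate in the demo is a constructed assumption.

```python
import math
import string

# Character classes an observer could tell apart while you type.
# Sizes (26/26/10/32) are those of Python's string constants (assumption).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
FULL_CHARSET = sum(len(c) for c in CLASSES.values())  # 94

def observed_charset_size(password):
    """C as a watching attacker would estimate it: only the classes used.
    Characters outside the four classes (e.g. space) are not counted."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))

def entropy_bits(charset_size, length):
    """log2 of E = C^L."""
    if charset_size < 1:
        raise ValueError("password uses no character from a known class")
    return length * math.log2(charset_size)

def seconds_to_exhaust(charset_size, length, seconds_per_guess):
    """S = E * T; on average the password is found after S / 2."""
    return charset_size ** length * seconds_per_guess

def min_length_to_match(charset_size, target_bits):
    """Smallest L for which C^L reaches the target entropy."""
    return math.ceil(target_bits / math.log2(charset_size))

if __name__ == "__main__":
    T = 1e-10  # constructed assumption: 10^10 guesses per second
    for pw in ("abc", "aBc", "abcd"):
        c = observed_charset_size(pw)
        print(f"{pw!r}: C={c}, {entropy_bits(c, len(pw)):.1f} Bits, "
              f"average {seconds_to_exhaust(c, len(pw), T) / 2:.2e} s")
    policy_bits = entropy_bits(FULL_CHARSET, 8)
    print(f"8 characters from all {FULL_CHARSET}: {policy_bits:.1f} Bits")
    print("lower-case length needed to match:",
          min_length_to_match(26, policy_bits))
```
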