Password Entropy
Password entropy is a way to estimate how many guesses an attacker may need if a password was generated randomly from a known set of possibilities. More entropy generally means a harder brute-force target.
How entropy is estimated
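For a random password, a simple estimate is log2(pool size ^ length), which equals length × log2(pool size), where the pool size is the number of characters each position is drawn from. A 20-character password from a large character pool has far more possible combinations than a short word with a number at the end.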
Entropy is not the whole story
Entropy estimates are most useful for random values. Human-made passwords often contain predictable patterns, names, dates, keyboard paths, substitutions, and reused words, so their real-world strength can be much lower than a simple formula suggests.
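The estimate and its caveat, as an added Python example (not code from the original page): it applies the formula to a randomly generated password, then contrasts the naive pool-based figure for a human-style password with a pattern-based figure. The sample password `Summer2024!` and the pattern counts (8 season spellings, 50 years, 32 symbols) are constructed assumptions.

```python
import math
import secrets
import string

# Character classes used to infer the pool size of an existing password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
FULL = "".join(CLASSES)  # 94 printable ASCII characters


def random_entropy_bits(pool_size, length):
    """log2(pool_size ** length), computed as length * log2(pool_size)."""
    if pool_size < 2 or length <= 0:
        return 0.0
    return length * math.log2(pool_size)


def generate(length, alphabet=FULL):
    """Draw each character independently and uniformly with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def naive_estimate_bits(password):
    """Pool-based estimate; only valid if every character was chosen at random."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return random_entropy_bits(pool, len(password))


def pattern_bits(*choices):
    """Entropy of a password built from independent parts, each picked
    uniformly from a known number of options (one count per part)."""
    return sum(math.log2(n) for n in choices)


def length_for(target_bits, pool_size):
    """Shortest random password length that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    print(generate(20), round(random_entropy_bits(len(FULL), 20), 1))
    # Constructed sample: looks like 11 characters from a 94-character pool...
    print(round(naive_estimate_bits("Summer2024!"), 1))
    # ...but as season (4 x 2 capitalisations) + year (50) + symbol (32),
    # all assumed counts, the space is far smaller.
    print(round(pattern_bits(8, 50, 32), 1))
    # Length needed for 80 bits: lowercase only vs. the full 94-character pool.
    print(length_for(80, 26), length_for(80, 94))
```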
Practical takeaway
- Increase length before obsessing over special characters.
- Use random generation instead of personal patterns.
- Keep every important password unique.
- Use multi-factor authentication for high-value accounts.