With Graphics Processing Units (GPUs) becoming faster and more reasonably priced, it’s becoming important to understand what password entropy is and how it is calculated.
Password entropy is defined as a password’s randomness, with regard to how difficult it would be to crack. We calculate password entropy by first looking at the pool of characters a password is made from. For example, the password thisisapassword would have a possible pool of 26 characters from the English alphabet. Changing the password to ThisIsAPassword would increase your pool to 52 characters. I made a table below to outline the rest.
| Type | Pool of Characters Possible |
|---|---|
| Lowercase | 26 |
| Lower & Upper Case | 52 |
| Alphanumeric | 36 |
| Alphanumeric & Upper Case | 62 |
| Common ASCII Characters | 30 |
| Diceware Words List | 7,776 |
| English Dictionary Words | 171,000 |
Entropy is calculated using the formula log2(x), where x is the size of the pool the password’s characters are drawn from. So a password using lowercase characters would be represented as log2(26) ≈ 4.7 bits of entropy per character, and our previous example of thisisapassword would have an entropy value of ~70 bits (4.7 bits × 15 characters), assuming the attacker brute-forces every character. However, there is another way of looking at that password: it is made up of four common English words (this, is, a, password), so an attacker working from a Diceware-style word list only needs log2(7776) × 4 ≈ 51.69 bits, which makes it a much easier password to guess – at the same guessing rate it would only take 15 days instead of 19 millennia!
On a final mathematical note, to calculate the number of possible combinations from your calculated entropy value you would use 2^x, x being the number of bits of entropy. While a password with 40-50 bits of entropy may be semi-safe now, it is only a matter of time until GPUs become more powerful, and password cracking takes less time!
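The calculations above, as an added example (not code from the original post): entropy from pool size and length, the 2^x search space, and the point that the weaker of the two views (per-character brute force vs. word list) is the one that matters. The pool sizes come from the table; the guess rate passed to crack_time_seconds and the assumption that character classes add up (26 + 26 + 10 + the page’s 30 symbols) are mine.

```python
import math
from typing import List, Optional

# Pool sizes from the table on this page.
POOLS = {
    "lowercase": 26,
    "lower_upper": 52,
    "alphanumeric": 36,
    "alphanumeric_upper": 62,
    "common_ascii": 30,
    "diceware_words": 7776,
    "english_dictionary": 171000,
}

def entropy_bits(pool_size: int, symbols: int) -> float:
    # log2(pool) bits per symbol, times the number of symbols drawn.
    return math.log2(pool_size) * symbols

def combinations(bits: float) -> float:
    # Search-space size implied by an entropy value: 2**bits.
    return 2.0 ** bits

def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    # Worst-case exhaustive-search time; the guess rate is an assumed input, not a page figure.
    return combinations(bits) / guesses_per_second

def char_pool_size(password: str) -> int:
    # Infer the per-character pool from the character classes present. Assumption:
    # classes add up (26 lower + 26 upper + 10 digits + the page's 30 "common ASCII" symbols).
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += POOLS["common_ascii"]
    return size

def effective_entropy(password: str, words: Optional[List[str]] = None) -> float:
    # Brute-force view vs. word-list view: the lower value is the one that counts,
    # because an attacker picks the cheaper model. `words` is the split into Diceware words.
    estimates = [entropy_bits(char_pool_size(password), len(password))]
    if words:
        if "".join(words).lower() != password.lower():
            raise ValueError("word split does not reproduce the password")
        estimates.append(entropy_bits(POOLS["diceware_words"], len(words)))
    return min(estimates)
```

For thisisapassword, effective_entropy returns about 70.5 bits with no word split and about 51.7 bits once the four-word split is supplied, matching the two figures in the text.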