With Graphics Processing Units (GPUs) becoming faster and more reasonably priced, it’s becoming important to understand what password entropy is and how it is calculated.

Password entropy is defined as a password’s randomness, with regard to how difficult it would be to crack. We calculate password entropy by first looking at the pool of characters a password is made from. For example, the password *thisisapassword* would have a possible pool of 26 characters from the English alphabet. Changing the password to *ThisIsAPassword* would increase your pool to 52 characters. I made a table below to outline the rest.

| Type | Pool of Characters Possible |
| --- | --- |
| Lowercase | 26 |
| Lower & Upper Case | 52 |
| Alphanumeric | 36 |
| Alphanumeric & Upper Case | 62 |
| Common ASCII Characters | 30 |
| Diceware Words List | 7,776 |
| English Dictionary Words | 171,000 |

Entropy per character is calculated using the formula log2(x), where x is the size of the pool of characters used in the password. So a password using lowercase characters has log2(26) ≈ 4.7 bits of entropy per character, and our previous example of *thisisapassword* would have an entropy value of ~70 bits (4.7 * 15 characters), assuming a brute-force algorithm. However, there is another way of looking at that password: as four words drawn from a word list. Using the Diceware list size from the table, that is log2(7776)*4 ≈ 51.69 bits of entropy, which makes it a much easier password to guess – it would only take 15 days instead of 19 millennia!

On a final mathematical note, to calculate the number of possible combinations from your entropy value, use 2^x, where x is the number of bits of entropy. While a password with 40-50 bits of entropy may be semi-safe now, it is only a matter of time until GPUs become more powerful and password cracking takes less time!
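The two ways of scoring *thisisapassword* can be put side by side in a short strength estimator. This is an added example, not code from the original post: it takes the pool sizes from the table, while the four-word `WORDS` set, the function names and the guess rate of 2.8e9 per second are assumptions made for illustration.

```python
import math
import string

# Pool sizes from the table above; WORDS is a constructed four-entry stand-in
# for a real word list, and GUESSES_PER_SECOND is an assumed attacker speed.
LOWER, UPPER, DIGITS, SYMBOLS, DICEWARE = 26, 26, 10, 30, 7776
WORDS = {"this", "is", "a", "password"}
GUESSES_PER_SECOND = 2.8e9

def char_pool(password):
    """Pool size implied by the character classes present in the password."""
    pool = 0
    pool += LOWER if any(c in string.ascii_lowercase for c in password) else 0
    pool += UPPER if any(c in string.ascii_uppercase for c in password) else 0
    pool += DIGITS if any(c in string.digits for c in password) else 0
    pool += SYMBOLS if any(c in string.punctuation for c in password) else 0
    return pool

def brute_force_bits(password):
    """Length * log2(pool): the character-by-character estimate."""
    pool = char_pool(password)
    return len(password) * math.log2(pool) if pool else 0.0

def min_words(password, words):
    """Fewest list words that concatenate to the password, or None."""
    best = [0] + [None] * len(password)
    for end in range(1, len(password) + 1):
        for start in range(end):
            if best[start] is not None and password[start:end] in words:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[-1]

def effective_bits(password, words=WORDS, list_size=DICEWARE):
    """Lower of the two estimates, since a guesser can try words first.
    Case is ignored in the word model, a simplification."""
    bits = brute_force_bits(password)
    count = min_words(password.lower(), words)
    if count:
        bits = min(bits, count * math.log2(list_size))
    return bits

def days_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Days to try all 2^bits combinations at `rate` guesses per second."""
    return 2 ** bits / rate / 86400

if __name__ == "__main__":
    for pw in ("thisisapassword", "ThisIsAPassword", "xqzvkrtlpwmnhgd"):
        b, e = brute_force_bits(pw), effective_bits(pw)
        print(f"{pw}: {b:.1f} -> {e:.1f} bits, {days_to_exhaust(e):,.0f} days")
```

At the assumed rate the word-based estimate is exhausted in roughly 15 days and the character-based one in roughly 19 millennia, so a password is only as strong as the cheapest model that describes it.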
