How to calculate password entropy.

With Graphics Processing Units (GPUs) becoming faster and more reasonably priced, it’s becoming important to understand what password entropy is and how it is calculated.

Password entropy is defined as a password’s randomness, in regards to how difficult it would be to crack.  We calculate password entropy by first looking at the pool of characters a password is made from. For example, the password thisisapassword would have a possible pool of 26 characters from the English alphabet. Changing the password to ThisIsAPassword would increase your pool to 52 characters. I made a table below to outline the rest.

Type Pool of Characters Possible
Lowercase 26
Lower & Upper Case 52
Alphanumeric 36
Alphanumeric & Upper Case 62
Common ASCII Characters 30
Diceware Words List 7,776
English Dictionary Words 171,000

Entropy is calculated by using the formula log2(x), where x is the pool of characters used in the password. So a password using lowercase characters would be represented as log2(26) ≈ 4.7 bits of entropy per character.  So our previous example of thisisapassword would have an entropy value of ~70 bits (4.7 * 15 characters), assuming a brute-force algorithm. However, there is also another way of looking at that password. We could also think of it as log2(7776)*4 ≈ 51.69 bits of entropy, which makes it a much easier password to guess – it would only take 15 days instead of 19 millennia!

On a final mathematical note, to calculate out the number of possible combinations using your calculated entropy value you would use 2^x, x being the number of bits of entropy. While a password with 40-50 bits of entropy may be semi-safe now, it is only a matter of time until GPUs become more powerful, and password cracking takes less time!

About these ads