
Password Entropy and How Cracking Works

Entropy is a measure of how unpredictable a password is, giving a sense of how hard it is to attack.

What entropy is

Entropy expresses the number of possible passwords on a base-2 logarithmic scale (bits). For example, 40 bits means about a trillion possibilities, and 60 bits about a quintillion.

Entropy is calculated roughly as length × log2(character-pool size), which holds only when every character is chosen uniformly at random from that pool. Increasing the length is the most reliable way to raise entropy.

Brute force vs. dictionary attacks

Brute force tries every possible combination in turn, so the higher the entropy, the more impractically long it takes.

A dictionary attack tries common passwords, dictionary words and leaked lists first, which is why even a very long password falls in an instant if it's a common word or a predictable pattern. Randomness matters as much as length.

Hashes and breaches

Well-built sites store passwords as hashes rather than plain text. But if the hash database leaks, attackers can test guesses offline, at billions per second when a fast hash was used.

In that case, a long, random password makes cracking prohibitively expensive and remains effectively safe even after the breach.

How strong is strong enough

A practical rule of thumb is as follows.

  • Under 28 bits: very weak (cracked instantly)
  • 40–60 bits: fair (unimportant accounts)
  • 60–100 bits: strong (enough for most accounts)
  • Over 100 bits: very strong (long-term security)
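As an added example (not part of this guide), the following Python puts the formula and the rule of thumb above into code: it infers the character pool from the classes present, applies length × log2(pool), and charges a password found on an attacker's list only log2(list size) bits regardless of its length. The wordlist is constructed, the 10 billion guesses/s rate and the "weak" label for the band the guide leaves unnamed (28–40 bits) are assumptions.

```python
import math
import string

# Constructed stand-in for a leaked-password list (assumption, not real data).
COMMON_WORDS = {"password", "letmein", "qwerty", "iloveyou",
                "sunshine", "correcthorsebatterystaple"}

# Character classes used to infer the pool an attacker must brute-force.
_CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
            (string.digits, 10), (string.punctuation, 32)]


def pool_size(password: str) -> int:
    """Pool size implied by the character classes present (e.g. lower+digits = 36)."""
    return sum(n for chars, n in _CLASSES if any(c in chars for c in password))


def random_entropy_bits(password: str) -> float:
    """length x log2(pool); only valid if every character was picked uniformly at random."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def effective_entropy_bits(password: str, wordlist=COMMON_WORDS) -> float:
    """A listed password costs the attacker at most len(wordlist) guesses, whatever its length."""
    if password in wordlist:
        return math.log2(len(wordlist))
    return random_entropy_bits(password)


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected offline cracking time: on average half the keyspace is searched
    (10 billion guesses/s is an assumed rate for a fast, unsalted hash)."""
    return 2 ** bits / 2 / guesses_per_second


def rating(bits: float) -> str:
    """The guide's rule of thumb; the unnamed 28-40 band is labelled 'weak' here (assumption)."""
    if bits < 28:
        return "very weak"
    if bits < 40:
        return "weak"
    if bits <= 60:
        return "fair"
    if bits <= 100:
        return "strong"
    return "very strong"


if __name__ == "__main__":
    for pw in ["password", "correcthorsebatterystaple", "x7K#pL2q", "vqzrnltbmexkwa"]:
        bits = effective_entropy_bits(pw)
        print(f"{pw:28} {bits:6.1f} bits  {rating(bits):11}  ~{crack_seconds(bits):.3g} s")
```

Note that "correcthorsebatterystaple" scores over 117 bits by the formula but under 3 bits once it is on the list, which is the dictionary-attack point made above in numbers.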