entropy

Password Entropy

You can estimate the strength of a password with the following formula, where N is the number of possible characters from which you're drawing your password, and L is the length of the password.

$$E = log_2(N^L)$$

Security is all about trade-offs between the value of whatever you are protecting, and the effort required to defeat the security measures. There are tools available that will allow you to automate cracking a password, whether that's by brute-force, a dictionary-based attack, or a combination of the two.

It's generally desirable to have an entropy value greater than 100. At that point, it will either take an incredibly powerful supercomputer to break the password, or else it will take an inordinate amount of time.

Examples

WEAK EXAMPLE

kwrzuubl

Assuming all lowercase letters, N would be 26, and for an 8-character password, L would be 8.

$$log_2(N^L) \Rightarrow log_2(26^8) \Rightarrow log_2(208,827,064,576) \Rightarrow 37.603518$$

STRONG EXAMPLE

8hYOXgERzBCCC8MkqBip

Assuming all uppercase and lowercase letters, as well as digits 0-9, N would be 62, and for a 20-character password, L would be 20...

$$log_2(N^L) \Rightarrow log_2(62^20) \Rightarrow log_2(704,423,425,546,997,948,163,318,836,497,481,728) \Rightarrow 119.083926$$

INSANELY STRONG

6u?Gs6q9z,3ehqX7g1Og4P8mJ@pd.dmW

Assume all uppercase and lowercase Roman letters, as well as digits 0-9, and the symbols !, #, %, +, :, =, ?, @, ,, and ., then N = 72, and L = 32...

$$log_2(N^L) \Rightarrow log_2(72^32) \Rightarrow log_2(2.7204445974 \cdot 10^{59}) \Rightarrow 197.4376000462$$