Password Entropy Explained: What Password Strength in Bits Really Means

SP
Sreehari Pradeep
July 14, 20267 min read

If you've ever used a password manager or an online password generator, you've probably seen a message like "123 bits of entropy" or "98-bit password." At first glance, these numbers don't mean much. Is 80 bits good? Is 128 bits better? Why do cybersecurity professionals measure password strength in bits instead of giving it a simple rating like Strong or Weak?

The answer lies in a concept called password entropy.

Entropy is one of the most important measurements in cybersecurity because it quantifies how unpredictable a password is. Unlike visual complexity or password policies, entropy is based on mathematics. It tells us how difficult it would be for an attacker to correctly guess a password through brute force.

A password containing 120 bits of entropy isn't simply "twice as strong" as one with 60 bits. Because entropy grows exponentially, the difference is unimaginably larger. Every additional bit doubles the number of possible passwords an attacker must search.

If you're looking to create passwords with high entropy, our Cryptographically Secure Password Generator generates passwords locally in your browser using the Web Crypto API, ensuring every password is created with cryptographically secure randomness and never leaves your device.

Before we calculate entropy, let's first understand what it actually measures.

What Is Password Entropy?

Password entropy is a mathematical measurement of uncertainty or unpredictability.

The more unpredictable a password is, the more possible combinations an attacker must test before discovering the correct one.

Imagine asking someone to guess a number.

If the number is somewhere between 1 and 10, they only have ten possibilities.

If the number is between 1 and 1 trillion, guessing becomes dramatically more difficult because the search space has become much larger.

Passwords work exactly the same way.

The more possible combinations a password could be, the higher its entropy.

Importantly, entropy does not measure whether a password looks complicated. It measures how many equally likely possibilities existed when the password was generated.

For example, these passwords appear very different:

Predictable
Password123!
High-Entropy
X7#rL!9mQ@2v

The second password has significantly higher entropy because every character was chosen independently from a large pool of possibilities. The first password follows familiar words and predictable substitutions that attackers already expect.

Entropy measures how difficult a password is to guess, not how impressive it looks.

Why Is Password Entropy Measured in Bits?

In computing, almost everything is measured using binary digits, or bits.

A single bit can have only two possible values: 0 or 1.

You can think of one bit like flipping a perfectly fair coin—heads or tails. Only two outcomes exist.

Each additional bit doubles the number of possible outcomes.

Entropy Possible Values
1 bit2
2 bits4
4 bits16
8 bits256
16 bits65,536

Notice the pattern. The numbers don't increase by addition—they increase by multiplication.

This exponential growth is why entropy is such a powerful measurement. Even relatively small increases in entropy create dramatically larger search spaces.

When security professionals refer to a password containing 123 bits of entropy, they mean an attacker would theoretically need to search approximately 2¹²³ different possibilities in the worst case. That number is so large it exceeds anything modern computers could realistically brute-force.

How Password Entropy Is Calculated

Now that we understand what entropy measures, the next question is obvious: how do we actually calculate it?

Fortunately, the mathematics behind password entropy is much simpler than it first appears. Every entropy calculation is based on just two factors:

  • Password length — how many characters the password contains
  • Character pool size — how many different characters could have been chosen for each position

The standard formula is:

Entropy = Password Length × log₂(Character Pool Size)

Although the formula contains a logarithm, you don't need to calculate it manually every time. The important part is understanding what each value represents.

Password Length

Length is simply the number of characters in the password. Every additional random character increases the total entropy because it adds another independent choice.

Character Pool Size

The character pool is the total number of characters the generator is allowed to choose from.

Character Set Pool Size
Numbers (0–9)10
Lowercase letters26
Uppercase letters26
Letters + Numbers62
Letters + Numbers + Symbols~70–95 (depending on symbols used)

Our password generator uses a carefully selected pool of 71 printable characters, balancing compatibility with high entropy. The larger the pool, the more possible choices exist for every character.

Real Password Entropy Examples

Let's put the formula into practice.

Example 1: An 8-Digit PIN

A numeric PIN uses only the digits 0–9.

  • Length = 8
  • Pool Size = 10

Entropy: ≈ 26.6 bits

Although eight digits may seem reasonably long, there are only 100 million possible combinations. Modern hardware can search that space very quickly.

Example 2: A 12-Character Lowercase Password

Suppose every character is chosen randomly from the English alphabet.

  • Length = 12
  • Pool = 26

Entropy: ≈ 56.4 bits

This is significantly stronger than an eight-digit PIN because each character has many more possible choices.

Example 3: A Random 16-Character Password

Now consider a password generated from a 71-character pool.

  • Length = 16
  • Pool = 71

Entropy: ≈ 98.4 bits

That represents approximately 2⁹⁸ possible passwords. Even with modern GPU clusters, brute-forcing this search space is considered computationally impractical.

Example 4: A 20-Character Random Password

This is the default recommendation for users who want an extremely strong password.

  • Length = 20
  • Pool = 71

Entropy: ≈ 123 bits

This corresponds to roughly 2¹²³ possible passwords.

That is approximately:

10,600,000,000,000,000,000,000,000,000,000,000,000 possible combinations

That is approximately 10,600,000,000,000,000,000,000,000,000,000,000,000 possible combinations—far more possibilities than the estimated number of atoms in the observable universe (about 10⁸⁰). This comparison illustrates the immense size of a 123-bit search space and why brute-forcing it is considered computationally infeasible.

This is why our Cryptographically Secure Password Generator targets approximately 123 bits of entropy when generating a standard 20-character password.

What Is Considered Good Password Entropy?

Not every account requires military-grade security, but understanding entropy ranges makes it easier to judge password strength.

Entropy Security Level
Below 40 bitsWeak
40–60 bitsFair
60–80 bitsGood
80–100 bitsStrong
100–128 bitsExcellent
Above 128 bitsExceptional

These ranges aren't official standards, but they provide a practical way to compare passwords.

For most online accounts, a password above 80 bits already offers substantial protection when generated randomly. Passwords exceeding 100 bits provide an enormous safety margin against brute-force attacks. Around 123 bits, the search space becomes so vast that exhaustive guessing is considered computationally infeasible with current technology.

Common Misconceptions About Password Entropy

Myth 1: A Complicated-Looking Password Always Has High Entropy

Not necessarily. Entropy depends on how the password was generated, not how unusual it appears. A password created by following predictable human habits can look random while still containing relatively little uncertainty.

Myth 2: Entropy Is the Same as Password Strength

These terms are related but not identical. Password strength often considers factors such as password reuse, known dictionary words, or common patterns. Entropy measures only the mathematical unpredictability of the password itself.

Myth 3: Humans Can Estimate Entropy by Looking

People are surprisingly poor at recognizing randomness. Humans naturally create patterns without realizing it, even when trying to be completely random. This is one reason security professionals recommend using password generators instead of inventing passwords manually.

Myth 4: Entropy Is Just a Marketing Number

Entropy is not a score invented by password managers. It is a mathematical measurement used throughout cryptography to quantify uncertainty. The same principles are used when generating encryption keys, secure tokens, digital certificates, and authentication secrets.

Frequently Asked Questions

What is password entropy?

Password entropy is a mathematical estimate of how unpredictable a password is. Higher entropy means more possible combinations and greater resistance to brute-force attacks.

How many bits of entropy is considered secure?

Most randomly generated passwords above 80 bits are considered very strong. Passwords exceeding 100 bits provide an even larger security margin for long-term use.

Is 128 bits of entropy necessary?

For most personal accounts, no. However, passwords approaching 128 bits are effectively immune to brute-force attacks using current computing technology and provide an excellent future safety margin.

Can I calculate password entropy myself?

Yes. If you know the password length and the size of the character pool used to generate it, you can estimate its entropy using the formula: Entropy = Length × log₂(Pool Size). Many password generators and security tools also calculate entropy automatically.

Does a longer password always have more entropy?

Only if the additional characters are chosen randomly from the same character pool. Entropy measures unpredictability, so randomness remains an essential part of the calculation.

Conclusion

Password entropy provides a mathematical way to measure one of the most important properties of a secure password: unpredictability.

Instead of relying on appearances or arbitrary strength labels, entropy quantifies how many possible passwords an attacker must search before finding the correct one. Every additional random character increases that search space exponentially, making brute-force attacks dramatically more difficult.

A password containing approximately 123 bits of entropy—such as a randomly generated 20-character password from a 71-character pool—represents an astronomical number of possible combinations, far exceeding the number of atoms in the observable universe. Combined with cryptographically secure randomness, this level of entropy provides protection that is considered computationally infeasible to brute-force with today's technology.

Of course, entropy is only part of the story. The quality of the randomness used to generate a password is just as important as the mathematical search space itself. If you're interested in where that randomness comes from and why secure generators use CSPRNGs and rejection sampling instead of ordinary random functions, explore our related security guides.

Or, if you're ready to create a password instead of calculating one, try our Cryptographically Secure Password Generator, which runs entirely in your browser using the Web Crypto API and generates passwords with approximately 123 bits of entropy without sending any data to a server.

🔐

Generate a High-Entropy Password Instantly

Our Cryptographically Secure Password Generator creates passwords with approximately 123 bits of entropy entirely in your browser using the Web Crypto API. No data is ever sent to a server.

Open Password Generator

Related Articles

July 14, 2026

Password Length vs Complexity: The Biggest Password Security Myth

For years, internet users have been taught to add a symbol, include a number, and mix uppercase and lowercase letters. In reality, that advice has created one of the biggest misconceptions in password security. Password length often has a far greater impact on resisting brute-force attacks than adding a few extra symbols.

July 12, 2026

Cryptographically Secure Random Numbers Explained: Why Password Generators Don't Use Math.random()

A cryptographically secure random number generator (CSPRNG) produces unpredictable random values suitable for passwords, encryption keys, authentication tokens, and digital signatures. Unlike JavaScript's Math.random(), a CSPRNG uses high-quality entropy and cryptographic algorithms to resist prediction, making it the standard for modern security applications.

June 18, 2026

How to Remove ChatGPT Formatting Before Copying to Word .

Copying text from ChatGPT into Microsoft Word should be simple, but it often isn't. Instead of clean paragraphs, you may end up with Markdown formatting, bold text, numbered lists, unwanted hyperlinks, extra blank lines, unusual punctuation, or inconsistent spacing.