Entropy (Password)
Password entropy is a mathematical measure of unpredictability, expressed in bits. Higher entropy means a credential is harder to guess or crack by brute force.
Password entropy is a measure of unpredictability or randomness, expressed in bits. A credential with N bits of entropy requires, on average, 2^(N-1) guesses for a brute-force attacker to find it. Entropy depends on the size of the character set used and the length of the credential.
How entropy is calculated
Entropy is calculated using the formula H = L × log₂(N), where L is the password length and N is the character set size. A 12-character password using only lowercase letters (N=26) has 12 × log₂(26) ≈ 56.5 bits of entropy. The same length password using all ASCII printable characters (N=95) has 12 × log₂(95) ≈ 78.7 bits — a significant improvement. PassGeni's Strength Checker calculates entropy in real time and flags credentials that fall below compliance thresholds.
Entropy thresholds by compliance standard
Different compliance frameworks set different minimum entropy requirements. NIST SP 800-63B requires at least 112 bits for federal cryptographic modules. PCI-DSS v4.0 implicitly requires ~78 bits via its 12-character + character diversity mandate. HIPAA guidance implies ~60–80 bits. SOC 2 auditors typically expect 80+ bits for admin accounts. PassGeni's compliance presets enforce these thresholds automatically.
Why character diversity matters more than length alone
Increasing character set size has a compounding effect on entropy. Moving from lowercase only (N=26) to all printable ASCII (N=95) adds log₂(95/26) ≈ 1.87 bits per character. For a 12-character password, that is 22.4 additional bits — equivalent to adding 4–5 characters of length. This is why compliance standards require character diversity alongside minimum length.
Shannon entropy vs. practical entropy
Theoretical entropy assumes uniform random generation. Practical entropy — what actually matters for security — accounts for patterns, dictionary words, keyboard walks, and repeated characters. A 12-character password that contains 'password123!' has high theoretical entropy but near-zero practical entropy due to predictability. PassGeni's DNA Score measures practical entropy by detecting patterns that reduce real-world resistance to attacks.
Frequently asked questions
What is a good entropy score for a password?
For most compliance frameworks, 60–80 bits is the minimum acceptable range. NIST recommends 112+ bits for high-security systems. PassGeni flags anything under 60 bits as non-compliant.
Does length or character set matter more for entropy?
Both contribute multiplicatively. Doubling the character set adds log₂(2)=1 bit per character. Adding one character to a 12-char ASCII password adds ~6.6 bits. In practice, length has a larger absolute impact, but character diversity ensures each additional character contributes maximally.
How does PassGeni calculate entropy?
PassGeni uses Shannon entropy as the base measure: H = L × log₂(N) where N is the effective character set detected in the credential. The DNA Score then applies pattern penalties for repeated characters, dictionary words, keyboard walks, and date patterns.
Is there a difference between entropy and password strength?
Yes. Entropy is a mathematical measure of unpredictability. Strength is a holistic assessment that includes entropy, resistance to dictionary attacks, resistance to pattern attacks, and whether the credential has appeared in breach databases.
Generate a compliant credential.
Free. Client-side. Zero storage.