# Password Entropy

*By Shay Ben Moshe On September 17, 2011 · 22 Comments · In General*

A common and easy way to estimate the strength of a password is its entropy.

The entropy is given by \(H = L \log_2{N}\) where \(L\) is the length of the password and \(N\) is the size of the alphabet, and it is usually measured in bits.

The entropy measures the number of bits it would take to represent every password of length \(L\) under an alphabet with \(N\) different symbols.

For example, a password of 7 lower-case characters (such as: *example*, *polmnni*, etc.) has an entropy of \(H = 7 \log_2{26} \approx 32.9 \text{bits}\).

A password of 10 alpha-numeric characters (such as: *P4ssw0Rd97*, *K5lb42eQa2*) has an entropy of \(H = 10 \log_2{62} \approx 59.54 \text{bits}\).

Entropy makes it easy to compare password strengths, higher entropy means stronger password (in terms of resistance to brute force attacks).

## Phrase based password

An interesting fact is that a password that is usually considered strong, such as *f#Mo1e)*TjC8* (entropy \(H = 12 \log_2{72} \approx 74.04 \text{bits}\)), usually has lower entropy than a password assembled form several words delimited by spaces, such as *carrot ways base split* (entropy \(H = 22 \log_2{27} \approx 104.61 \text{bits}\)).

This fact was demonstrated wonderfully by Randall Munroe in the following picture (although I believe his entropy calculation was different than mine):

## Entropy calculator

I wrote a simple entropy calculator in javascript, you can use it online here:

Password:

Entropy: 0

Calculator source: http://blog.shay.co/files/entropy.js.

### 22 Responses to *Password Entropy*

### Leave a Reply Cancel reply

### Recent Comments

- liggywoth on Password Entropy
- liggywoth on Password Entropy
- Stephen Long on Password Entropy
- PHP Native Array vs. SPL SplFixedArray vs. ‘SPL Arraylist’ | Anthony's Blog on PHP’s native array vs SplFixedArray performance
- Shay Ben Moshe on Password Entropy

### Categories

Interesting to see the actual math behind it. No discussion about passwords would be complete though without a comment that people should NEVER keep their passwords in their computer. That is the worst place to keep them.

People should always use a Password Book. I like, “The 5th Dimension Password Keeper” that I found on Amazon. But whatever book you use, Never, Never, Never use the same password for more than one account.

The picture is using the NIST guidelines for human generated passwords, as they tend to be considerably less random than computer generated ones.

Very interesting article, I changed my passphrases from about 70 bits of entropy to 200

Spicy, are you serious?? 200 bits of entropy?? You use ~25 char pass?? For what reason? A 12-random-char pass is more than enough even if you never change it.

The whole point is that a passphrase like “This is 1 hard-to-guess password.” (207 bits of entropy) is much harder to guess or bruteforce than a 12-random-char password, while being much easier to remember.

“Only hobos take the bus.”, for example. It’s 146 bits of entropy, but I already know I’ll remember it tomorrow, even though I just made it up on the spot.

Compare that to an equally strong random password: “6&@wPLZz((!tUuInWiu*TTa”.

I’ve already forgotten everything past the 3rd character.

The link to your source code is bad

Calculator source: http://shay.co/files/entropy.js.

What the link actually points to:

http://b\log.shay.co/files/entropy.js

(I should mention both are incorrect…

http://shay.co/files/entropy.js doesn’t exist

and

http://b\log.shay.co/files/entropy.js

exists and works if you remove the random \)

Thank you.

I wonder how it happened…

did you try to put passwords from the comics strip to the calculator? first one gives 69 bits (not 28 as indicated in comics) and second 150 (and not 44). what is the reason? are there many different methods to calculate the password entropy? or did i miss something?

Yes, you are correct. I don’t really know which definition was really used in comics, but you can see his calculation.

However, the definition I gave here works, and shows the properties you would want it to have.

The calculator here deals with the entropy of random characters, while Randall’s comic calculates entropy in a different, more real-worldey way.

“password” isn’t all that secure because it’s a well known word. If you had to pick an 8 letter password and got 20 chances at it, you’d probably pick a list of 20 common 8 letter words. This is where the figures used come from – that the 4 random common words each come from a list of 2048 of the most common words (which is probably an underestimation), and that Troubadour probably appears in a list of the 65536 most common words.

Usually for entropy it makes things simpler to underestimate how secure things are, and to assume that the attacker knows the structure of your password.

There’s a good discussion of this at http://tech.dropbox.com/?p=165 with an example that gets similar results to XKCD at http://dl.dropbox.com/u/209/zxcvbn/test/index.html

E=M*c^2 has more entropy than horsebatteyclip or whatever and I memorized that in fifth grade.

Hi, there. While your password does have more entropy on face value, in practice it doesn’t because it’s a human, thought-of password. Human thought-of passwords mean that if you can think of it, so can a cyber-criminal. At worst everyone should use PRNG passwords (pseudo random number generators) and then look up the diceware words; or even better use TRNG (Total Random…) from sources such as Ramdomise.org to ultimately do the same thing. Remember, if you can create it, so can someone else. Randomising effectively eliminates bias (RRNG being superior).

My 1Password master password has over 130 bits of entropy. It was TRNG-generated creating 6 Diceware words that are very easy to remember and is, to intents and purposes, uncrackable.

While there is some truth to that, saying that “if you can think of it someone else can think of it” is a silly thing to say, at least if it’s longer than the password dtanders stated.

If I wrote an entire paragraph as I password that was from my mind originally, I doubt someone could figure that out.

You also seem to be forgetting that computers do not ‘think’. What we are protecting against is not the cyber criminals themselves; a human cyber criminal can be defeated just by choosing something other than “password”. What we are protecting against is the programs that cyber criminals are able to create.

Computers require processing power to break passwords. The longer the password, and the less you’ve based it on paragraphs from popular culture, books you’ve personally read, or explicit examples of passwords, the more secure it is.

The problem is not that it’s a “human thought of password”. The problem is that it was something everybody has memorized in fifth grade.

Also, for both of you.. Did you even read the article you’re responding to? The author states that Munroe is using a different form of entropy calculation.

What you guys did was look at the XKCD comic, type in E=M*c^2 into the calculator and compare those two very, very different results.

In this case, you inaccurately (read: falsely) find that E=M*c^2 has 2 more bits of entropy than the XKCD password because you forget that there though they are both called “bits of entropy”, they’re NOT the same calculation. Its like taking a person who is 6 feet tall and a person who is 122 cm tall and saying the 122 cm guy is 116 “points more tall” when in reality, he’s only 4 feet tall.

What you should’ve done, if you paid attention to the article, was type BOTH passwords into the entropy calculator on this page.

The result:

correcthorsebatterystaple – 131 bits of entropy

E=M*c^2 – 46 bits of entropy

correct horse battery staple (the proper way to spell the password is with spaces) – 148 bits of entropy

correct horse battery staple is over 3x more secure than E=M*c^2

Sorry if that came off a little too strong. I actually made the same mistake the first time I read this article.

Thank you very much for this post. It is the clearest explanation I have found on this subject.

I have one suggestion on how it could be improved, though. Log2 isn’t something I was aware of and I can imagine most of your readers aren’t either. You should mention that it is the binary logarithm and maybe link to the wikipedia page about it:

http://en.wikipedia.org/wiki/Binary_logarithm

Hi there! I just want to give an enormous thumbs up for the good

info you’ve right here on this post. I shall be coming

again to your weblog for more soon.

According to this tool, “qwertyuiop” (51.29 bits) is a better password than “Mkzq!#d@” (48.53 bits).

Indeed, but you should remember that this tool doesn’t take into account popularity of phrases.

Some attacks might apply methods of words popularity and similar methods, and some attacks might use simple brute force, in which case the first password you wrote is in fact better.

If I enter all the same character, for my password, the entropy keeps going up and up. How would you adjust the algorithm to make sure the characters are actually sufficiently random?

Well, I guess you couldn’t have a mathematical algorithm for that. I suppose one could require that there are enough different characters, based on the size.

Your entropy calculation for a passphrase is wrong. It’s

reasonableif you’re using a passphrase but your attacker isn’t aware of (or assuming) this.Your error is the assumption that the passphrase is a collection of letters and whitespace—which would in fact make its length 22 and it’s possible-chars 27—instead of a collection of

words. If I suspect you’re using passphrases based on English words, however, your length is shorter but your possible-entities is larger.For example, if you choose four words at random from the Unix dictionary, your possible-entities is around 236000 while your length is 4. This gives

H = 4 log2 23600 = 71.394, a little over 71 bits of entropy. So if I’m attacking for passphrases, you have to be careful to choose enough words (say around 7, which nets almost 125 bits of entropy) to defeat me.Especiallyif I know your words corpus.Hi Darren M, you are correct. I would like to refer you to the next article: Phrase Based Password Entropy.