Password Entropy

Password entropy measures the strength of a password and is measured as the number of bits that could represent all of the possibilities. An entropy score of less than 25 identifies a poor password, and between 25 and 50 is a weak password. For 50 to 75 we have a reasonable password, and between 75 and 100 is a very good password. Over 100 is an excellent password.

The strength of the password relates to the number of different characters in the character set used, and also to the number of characters in the password. Character sets include:

'abcdefghijklmnopqrstuvwxyz' (lower case)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (upper case)
'0123456789' (numeric)
'!@#$%^&*()' (top level characters)
'~`-_=+[]{}\\|;:\'",.<>?/' (additional characters)

If there are N different characters in our character set, and we have L characters in the password, the entropy (measured in bits) is:

For “123456”, we have a six-character numeric password, with 10 different characters (N=10) in six positions (L=6). For this we get [here]:

For “qwerty” we have six characters, and 26 possible characters in our character set, so we get an improvement [here]:

For “Qwerty” we have six characters, and 52 possible characters for each one [here]:
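The three cases above can be worked through in code. This is an added example, not code from the original article: it assumes the standard formula of L × log2(N) bits, takes N as the combined size of every listed character set the password draws from, and rates the result against the bands given at the top of the page. The function names are hypothetical.

```python
import math

# Character sets as listed on the page.
CHARSETS = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "numeric": "0123456789",
    "top": "!@#$%^&*()",
    "additional": "~`-_=+[]{}\\|;:'\",.<>?/",
}

# Exclusive upper bounds for the page's rating bands (assumption: a score
# that lands exactly on a boundary is placed in the higher band).
BANDS = [(25, "poor"), (50, "weak"), (75, "reasonable"), (100, "very good")]


def charset_size(password):
    """Return N: the combined size of every listed set the password uses."""
    used = set()
    for ch in password:
        name = next((n for n, chars in CHARSETS.items() if ch in chars), None)
        if name is None:
            raise ValueError(f"character {ch!r} is not in any listed set")
        used.add(name)
    return sum(len(CHARSETS[n]) for n in used)


def entropy_bits(password):
    """Return L * log2(N) in bits; an empty password scores zero."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def rating(bits):
    """Map an entropy score in bits to the page's rating bands."""
    for limit, label in BANDS:
        if bits < limit:
            return label
    return "excellent"


if __name__ == "__main__":
    for pw in ("123456", "qwerty", "Qwerty"):  # the page's three examples
        bits = entropy_bits(pw)
        print(f"{pw!r}: N={charset_size(pw)} L={len(pw)} "
              f"{bits:.2f} bits ({rating(bits)})")
```

The score describes the search space for characters chosen uniformly at random; it says nothing about whether a password such as "123456" already appears in a common-password list.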

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
