Understanding Password Entropy: The Math Behind Security
The Concept of Entropy
In information theory, Entropy (measured in bits) represents the total amount of randomness in a secret. It tells us how many guesses, on average, it would take to find the correct answer.
The Formula: E = log₂(R^L)
Don't panic. Here is what it means:
- R (Range): The number of possible characters (e.g., 26 for lowercase, 62 for alphanumeric).
- L (Length): How many characters are in the password.
Notice that Length (L) is an exponent. Increasing the length makes the number explosive.
Case Study: Complexity vs Length
J8#kL2! (7 characters, very complex)Entropy: ~40 bits.
Crack Time: Minutes.
correct-horse-battery-staple (25+ characters, simple words)Entropy: ~100+ bits.
Crack Time: Trillions of years.
Why "Tr0ub4dor&3" is Weak
This famous example (from XKCD) shows a password that looks hard. But it uses common "l33t speak" substitutions (0 for o, 4 for a). Hackers have "dictionaries" that include these. Mathematically, it has very low entropy because it's predictable.
The 12-Character Minimum
We recommend 12 characters as a hard minimum because below that, modern GPUs can brute force efficiently. At 12 characters, even with just lowercase letters, the numbers get big enough to be annoying for hackers. At 16, they become nearly impossible.