How Password Strength Is Measured — Entropy and Crack Time Explained

What Is Password Entropy?

Entropy, in the context of passwords, is a measure of unpredictability expressed in bits. The higher the entropy, the more guesses an attacker needs to crack the password. Each additional bit of entropy doubles the difficulty: 40 bits requires roughly twice as many guesses as 39 bits, and 128 bits requires 2⁸⁸ times more guesses than 40 bits.

The basic entropy formula — borrowed from Claude Shannon's 1948 information theory paper — is:

H = L × log₂(N)

Where H is entropy in bits, L is the length of the password, and N is the size of the character set used. This formula assumes every character is chosen independently and uniformly at random — an assumption that breaks down badly for human-chosen passwords.

Character Set Sizes

The size of the character set directly affects entropy per character:

• Lowercase letters only (a–z): 26 characters, ~4.7 bits per character
• Upper + lowercase (a–z, A–Z): 52 characters, ~5.7 bits per character
• Upper + lower + digits: 62 characters, ~5.95 bits per character
• All printable ASCII: 94 characters, ~6.55 bits per character

The difference between using 62 and 94 characters is less than one bit per character. Doubling the length of a password adds far more security than switching from alphanumeric to symbols. A 12-character alphanumeric password (~71 bits) is stronger than an 8-character full-ASCII password (~52 bits), despite the latter having more "complex" characters.

Crack Time: Turning Entropy Into Seconds

Entropy in bits becomes meaningful when you know how fast an attacker can guess. Cracking speed depends on the hashing algorithm used to store the password:

• MD5 / NTLM (fast hashes): A modern GPU cluster can test over 100 billion guesses per second. At this speed, a 40-bit password falls in under a minute.
• bcrypt (cost factor 10): Around 10,000–30,000 guesses per second per GPU. A 40-bit password takes weeks. An 80-bit password is effectively uncrackable by brute force.
• Argon2id: Even slower than bcrypt when properly configured, making offline cracking more expensive by orders of magnitude.

This is why the hashing algorithm matters as much as password complexity. MD5-hashed passwords from a 2015 data breach can be cracked in bulk today. bcrypt-hashed passwords from the same breach would still resist brute-force attack even with modern hardware.

Why Simple Rule-Based Meters Fail

Traditional password meters check for the presence of uppercase letters, numbers, and symbols, then display a "weak/medium/strong" bar. This approach has a fundamental flaw: it measures character set diversity, not actual unpredictability.

P@ssword1 passes most rule-based meters with a "strong" rating. But it consists of the word "password" with trivial substitutions and an appended number — patterns that every serious cracking tool tests in its first pass. The effective entropy of this password against a dictionary-aware attacker is far lower than the Shannon formula suggests.

Meanwhile, correcthorsebatterystaple might score "medium" on a rule-based meter (no symbols, no uppercase, no numbers) while having genuinely high entropy because it is a long, random-word combination.

The zxcvbn Approach: Pattern-Aware Estimation

In 2012, Dropbox engineer Dan Wheeler published zxcvbn — an open-source password strength estimator that takes a fundamentally different approach. Instead of checking character diversity, zxcvbn models how an attacker would actually attack a password:

• Dictionary matching: is this password or a variant of it in a known wordlist?
• Pattern detection: keyboard walks (qwerty, 12345), date patterns (1990, 0101), repeated characters
• L33t speak substitutions: testing @→a, 3→e, 0→o variants of dictionary words
• Sequence analysis: consecutive characters, repeated substrings

zxcvbn estimates the number of guesses an attacker would need using these strategies, then converts that to crack time estimates at different attacker speeds. This produces far more realistic strength assessments than rule-based meters.

What "Good Enough" Means

Security guidance varies by threat model:

• Online attacks (logging into a website): Modern sites rate-limit login attempts, so even 40–50 bits of entropy makes brute force impractical. The real threat is credential stuffing from breached databases.
• Offline attacks against fast hashes (stolen MD5 database): You need at least 80 bits of entropy to resist modern GPU clusters for a reasonable amount of time. 100+ bits is safer.
• Offline attacks against slow hashes (bcrypt, Argon2id): 60–80 bits is sufficient for most purposes, since each guess is computationally expensive.

As a practical target: a randomly generated 16-character password from a full ASCII set gives roughly 105 bits of entropy — sufficient against any realistic attack scenario today. For long-term secrets like master passwords, 128 bits (about 20 random ASCII characters or a 6-word random passphrase) provides a substantial safety margin against hardware advances.