Security guide
Password Entropy Explained
Understand password entropy, search space, alphabet size, length, and why theoretical bits are only an upper-bound estimate.
Summary
Password entropy is a way to describe the size of the search space an attacker would need to explore. For a uniformly random password, a useful upper-bound formula is:
bits = length × log2(alphabet size)Use the password crack time calculator to compare assumptions.
Alphabet size
Alphabet size is the number of possible characters. Lowercase letters give 26 options. Uppercase plus lowercase gives 52. Adding digits gives 62. Symbols can increase the pool further, but only if the service accepts them and the generator selects them randomly.
Length
Length multiplies the search space. A longer random password usually provides a larger practical improvement than a short password decorated with predictable symbols.
Upper-bound warning
The formula assumes every position is selected uniformly from the alphabet. It does not apply to human phrases, reused passwords, dictionary words, dates, keyboard paths, leaked credentials, or edited output. It also does not model service-side hashing or online rate limits.
Practical recommendations
- Treat entropy as a comparison tool, not a guarantee.
- Prefer randomly generated values.
- Use more length for restricted alphabets.
- Keep every password unique.
- Store results safely.
Detailed guidance
This guide focuses on interpreting password entropy without exaggeration. It is written for readers comparing length, alphabet size, and passphrase word lists, so the practical goal is not to create a dramatic security claim. The goal is to choose a password habit that can survive everyday use: sign-in forms, password managers, mobile keyboards, account recovery, shared devices, and the occasional service with strange validation rules. A secure recommendation is only useful if a real person can follow it consistently.
The safest starting point is randomness plus uniqueness. Randomness means the value is selected from a large space by a cryptographically suitable random source, not invented from a birthday, a pet name, a keyboard pattern, or a favorite quote. Uniqueness means the same password is not used anywhere else. A password that is long but reused can fail quickly after one unrelated breach, while a unique random password limits the damage to the single account where it was used.
For this topic, a practical preset is length multiplied by log2 of the random alphabet size for uniformly random passwords. You can apply that preset with the password strength checker and then store the final value in a trusted password manager. PwdGen generates values locally in the browser with Web Crypto; the generated password is not sent to a PwdGen server. That local design reduces server-side exposure, but it does not protect against every threat. A malicious browser extension, a compromised device, a phishing page, or unsafe clipboard handling can still expose a secret after it is generated.
The most common problems to avoid are applying the simple formula to human-chosen passwords, ignoring reuse, and treating estimates as guarantees. These problems matter because attackers rarely need to brute-force every possible password when human habits give them a shortcut. Credential stuffing, phishing, leaked password lists, and account-recovery abuse are often more realistic than a pure mathematical search. That is why the best advice combines password quality with account-level controls such as MFA, passkeys, recovery-code storage, and regular review of recovery email or phone settings.
Use this checklist when applying the recommendation:
- Use entropy only for random generation.
- Use zxcvbn-style checks for human input.
- Increase length when alphabet restrictions apply.
- Remember that storage hashes affect attack speed.
If a website rejects the ideal setting, do not force the password into a weaker pattern by hand. Adjust one variable at a time. If symbols are rejected, keep uppercase, lowercase, and numbers enabled and increase length. If a maximum length is low, use the largest accepted length and make sure the value is unique. If a password must be read aloud, printed, or typed on a television or router screen, consider excluding confusing characters and increasing the length to compensate for the smaller alphabet.
Finally, remember the boundary of password advice. A strong password is one layer of defense, not a guarantee. It cannot make a phishing page safe, fix malware, or compensate for a service that stores credentials poorly. The useful habit is boring but durable: generate a unique value, store it safely, protect the recovery path, and replace it quickly if you suspect exposure.
A safe next step
After reading this guide, do one small account audit instead of trying to fix everything at once. Pick the account that would cause the most trouble if it were taken over, confirm that its password is unique, and check the recovery email, recovery phone, MFA method, and backup-code storage. If any part of that chain is weak, improve that part before moving to lower-risk accounts. This order keeps the work manageable and protects the accounts that attackers are most likely to use as a stepping stone. For password entropy explained, the best outcome is a repeatable habit: generate locally, store carefully, and avoid reuse.
Frequently asked questions
What is the simple entropy formula?
For uniformly random characters, a common upper-bound formula is length multiplied by log2 of the alphabet size.
Why is entropy only an estimate?
It assumes uniform random selection and does not account for reuse, leaks, human edits, compromised devices, or destination storage.
Do symbols always add more entropy?
Symbols increase alphabet size when selected randomly, but adding length often gives a larger and easier-to-use benefit.