How Strong Is My Password? Password Entropy Explained
Password strength is not just a number of characters. Entropy depends on how the password was chosen and what an attacker already knows.
What entropy tries to measure
In password discussions, entropy is an estimate of uncertainty. If a password is selected uniformly from a known set of equally likely possibilities, entropy can be expressed in bits. Each bit roughly doubles the number of possibilities an attacker must consider.
For a truly random password of length L selected from an alphabet of size N, the idealized entropy is log₂(NL). But this formula assumes every character was chosen independently and randomly. Human-created passwords rarely satisfy that assumption.
Why human patterns reduce strength
A 12-character password such as Summer2026! looks complex, but it follows common patterns: a season, a year, capitalization at the beginning, and a symbol at the end. Attackers test these structures early.
By contrast, a randomly generated 12-character string from a broad alphabet is much less predictable. A multiword passphrase can also be strong when the words are independently selected from a sufficiently large list rather than chosen as a quotation or familiar sentence.
Password and passphrase comparison
| Method | Example type | Main strength | Main risk |
|---|---|---|---|
| Human password | Pattern with substitutions | Easy to remember | Highly predictable |
| Random password | Generated characters | Large search space | Difficult to type and remember |
| Random-word passphrase | Several independent words | Memorable length | Weak if words form a known phrase |
Online and offline guessing are different
Online login attempts are usually rate-limited and may trigger account lockouts or additional verification. Offline guessing is more dangerous because attackers can test guesses against stolen password hashes without contacting the service.
The hashing algorithm and its cost settings matter greatly. A slow password-hashing function increases the cost of each guess. It does not make a predictable password unpredictable, but it can buy valuable resistance.
Why password meters disagree
Some meters count character categories and length. Better tools model common words, keyboard patterns, dates, repetitions, and leaked-password structures. No meter knows exactly how you created the password or what personal information an attacker has.
Treat a strength estimate as guidance, not proof. Never paste a real master password into an unknown online checker.
Practical strength rules
- Use a generator for ordinary website passwords.
- Use a long, privately chosen master passphrase for the one secret you must remember.
- Avoid public quotations and personal facts.
- Do not reuse passwords.
- Enable multi-factor authentication.
- Use a modern password-hashing design when building software.
Summary
Entropy is useful when the selection process is known. Character count alone cannot measure human predictability. Random generation, uniqueness, sufficient length, and slow password hashing provide a more reliable security story than decorative complexity rules.
Try Kardix locally
Generate account-specific login details from your private phrase, optional PIN, and a consistent label. Nothing is saved to a Kardix account.
Open the Kardix generator →