Password Security: Entropy Calculator

What constitutes a strong password?

By the simplest definition, the strength of a password is an indicator of the difficulty of randomly guessing the password. To this end, any service you use should have unique passwords that are long and contain a mix of alphanumeric (numerals and both, capital and lower case letters) as well as special characters. However, have you ever wondered why this is the case? Why do you need to have long passwords? Why should they contain letters, numbers and special characters?

   For starters, let’s consider a password that is limited to 4 numeric characters (0-9). This would be akin to the 4-digit pass-codes that are used to secure access to smartphones and tablets. In this case, someone trying to guess your password has 10,000 possible options (0000 to 9999). Therefore, with a reasonably fast system that can generate 2 billion guesses in a second, our 4-digit password can be compromised in 5 microseconds (5 millionth of a second)!

   So, how can we make our hypothetical password more secure? As an initial step, we can change it to include letters as well as numbers. If we make use of both capital and lowercase letters, then our 4-character password has a wider search space (0-9, A-Z and a-z). This means that to correctly guess our password, an attacker now has to negotiate a pool of 14,776,336 possibilities. Once again, a reasonably fast system that can generate 2 billion guesses a second will be able to guess this password in 7.4 milliseconds (1.4 thousandths of a second). While this is still a very short time, by simply increasing the search space an attacker has to traverse, we have improved our password’s strength by a factor of 1478.

   We could further improve our password by including symbols in addition to alphanumeric characters. If we include the 32 symbols on a standard keyboard, our 4-character password would have a search space of 78,074,896 possible combinations. In turn, this would correspond to our attacker being able to guess this password in 39 milliseconds, a 5.3-fold improvement of the scenario where only alphanumeric characters were allowed. Further improvements to our password would be to increase its length. In this case, a 5-character password consisting of alphanumeric characters and symbols would have a search space of 7,339,040,224 and could be guessed in 3.7 seconds. Therefore, by allowing 1 extra character, we have improved our password’s strength by a factor of 94!


See how long it takes to guess passwords of varying lengths and types

Password Length:   characters

Types of characters in the password:

Numbers (0-9):   

Uppercase Characters (A-Z):   

Lowercase Characters (a-z):   

Symbols & Special Characters (*, &, etc.):   

Space (‘ ‘):