Password entropy measures password strength and tells you how well your passwords protect your
accounts from hacking attempts. Learn all about password entropy, why it is important, and how
you can calculate it.
Password entropy is the measure of password strength — how effective the password is against
hackers. The more complex and unpredictable your password is, the more difficult it is for an
attacker to guess or crack it.
The best way to protect your account is to use a long and intricate password that takes ages to
crack. The number of attempts an attacker would need to guess your password is a good measure of
password strength. Password entropy expresses that number on a logarithmic scale, in bits: a
password with E bits of entropy is one of 2^E equally likely possibilities, so each additional bit
doubles the attacker's work.
Password entropy is important because it measures how random and unpredictable a password is: the
greater the entropy, the more guesses an attacker needs, and the better the password holds up
against guessing attacks. Entropy says nothing about attacks that bypass guessing altogether, such
as phishing or a breached database that stored passwords in the clear, so it is one part of
password security rather than the whole of it.
One of the most common attacks is a brute force attack, in which cybercriminals try every possible
character combination until they hit your password. Often they start with dictionaries of common
passwords (like “qwerty” or “123456”) and ordinary words with predictable variations, and run them
against password-protected computers, accounts, and networks; this strategy is better known as a
dictionary attack.
Low entropy passwords are also the first to fall when a breached database of password hashes is
cracked offline, and if you reuse them across accounts, the recovered username-password pairs feed
credential stuffing attacks. In these attacks, criminals replay previously stolen credentials
against other services to gain unauthorized access to accounts and digital systems. Entropy offers
no protection here once the password itself is known: a reused 128-bit password is just as exposed
as a reused 20-bit one.
Sometimes hackers leak these lists of compromised passwords on the Dark Web. You can use
specialized tools like NordVPN’s Dark Web Monitor to check whether your credentials have been
exposed online and to be notified if they are.
High entropy passwords are also less susceptible to other password-cracking techniques, such as
rainbow table attacks, in which criminals use precomputed tables of hashes to recover passwords
from a stolen hash database. A table can only cover a bounded keyspace, so a long, random password
is unlikely to appear in one, making it more difficult for hackers to determine the original
password from its hash. (Properly salted hashes defeat rainbow tables regardless of entropy, but
you rarely know how a service stores your password, so do not count on it.) But how do you know if
your password’s entropy is high?
You can calculate password entropy using the formula E = log2(R^L), which is the same as
E = L × log2(R). It tells you, in bits, how many guesses an attacker would need to cover every
possible combination of symbols: 2^E combinations in total. The elements of the formula are as
follows: E is the entropy in bits; R is the size of the pool of symbols each character is drawn
from (26 for letters of one case, 52 for mixed case, 62 with digits added, 95 with the printable
ASCII special characters as well); L is the length of the password in characters; and log2
converts the number of combinations to bits. The formula assumes every character is chosen
uniformly at random from the pool, so for a password a human made up it is an upper bound.
Passwords of eight or fewer letters in a single case are too weak to protect your accounts: eight
lower-case letters give 26^8, about 200 billion, combinations, or roughly 38 bits, which commodity
GPU hardware can exhaust in minutes against a fast hash. Passwords in this range, below about 36
bits, count as weak. Incorporating numbers and special symbols increases the pool R and, with it,
the entropy contributed by every character, though adding length raises the entropy faster.
If a password’s entropy is 64 bits, there are 2^64 (about 18 quintillion) possible combinations
that an attacker would have to work through to be sure of finding it. Reaching 64 bits with the
full printable ASCII pool (R = 95, about 6.57 bits per character) takes ten random characters
mixing upper- and lower-case letters, numbers, and special symbols; six such characters give only
about 39 bits. Checking all 2^64 combinations takes an enormous amount of time, which makes such a
password strong enough to withstand brute force attacks.
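The Python script below is an added worked example and is not part of the original article. It implements E = L × log2(R) with the pool sizes described above (26, 52, 62 and 95, where the 95-character pool is printable ASCII including the space), detects which character classes a password uses, works out how many characters a given pool needs to reach a target number of bits (ten for 64 bits from the 95-character pool), and estimates cracking time at an assumed guess rate. The pool definitions, the grading thresholds and the guess rate are assumptions made for the example.

```python
import math
import string

# Assumed character pools for the example: printable ASCII, where the symbol
# class is string.punctuation plus the space, so the full pool is
# 26 + 26 + 10 + 33 = 95 characters (log2(95) is about 6.57 bits per character).
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",
}

# Grading bands taken from the article's text: below 36 bits weak,
# 36 to 59 moderate, 60 and above strong.
GRADES = ((36, "weak"), (60, "moderate"), (float("inf"), "strong"))


def pool_size(password: str) -> int:
    """R: total size of every character class the password draws from.
    Characters outside the four classes (e.g. non-ASCII) each add 1."""
    r = 0
    covered = set()
    for chars in POOLS.values():
        if any(c in chars for c in password):
            r += len(chars)
            covered.update(chars)
    r += len({c for c in password if c not in covered})
    return r


def entropy_bits(password: str) -> float:
    """E = log2(R^L) = L * log2(R), assuming each character is chosen
    uniformly at random from the pool (an upper bound for human-chosen ones)."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def chars_needed(target_bits: float, r: int) -> int:
    """Smallest length L with L * log2(R) >= target_bits."""
    return math.ceil(target_bits / math.log2(r))


def seconds_to_crack(bits: float, guesses_per_second: float, expected: bool = True) -> float:
    """Seconds to exhaust 2^bits guesses at the given rate. With expected=True
    the average case is returned (half the keyspace), because the right guess
    turns up on average halfway through an exhaustive search."""
    guesses = 2.0 ** bits
    if expected:
        guesses /= 2
    return guesses / guesses_per_second


def grade(bits: float) -> str:
    """Map an entropy value to the weak / moderate / strong bands."""
    for upper, label in GRADES:
        if bits < upper:
            return label
    return GRADES[-1][1]


if __name__ == "__main__":
    # RATE is an assumption for the example. A single modern GPU exceeds 1e11
    # guesses per second against a fast unsalted hash such as NTLM or MD5,
    # while a slow KDF (bcrypt, Argon2) cuts the rate by several orders of magnitude.
    RATE = 1e10
    for pw in ["abcdefgh", "Passw0rd", "Tr0ub4dor&3", "xq7#Lz9!Vb"]:
        bits = entropy_bits(pw)
        years = seconds_to_crack(bits, RATE) / (365.25 * 24 * 3600)
        print(f"{pw:14} R={pool_size(pw):3} E={bits:6.1f} bits {grade(bits):9} ~{years:.2g} years")
    for r in (26, 62, 95):
        print(f"R={r}: {chars_needed(64, r)} chars for 64 bits, {chars_needed(128, r)} for 128 bits")
```

Running it shows the scaling the article describes: eight lower-case letters come out at about 38 bits, the same eight characters drawn from all four classes at about 53 bits, and the 95-character pool needs ten characters for 64 bits and twenty for 128 bits. Change RATE to see how much the storage hash, not the password alone, decides the cracking time.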
To create a high-entropy password, use at least ten characters that mix lower-case and upper-case
letters, numbers, and special symbols, and pick them at random rather than by hand; longer is
better. Don’t use dictionary words like “password” or popular phrases like “admin_password,” not
even variations such as “passw0rd” or “p@ssword,” because cracking tools apply exactly these
substitutions as rules. Avoid sequential letters and numbers like “123456” and “asdfgh.” And never
incorporate personal details into a password because attackers can gather that information from
your social media or public records.
Of course, coming up with long and complex passwords, let alone remembering and renewing them
regularly, might prove difficult, but that’s where a secure password manager comes in handy. It
generates random passwords, stores all your digital credentials, and fills them in automatically
when you log in to your accounts.
Passwords should have at least 60 bits of entropy to be strong enough to protect your accounts.
Depending on the bits of entropy, passwords are commonly graded from very weak to very strong.
The more bits of entropy a password has, the less crackable it is. Passwords of 35 bits or fewer
are weak and would be powerless against sophisticated attacks, passwords of 36 to 59 bits are
moderately strong at best, and 60 bits or more gives a reasonable level of security.
Typically, 64-bit passwords are strong enough to protect sensitive accounts and will not succumb
to a brute force attack in practice, provided the service stores them with a slow, salted hashing
function; against a fast unsalted hash such as MD5 or NTLM, 2^64 guesses is expensive for an
attacker but not out of reach for one with a large GPU budget. If you want to take your account
security to the next level, go for a 128+ bit password, which requires an astronomical number of
guesses and cannot be brute-forced with any foreseeable amount of computing power.
A longer password, of at least ten characters, that contains uppercase letters, lowercase
letters, numbers, and special characters chosen at random is a high-entropy password and is
practically impossible to guess or crack; eight such characters give only about 53 bits, which
falls short of the 60-bit mark. If your password entropy is at the lower end of the spectrum (less
than 64 bits), you should develop a more complex password by following our tips on strong
passwords.
However, never rely solely on password entropy. Several passwords can be of the same length and
complexity, with one much weaker than the rest, because the formula assumes the characters were
chosen at random. A password that has already appeared in a leak, or that follows a popular
pattern, is one of the first candidates a cracking tool tries, however many bits the formula
assigns to it. Cybercriminals leak lists of cracked passwords online to be used in targeted
attacks, and once a password is on such a list it is compromised and weak even if it is complex,
so you should never use it. You can use an online password leak checking tool to see whether your
credentials have been compromised and take action if they have: create new, stronger passwords.
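The Python script below is an added example (not from the original article) that ties together the earlier advice against dictionary words and leetspeak variants and the point made here that the formula overstates the strength of a leaked or predictable password. It computes the textbook E = L × log2(R) and then caps it by what a realistic attacker actually needs: a password already on a frequency-ranked leak list falls on guess number rank, and a mangled dictionary word falls within dictionary size times number of mangling rules. The leak list, the mini-dictionary, the rule count and the leetspeak map are constructed stand-ins for the example.

```python
import math
import string

# Constructed stand-in for a leaked-password list ordered by frequency, most
# common first (a real breach corpus has millions of entries). Not data from
# the article.
LEAKED_BY_RANK = ["123456", "password", "qwerty", "admin_password",
                  "passw0rd", "p@ssword", "P@ssw0rd!", "Summer2023!"]
LEAK_RANK = {p.lower(): rank for rank, p in enumerate(LEAKED_BY_RANK, start=1)}

# Constructed mini-dictionary; a real cracking wordlist has 10^5 to 10^8 words.
DICTIONARY = {"summer", "winter", "dragon", "monkey", "welcome", "password"}
# Assumed number of mangling rules (case changes, leet, appended years and
# symbols) an attacker applies to each dictionary word.
MANGLING_RULES = 1000

# Leetspeak substitutions a cracking rule set undoes, so they add no entropy.
LEET = str.maketrans("@$!013457", "asioleast")
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")


def formula_bits(pw: str) -> float:
    """E = L * log2(R): the textbook value, treating every character as random."""
    if not pw:
        return 0.0
    r = sum(len(pool) for pool in POOLS if any(c in pool for c in pw))
    return len(pw) * math.log2(r)


def normalize(pw: str) -> str:
    """Undo the common mangling: lower-case, strip trailing digits and symbols
    (years, '!'), then reverse leet substitutions."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def effective_bits(pw: str) -> float:
    """log2 of the guesses a realistic attacker needs, never above the formula value."""
    formula = formula_bits(pw)
    rank = LEAK_RANK.get(pw.lower())
    if rank is not None:
        # Already public: replaying the leak list hits it on guess number `rank`.
        return min(formula, math.log2(rank))
    if normalize(pw) in DICTIONARY:
        # Dictionary word plus mangling: at most |D| * rules guesses.
        return min(formula, math.log2(len(DICTIONARY) * MANGLING_RULES))
    return formula


def report(pw: str) -> tuple:
    """(formula bits, effective bits), both rounded to one decimal."""
    return round(formula_bits(pw), 1), round(effective_bits(pw), 1)


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd!", "Winter2024!", "xq7#Lz9!Vb"]:
        f, e = report(pw)
        print(f"{pw:12} formula {f:5.1f} bits   effective {e:5.1f} bits")
```

“P@ssw0rd!” and “xq7#Lz9!Vb” are both nine-to-ten characters from the full pool and score 59 and 66 formula bits respectively, yet the first is found on the seventh guess because it is on the leak list, and “Winter2024!” drops from 72 formula bits to about 12.6 because it is a dictionary word with a year and a symbol appended. Only the random one keeps its formula value, which is the article's point: entropy is an upper bound that holds only when the password was actually chosen at random.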
The post Password entropy: Definition and formula first appeared on NordVPN.