Shannon entropy and password strength
Most password advice focuses on mixing uppercase, lowercase, numbers, and symbols, but this misses the real measure of password strength: entropy, the amount of randomness measured in bits. Understanding Shannon entropy helps you create passwords that genuinely resist attacks, often by doing the opposite of conventional wisdom.
What is Shannon entropy?
Shannon entropy, named after mathematician Claude Shannon, quantifies the unpredictability in a message. For passwords, it measures how many bits of information are packed into your password. The more bits, the more possible combinations an attacker must try to guess it. A password with 64 bits of entropy is astronomically harder to crack than one with 32 bits, even if the latter looks more complex.
How entropy is calculated
Entropy is calculated as log2(possible_outcomes), where possible_outcomes is the total number of unique passwords someone could generate using your method. A password drawn from an alphabet of 94 characters (lowercase, uppercase, digits, and symbols) and 8 characters long has entropy of roughly 52 bits. Each additional character adds roughly 6.5 bits when drawing from that 94-character set.
Entropy grows logarithmically with alphabet size but linearly with length. This matters: expanding your alphabet from 26 to 52 characters doubles entropy, but adding one character to length adds entropy proportionally every time. This is why length is the most powerful lever for password strength.
Why length beats symbols
A twelve-character password using only lowercase letters has more entropy than an eight-character password using lowercase, uppercase, digits, and symbols. The math is simple: each extra character at length 12 multiplies your possibilities by 26. At length 8, adding symbol support only multiplies by roughly 2. Longer is stronger.
A memorable passphrase like "moonlit jungle elephants swimming" (lowercase only, 30 characters, drawn from roughly 170,000 common English words) contains around 68 bits of entropy. A random-looking password like "Kx7@mQ2p" (8 characters, 94-character alphabet) has only 52 bits, yet the passphrase is easier to type and remember.
Reaching 80 bits of entropy
Security specialists recommend 80 bits of entropy for passwords protecting sensitive accounts. Here are concrete paths to 80 bits:
- Using lowercase and digits (36-character alphabet): 13 characters. Example: moonlitjungle42elephant9swim
- Using lowercase, uppercase, digits, and symbols (94-character alphabet): 12 characters.
- Using a word list of 10,000 words: 4 words. Example: jungle-elephant-moonlit-swim
- Using a word list of 7,776 words (diceware standard): 5 words.
The word-based approaches win on memorability and are no less secure mathematically.
Diceware: the proven method
The diceware method creates high-entropy passphrases using physical dice and a word list. Roll five dice, look up the resulting five-digit number in the diceware dictionary, write down the word. Repeat 5 times for a 65-bit passphrase; repeat 6 times for 78 bits; 7 times for 91 bits. The passphrases are memorable, easy to type, and genuinely random in a way humans cannot achieve by trying to be creative.
Test your password's entropy
Use a password strength checker to measure the entropy of any password in bits. Create a test password with a random password generator and see how many bits it contains. Try different lengths and alphabets to build intuition. A Shannon entropy calculator shows you the math: input any text and it displays the bits of entropy contained within.
Privacy: tools run locally, not on a server
Every tool on TextArray runs entirely inside your browser. Your password is never sent to a server, never logged, never stored anywhere except your own device. The entropy calculation happens locally. You can disconnect from the internet and still generate passwords and measure their strength. This local-only approach means your passwords are yours alone, and no trace of them reaches a third-party server.