How Strong is Your Password? Understanding Password Entropy

· 4 min read

We have all seen password strength meters — a bar that goes from red to green as you type. But what actually makes a password strong? The answer lies in a concept called entropy, and understanding it will change how you think about passwords forever.

What is password entropy?

Entropy measures randomness — how unpredictable a password is to an attacker. It is measured in bits. Each additional bit of entropy doubles the number of guesses needed to crack the password. A password with 40 bits of entropy requires up to 240 (about 1 trillion) guesses. One with 80 bits requires 280 guesses — a number so large it is practically impossible to brute-force with current technology.

The formula for entropy is:

Entropy = log2(N^L)

            Where:
              N = size of the character set (e.g., 26 for lowercase only)
              L = password length

For example, an 8-character password using only lowercase letters has 268 possible combinations, giving about 38 bits of entropy. An 8-character password using uppercase, lowercase, digits, and symbols (a character set of ~95) has 958 combinations — about 53 bits of entropy.

Length beats complexity — here is the math

People often believe that adding a few symbols makes a password strong. It helps, but not as much as making it longer. Compare:

  • 8 characters, mixed case + digits + symbols (95 chars): 958 = ~6.6 quadrillion combinations = ~53 bits of entropy
  • 16 characters, lowercase only (26 chars): 2616 = ~4.4 × 1022 combinations = ~75 bits of entropy

A 16-character all-lowercase password is billions of times stronger than a short, complex one. This is why modern guidelines from NIST and organizations like the EFF recommend long passphrases — a string of random words like correct-horse-battery-staple is both easier to remember and harder to crack than P@ssw0rd!.

A good rule of thumb: for online accounts, aim for at least 60 bits of entropy. For password managers and encryption keys, target 80+ bits.

Why a random generator matters

Humans are terrible at generating randomness. We gravitate toward patterns, keyboard walks (like qwerty), dictionary words, and personal references (birthdays, pet names). Attackers know this and optimize their cracking tools accordingly. A password that feels random to you may be predictable to a computer.

The ToolBox Password Generator solves this by using crypto.getRandomValues() — the browser's built-in cryptographic random number generator. This is the same RNG used by TLS/SSL for secure connections. Every character is selected using true hardware-level entropy, not a predictable pseudo-random algorithm.

How to use the password generator

  1. Set the length. Open the Password Generator and choose a length. For most accounts, 16-20 characters is a good balance of security and usability. For critical accounts (email, banking, password manager master password), go with 24+ characters.
  2. Choose character sets. Select which types of characters to include: uppercase (A-Z), lowercase (a-z), digits (0-9), and symbols (!@#$...). Including all four sets maximizes your entropy per character.
  3. Generate and copy. Click Generate to produce a password. The strength indicator shows how many bits of entropy it has. Click Copy to copy it to your clipboard.

Practical password tips

  • Use a password manager. It is humanly impossible to remember unique, strong passwords for every account. Let a password manager do it. You only need to remember one strong master password.
  • Never reuse passwords. A breach at one service should not compromise all your other accounts.
  • Enable two-factor authentication (2FA). A strong password plus a second factor (authenticator app, hardware key) is vastly more secure than either alone.
  • Do not share passwords via email or messaging apps. Use a password manager's sharing feature or a one-time secret tool instead.

Generate your first truly random password with the Password Generator — no server, no logs, 100% client-side.

← Back to all posts