The Entropy Formula

Password entropy is calculated as: bits = log2(C^L) = L × log2(C), where C is the character set size and L is the password length. The formula assumes every character is chosen independently and uniformly at random. A 12-character password using 94 printable ASCII characters has roughly 79 bits of entropy. Each additional character from a 94-character set adds about 6.5 bits. Each additional bit doubles the guessing work for an attacker.

How Many Bits Do You Actually Need?

As of 2025, 60 bits of entropy is the minimum considered secure for non-critical accounts, while 80+ bits is recommended for sensitive accounts like banking or email. A 12-character truly random alphanumeric password hits about 71 bits. A 16-character password with full ASCII reaches about 105 bits — sufficient for essentially any current threat.

The Problem with Entropy Meters

Many password strength meters are misleading. They check for length and character types but can't verify true randomness. 'P@ssword123!' scores well on most meters despite being extremely weak because the pattern is common and well-known to attackers. Entropy only truly measures security when the password is genuinely random.

Practical Entropy Targets

For general accounts, target 70+ bits of entropy using a random generator. For master passwords or encryption keys, target 100+ bits. These translate to roughly 12 and 17 characters respectively when using a full ASCII character set. A good password generator will display the entropy of each generated password.
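
The formula and targets above, together with the meter problem described under "The Problem with Entropy Meters", as an added Python example (not from the original article or any particular generator): it derives the minimum length for a target entropy, generates the password with the operating system's CSPRNG, and computes a composition-only score for 'P@ssword123!'. The function names and the four-class meter model are assumptions made for illustration.

```python
import math
import secrets
import string

# Character sets discussed in the article.
ALPHANUMERIC = string.ascii_letters + string.digits    # 62 symbols
PRINTABLE_ASCII = ALPHANUMERIC + string.punctuation    # 94 symbols


def entropy_bits(length: int, charset_size: int) -> float:
    """bits = log2(C^L) = L * log2(C); valid only for uniformly random choices."""
    return length * math.log2(charset_size)


def min_length(target_bits: float, charset_size: int) -> int:
    """Smallest L such that L * log2(C) >= target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def generate(target_bits: float, charset: str = PRINTABLE_ASCII) -> tuple:
    """Return (password, bits) meeting target_bits, drawn from the OS CSPRNG."""
    symbols = sorted(set(charset))  # duplicate symbols would overstate C
    length = min_length(target_bits, len(symbols))
    password = "".join(secrets.choice(symbols) for _ in range(length))
    return password, entropy_bits(length, len(symbols))


def naive_meter_bits(password: str) -> float:
    """Hypothetical composition-only meter (an assumption, not a real product):
    infers C from the character classes present and treats every character
    as if it had been chosen at random."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return entropy_bits(len(password), size)


if __name__ == "__main__":
    for target in (70, 80, 100):
        pw, bits = generate(target)
        print(f"target {target:>3} bits -> {len(pw)} chars, {bits:.1f} bits: {pw}")
    # The formula cannot tell a well-known pattern from a random string.
    score = naive_meter_bits("P@ssword123!")
    print(f"composition-only score for 'P@ssword123!': {score:.1f} bits")
```

Over 94 symbols the computed minimums for 70 and 100 bits are 11 and 16 characters, so the article's 12 and 17 carry one character of margin. The composition-only score for 'P@ssword123!' is about 78.7 bits, identical to that of a random 12-character string, which is why the number is only meaningful for generated passwords.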

Key Takeaway

Entropy is the most honest measure of password security. Use a random generator that reports entropy, and aim for at least 80 bits for any account that matters.