How strong is your password? NIST has some formulas

Entropy is a measure of disorder within a system. It’s what happens when you drop a glass of water on the floor, and a coherent system for containing liquid becomes a random assortment of shards in a puddle.

Physicists say the universe is moving inexorably toward entropy. Scientists at the National Institute of Standards and Technology’s Computer Security Division can help you speed the process a little by adding entropy to your computer passwords.

In IT security, entropy refers to the degree of randomness of characters making up a password or personal identification number. It is used to determine the amount of effort needed to guess them.

The E-Authentication Initiative requires that there be no more than one chance in 1,024 that a password or PIN used for accessing a system at assurance Level 1 will be guessed over its lifetime. For assurance Level 2, the requirement is one chance in 16,384. These probabilities are figured using the entropy of a password, usually expressed in bits, and the policies governing password use on the system.

NIST Special Publication 800-63, Electronic Authentication Guideline, includes guides for estimating password strength.

Entropy varies greatly depending on whether a password is selected by a user or is generated randomly. Statistically, guessing the first character of a password selected by a user is tough, but guessing the second is easier and the third is easier yet. The NIST guidelines give the first character 4 bits of entropy when using the 94 characters available on standard keyboards, but only 2 bits for each of the next seven characters, and so on.

Randomly selected passwords do not display patterns, so each character carries the same level of entropy, about 6.6 bits.

This means an eight-character password selected by a user has 18 bits of entropy, while a random password the same length has about 52.7 bits.

More entropy required

Additional bits of entropy can be added to user-selected passwords by adding rules to prohibit the use of easily identified passwords. NIST suggests giving people dictionaries of common words they shouldn’t use. So-called composition rules would require users to use a combination of upper- and lowercase letters, as well as numbers and symbols.

The other key factors in meeting E-Authentication strength requirements for Level 1 and 2 passwords are the life span of the password (how often it must be changed) and the restrictions placed on failed log-in attempts. A system that blocks log-in for one minute following three failed attempts limits an automated attack to three tries per minute, effectively extending the allowable life of a password.

A system also could block out a password and require that it be changed after the total number of failed attempts estimated by its level of entropy had been reached.

These numbers refer to “guessing entropy,” which is a measure of the average amount of work required to guess the password of a single targeted user. Another type, “min-entropy,” measures the difficulty of guessing the easiest single password in a group of users.

For details on the math and other variables involved in figuring password entropy, check out Appendix A of SP 800-63.
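The arithmetic described above, as an added example that is not part of the original article or of NIST's publication: it estimates the entropy of a user-selected password, converts the Level 1 and Level 2 probability limits into a lifetime guess budget, and shows how long a three-tries-per-minute throttle takes to exhaust that budget. The function names are hypothetical, the rates for characters past the eighth come from SP 800-63 Appendix A rather than from the article, and the budget is taken as the entropy-sized guess space multiplied by the allowed probability.

```python
import math

# Lifetime guessing-probability limits quoted in the article.
MAX_GUESS_PROBABILITY = {1: 1 / 1024, 2: 1 / 16384}


def user_chosen_entropy_bits(length):
    """Estimated entropy of a user-selected password (94-character set)."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0   # first character (article)
        elif position <= 8:
            bits += 2.0   # characters 2-8 (article)
        elif position <= 20:
            bits += 1.5   # characters 9-20 (SP 800-63 Appendix A, not in the article)
        else:
            bits += 1.0   # characters 21+ (SP 800-63 Appendix A, not in the article)
    return bits


def allowed_guesses(entropy_bits, level):
    """Largest number of guesses that keeps the chance of success within the limit."""
    return math.floor(2 ** entropy_bits * MAX_GUESS_PROBABILITY[level])


def minutes_to_spend_budget(entropy_bits, level, tries_per_minute=3):
    """Time a throttled automated attack needs to use up the guess budget."""
    return allowed_guesses(entropy_bits, level) / tries_per_minute


if __name__ == "__main__":
    for length in (8, 12, 20):  # constructed sample lengths
        bits = user_chosen_entropy_bits(length)
        for level in (1, 2):
            print(f"len={length:2d} H={bits:4.1f} bits  Level {level}: "
                  f"{allowed_guesses(bits, level):>9,} guesses, "
                  f"{minutes_to_spend_budget(bits, level):,.1f} min at 3 tries/min")
```

For the article's eight-character, 18-bit password the budget is 256 guesses at Level 1 and 16 at Level 2, which is why the password's life span and the handling of failed log-ins have to be set together with its entropy.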
