The Concept of Entropy

In information theory, Entropy (measured in bits) represents the total amount of randomness in a secret. It tells us how many guesses, on average, it would take to find the correct answer.

The Formula: E = log₂(R^L)

Don't panic. Here is what it means:

• R (Range): The number of possible characters (e.g., 26 for lowercase, 62 for alphanumeric).
• L (Length): How many characters are in the password.

Notice that Length (L) is an exponent. Increasing the length makes the number explosive.

Case Study: Complexity vs Length

These two passwords show why a long phrase beats a short complex one every time:

Why "Tr0ub4dor&3" is Weak

This famous example (from XKCD) shows a password that looks hard. But it uses common "l33t speak" substitutions (0 for o, 4 for a). Hackers have "dictionaries" that include these. Mathematically, it has very low entropy because it's predictable.

The 12-Character Minimum

We recommend 12 characters as a hard minimum because below that, modern GPUs can brute force efficiently. At 12 characters, even with just lowercase letters, the numbers get big enough to be annoying for hackers. At 16, they become nearly impossible.