LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you calculate the cryptographic strength (entropy) of a random password or key in bits?

Multiply the bits contributed per character by the number of characters, where bits-per-character = log₂(alphabet size). So a 6-digit PIN ≈ 20 bits, a 20-character hex string = 80 bits, and 22 Base64 characters ≈ 128 bits.

Bits of entropy per random character, by encoding

* Bigger alphabet means more bits per character; multiply by length for the total. *

Entropy counts how many equally-likely possibilities an attacker must search, expressed as a power of two. For a string of random symbols it is simply:

$$\text{strength (bits)} = n \times \log_2(\text{alphabet size})$$

Character set Alphabet size Bits per character Characters for 128 bits
Digits (0–9) 10 3.32 ~39
Hex (0–9, A–F) 16 4 32
Letters (A–Z) 26 ~4.7 ~28
Letters + digits 36 ~5.17 ~25
Base64 64 6 ~22

Worked examples:

  • A 6-digit bank PIN: $6 \times 3.32 \approx 20$ bits — trivial to brute-force (a million tries), which is why cards limit attempts.
  • A 20-character hex secret (e.g. EB832A10B5A8221D6E7E): $20 \times 4 = 80$ bits.
  • A 20-character Base64 password: $20 \times 6 = 120$ bits — genuinely strong.

The crucial caveat: this formula assumes each character is chosen uniformly at random. A human-chosen password with the same length has far less entropy, because words, names, and patterns collapse the real search space — which is the whole reason password managers and long random passphrases exist.

Go deeper:

From Quiz: KRYPTOG / Key Sizes and Conclusion | Updated: Jul 14, 2026