How do you calculate the cryptographic strength (entropy) of a random password or key in bits?
Multiply the bits contributed per character by the number of characters, where bits-per-character = log₂(alphabet size). So a 6-digit PIN ≈ 20 bits, a 20-character hex string = 80 bits, and 22 Base64 characters ≈ 128 bits.
* Bigger alphabet means more bits per character; multiply by length for the total. *
Entropy counts how many equally-likely possibilities an attacker must search, expressed as a power of two. For a string of random symbols it is simply:
$$\text{strength (bits)} = n \times \log_2(\text{alphabet size})$$
| Character set | Alphabet size | Bits per character | Characters for 128 bits |
|---|---|---|---|
| Digits (0–9) | 10 | 3.32 | ~39 |
| Hex (0–9, A–F) | 16 | 4 | 32 |
| Letters (A–Z) | 26 | ~4.7 | ~28 |
| Letters + digits | 36 | ~5.17 | ~25 |
| Base64 | 64 | 6 | ~22 |
Worked examples:
- A 6-digit bank PIN: $6 \times 3.32 \approx 20$ bits — trivial to brute-force (a million tries), which is why cards limit attempts.
- A 20-character hex secret (e.g.
EB832A10B5A8221D6E7E): $20 \times 4 = 80$ bits. - A 20-character Base64 password: $20 \times 6 = 120$ bits — genuinely strong.
The crucial caveat: this formula assumes each character is chosen uniformly at random. A human-chosen password with the same length has far less entropy, because words, names, and patterns collapse the real search space — which is the whole reason password managers and long random passphrases exist.
Go deeper:
Password strength (Wikipedia) — the entropy formula and worked examples.