Calculate Entropy?

Hi @anglenora2022,

That's a fantastic question. I thought I was going to write a short answer but it turned out longer than I expected. I hope you don't mind.

Entropy calculation is actually relatively simple. To calculate it you need to know how to determine how many permutations there are for the given password recipe. The amount of entropy defines the amount of randomness that was used in the generation of a password, and since that depends on the password recipe, you need to know the recipe. If I say that my Master Password is 4 words, then that's not enough information to determine the entropy. If I say that my Master Password is a 4-word wordlist password created by 1Password then we can use 1Password's recipe there. The recipe in the case of a wordlist password is very simple: randomly choose 4 words out of the list of ~18000 words. That means there are 18000 * 18000 * 18000 * 18000 (assuming repeats are allowed) permutations. Once you know the number of permutations you can convert that to bits of entropy by doing a log base 2. In the case of a 4 word password generated by our wordlist that comes out to 56 bits of entropy.

If you're using 1Password for Mac, you can actually see this by enabling "Copy Item JSON" in Preferences > Advanced, then choosing an item that contains your randomly generated password, and using the Item > Copy JSON. Paste that into an editor and you'll get something that looks like:

{"sectionName":"P","details":{"password":"reckon ishmael ascot pitfall","sections":[{"title":"Related Items","name":"linked items"}]},"uuid":"nkkkpxyezzaexcwh6enu7lhsem","updatedAt":1527535870,"createdAt":1527535870,"categoryUUID":"005","overview":{"pbe":56.64641721601138,"pgrng":true,"title":"pbe test","ainfo":"May 28, 2018, 2:31:10 PM","ps":75}}

Look for pbe:, and the number after it is the number of bits of entropy. With that you can tweak the generator parameters and come up with different passwords and see how it affects the pbe.

So now the all-too-important question... just how many bits of entropy is enough? That's something that will change over time. What we consider to be a strong password today will not be the same as what we consider strong in a few years because computers will have gotten that much faster. To determine this we have what we currently consider to be a "fantastic strength", i.e. a strength where any stronger doesn't actually bring more value. Right now that's defined as 75 bits. We calculate the strength (ps in the item JSON) as the percentage of the fantastic strength. In my example above that was a strength of 75.

The rules to determine which color or strength title to show is based on the calculated strength:

• [0, 26) : Terrible
• [26, 44) : Weak
• [44, 53) : Fair
• [53, 60) : Good
• [60, 73) : Very Good
• [73, 85) : Excellent
• [85, 100] : Fantastic

I still haven't answered how many bits of entropy is enough. 75 is fantastic, but we don't expect anyone to have a Master Password with 75 bits of entropy. For passwords you're generating for websites, you should try to get as close to fantastic as you can get away with since you won't need to remember them. For your Master Password, if you used our wordlist generator and used a 4 word password from it, you're doing excellent. In general humans are terrible at randomness and a "random" password that we invent from our heads is considered to be no better than about 40 bits, and in most cases is much lower than that. For a Master Password we'd recommend staying at or above that 40 bit mark.

I hope this helps.

Rick