Capterra Glossary
Password entropy measures how difficult it is for unauthorized parties, such as malicious cyberhackers, to guess a user's password. Password entropy is usually expressed in bits and is calculated from the entropy per character. The entropy per character is log base 2 of the size of the character set the password draws from; the total entropy of the password is that value multiplied by the number of characters in the chosen password. The National Institute of Standards and Technology (NIST) recommends that users protect their accounts by following a set of guidelines for user-selected passwords with 30 bits of entropy. This guideline states that users should use a minimum of eight characters selected from a 94-character set. User passwords should include at least one uppercase letter, one lowercase letter, one number, and one special character. NIST discourages using common dictionary words or permutations of one's username as an account password.
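The calculation described above, as an added worked example that is not part of the Capterra glossary entry: it derives the character-set size from the classes a password actually uses (the 94-character set is taken to be the printable ASCII characters other than the space), multiplies log base 2 of that size by the password length, checks the eight-character composition rule, and flags dictionary words against a small constructed blocklist. The blocklist and the sample passwords are constructed for illustration.

```python
import math
import string
from typing import Dict, Optional

# Character classes used to estimate the pool a password draws from.
# lower (26) + upper (26) + digit (10) + symbol (32) = the 94-character set.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed blocklist standing in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}


def charset_size(password: str) -> int:
    """Size of the character set implied by the classes the password uses.

    Characters outside the four classes (spaces, non-ASCII) each widen the
    pool by one so the estimate never divides into a log of zero.
    """
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    others = {c for c in password
              if not any(c in chars for chars in CHARACTER_CLASSES.values())}
    return size + len(others)


def entropy_bits(password: str, pool: Optional[int] = None) -> float:
    """Total entropy in bits: length * log2(pool).

    pool defaults to the set implied by the password's own character classes.
    The figure assumes every character was chosen uniformly at random, so it
    is an upper bound for a human-chosen password, not a measurement of it.
    """
    if not password:
        return 0.0
    n = pool if pool is not None else charset_size(password)
    if n <= 1:
        return 0.0
    return len(password) * math.log2(n)


def meets_composition_rule(password: str) -> bool:
    """At least eight characters with one of each class, as the guideline states."""
    return len(password) >= 8 and all(
        any(c in chars for c in password) for chars in CHARACTER_CLASSES.values()
    )


def is_dictionary_based(password: str) -> bool:
    """True when the password, ignoring case and trailing digits/symbols, is a blocklisted word."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in COMMON_WORDS


def audit_password(password: str) -> Dict[str, object]:
    """Combine the three checks into one report a policy engine could act on."""
    return {
        "bits": round(entropy_bits(password), 1),
        "composition_ok": meets_composition_rule(password),
        "dictionary_based": is_dictionary_based(password),
    }


if __name__ == "__main__":
    for pw in ["password", "Password1!", "Aa1!Aa1!", "k7#Qv2$pL9wE"]:
        print(pw, audit_password(pw))
```

The report makes the caveat concrete: "Password1!" draws from the full 94-character set and scores about 65 bits under the formula, yet it fails the dictionary check, which is why the guideline pairs the entropy target with a ban on common words rather than relying on the arithmetic alone.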
Small and midsize businesses can use password entropy to mitigate the threat of cyberhackers. Cyberhackers can access user accounts by simply guessing, by implementing a computer program that submits dozens of password guesses per minute based on mathematical probabilities, or by digging through a user's online presence to uncover common data points used in passwords. Strong passwords lessen the likelihood that cyberhackers will gain access to employee accounts, which is why a large number of small and midsize organizations require their employees to pick passwords that follow the NIST password guidelines.