What Is Entropy and Why It Matters for Secrets
When people say a password or key is "strong," what they really mean — whether they know it or not — is that it has high entropy. Entropy is the single most important property of any secret. Understand it, and every other piece of advice about keys, passwords, and tokens starts to make sense.
Entropy in plain terms
Entropy measures unpredictability: how many equally likely values a secret could have been, expressed in bits. A secret with n bits of entropy has 2^n possible values, so an attacker must try up to 2^n guesses to be sure of finding it. Each extra bit doubles the work. That exponential growth is why a few more bits matter so much.
How entropy is calculated
For a value chosen randomly from a set of symbols, entropy is:
bits = length × log2(alphabet size)
- A 12-character lowercase string: 12 × log2(26) ≈ 56 bits.
- A 12-character mixed-case + digits string: 12 × log2(62) ≈ 71 bits.
- 16 random bytes (a 128-bit key): exactly 128 bits, regardless of how it's displayed.
Crucially, this only holds when each symbol is chosen randomly and independently. A 12-character password you invented yourself has far less entropy than the formula suggests, because human choices are predictable.
Useful benchmarks
- < 50 bits — weak; crackable quickly.
- ~64 bits — borderline; fine for low-value, rate-limited logins with 2FA.
- 80–100 bits — strong for most user secrets.
- 128 bits — the modern security baseline; beyond brute force.
- 256 bits — the comfortable default for long-lived keys and JWT/encryption secrets.
Where entropy comes from
Entropy must originate from a genuinely unpredictable source — a cryptographically secure random number generator. If your "random" value comes from a weak generator, the displayed length lies about its true strength. This is exactly why Math.random() must never be used for secrets.
How entropy quietly leaks away
- Human-chosen values. Patterns, words, and substitutions slash effective entropy.
- Truncating a key to "make it shorter" throws bits away.
- Restricted alphabets (e.g. digits only) need much greater length to reach the same strength.
- Reuse. A strong secret reused across systems is only as safe as the weakest place it lives.
Measure it yourself
The Analyzer tab estimates the entropy of any value you paste, flags weak patterns, and rates its strength — a quick way to sanity-check a secret before you ship it.
Curious how your secrets score? Paste a value into the analyzer and see its estimated entropy instantly.