The marmot's password meta-generator
Introduction
Entropy, expressed in bits, measures a password's unpredictability: the higher it is, the more resistant it is to attacks. It is the reference measure in standards such as NIST SP 800-63B and ANSSI guidelines.
This value is however context-dependent: it varies with the password's lifetime and the authentication mechanisms in place — particularly the presence of MFA. The reference table below gives some benchmarks.
Reference
Recommended entropy thresholds by use case, based on NIST SP 800-63B and industry best practices.
| Scenario | Min entropy | Rationale |
|---|---|---|
| Single-use password | ~25 bits | Very short exposure window |
| Online account with MFA | ~45 bits | MFA compensates — online attack only |
| Local laptop (offline) | ~45 bits | Physical access required, slow hash |
| Online account without MFA | ~65 bits | DB leak possible, offline attack risk |
| Admin / root account | ~85 bits | High-value target, elevated privileges |
| Disk / backup encryption | ~90 bits | Offline GPU, highest stakes, long lifetime |
Generate a password
Practical tips
- Generate several passwords and pick the one you like — easy to type and remember.
- Prefer passphrases if you memorise them better — this is also ANSSI's recommendation.
- Use a password manager — it generates, stores and remembers everything for you.
- Passwords built from human patterns (
Pa$$w0rd, name + date, memorable phrases) are vulnerable to dictionary attacks — even if they look complex. The marmot recommends using only purely and strictly random passwords. - No generic algorithm can calculate or guarantee the real entropy of a password based on memorisation heuristics: the entropy shown by this tool assumes purely random generation.
References
The entropy displayed is calculated using Shannon's entropy formula, applied to uniform random selection:
Random password : H = L × log₂(N)
Passphrase : H = W × log₂(N)
Where L = length, W = word count, N = pool size (characters or words). This formula assumes perfectly uniform random selection — an assumption met by using a CSPRNG (OsRng on the server, the secrets module in the Python script).
- Claude E. Shannon, A Mathematical Theory of Communication, Bell System Technical Journal, 1948 — theoretical foundation of entropy measurement.
- NIST SP 800-63B — Digital Identity Guidelines: explicitly applies this formula to the assessment of memorised secrets.
- EFF Large Wordlist — 7,776-word list used for passphrases, giving log₂(7,776) ≈ 12.9 bits per word.