Cryptomarmot

Français FR

The marmot's password meta-generator

Introduction

Entropy, expressed in bits, measures a password's unpredictability: the higher it is, the more resistant it is to attacks. It is the reference measure in standards such as NIST SP 800-63B and ANSSI guidelines.

This value is however context-dependent: it varies with the password's lifetime and the authentication mechanisms in place — particularly the presence of MFA. The reference table below gives some benchmarks.

Reference

Recommended entropy thresholds by use case, based on NIST SP 800-63B and industry best practices.

Scenario Min entropy Rationale
Single-use password ~25 bits Very short exposure window
Online account with MFA ~45 bits MFA compensates — online attack only
Local laptop (offline) ~45 bits Physical access required, slow hash
Online account without MFA ~65 bits DB leak possible, offline attack risk
Admin / root account ~85 bits High-value target, elevated privileges
Disk / backup encryption ~90 bits Offline GPU, highest stakes, long lifetime

Generate a password

Practical tips

  • Generate several passwords and pick the one you like — easy to type and remember.
  • Prefer passphrases if you memorise them better — this is also ANSSI's recommendation.
  • Use a password manager — it generates, stores and remembers everything for you.
  • Passwords built from human patterns (Pa$$w0rd, name + date, memorable phrases) are vulnerable to dictionary attacks — even if they look complex. The marmot recommends using only purely and strictly random passwords.
  • No generic algorithm can calculate or guarantee the real entropy of a password based on memorisation heuristics: the entropy shown by this tool assumes purely random generation.

References

The entropy displayed is calculated using Shannon's entropy formula, applied to uniform random selection:

Random password : H = L × log₂(N)

Passphrase : H = W × log₂(N)

Where L = length, W = word count, N = pool size (characters or words). This formula assumes perfectly uniform random selection — an assumption met by using a CSPRNG (OsRng on the server, the secrets module in the Python script).

  • Claude E. Shannon, A Mathematical Theory of Communication, Bell System Technical Journal, 1948 — theoretical foundation of entropy measurement.
  • NIST SP 800-63B — Digital Identity Guidelines: explicitly applies this formula to the assessment of memorised secrets.
  • EFF Large Wordlist — 7,776-word list used for passphrases, giving log₂(7,776) ≈ 12.9 bits per word.