Sloppy article Proton put out recently: What is password entropy? | Proton

Says just the word **Bankruptcies** has 68 bits of entropy, which is definitely overstated.

“Generally, a strong or high-entropy password scores at least 75 bits. Anything measuring fewer than 72 bits is reasonably easy for a machine to crack.”

There’s not much difference between 76 bits of entropy and 71 bits of entropy, yet they claim the former is strong while the latter is reasonably easy to crack.

"To recap, a truly secure password contains, for example:

**A passphrase of roughly 20 characters**"

A passphrase of 20 characters would be very weak.

Then they state:

“The example from above, **HelpFidoSaveTony33!**, meets all these requirements and creates a password with roughly 117 bits of entropy, which is currently impossible to crack by brute force.”

That definitely does not have 117 bits of entropy and isn’t impossible to crack by brute force.

KeePassXC has one of the best generators and entropy calculators. It says it has under 52 bits of entropy. To achieve an excellent entropy store in KPXC, you need at least 100 bits of entropy. Importantly, KPXC calculates entropy differently depending on whether you select password or passphrase. If the generator knows a passphrase is used, entropy is much lower for a given length, as it should be. Many times people believe their passphrases are stronger than they are because they run them through entropy calculators assuming they are passwords.

In general, you would think Proton would have had someone more informed and more senior review this important blog post from October of 2023?

By the way, KPXC says **Bankruptcies** has only 16 bits of entropy.