Passphrase Quality in PGP Desktop

When entering a passphrase in PGP Desktop, a status bar informs the user of the strength of the passphrase being entered. This document details how PGP Desktop derives the passphrase quality percentage for a passphrase.

In general, the longer the bar, the stronger the passphrase. But what does the length of the Passphrase Quality bar actually mean?

The Passphrase Quality bar compares the amount of randomness (entropy) in the passphrase you enter against a true 128-bit random string (the same amount of entropy in an AES128 key).

Such a string has 128 bits of entropy. (Entropy is a measure of how difficult it is to determine a password or key.)

So if the passphrase you create fills up approximately half the Passphrase Quality bar, then that passphrase has approximately 64 bits of entropy. And if your passphrase fills the Passphrase Quality bar, then that passphrase has approximately 128 bits of entropy.

How is the entropy of a particular character measured? The bigger the pool of characters there is to choose from when picking a particular character, the more entropy is assigned to the chosen character.

For example, if you are told to choose a numeric PIN, you are restricted to the numbers zero through nine; a total of 10 characters. This is a rather small pool, so the entropy for a chosen character is relatively low.

When you are choosing a passphrase using the English version of PGP Desktop, however, things are different. You have three pools of characters to choose from: uppercase and lowercase letters (52 characters), numbers zero through nine (10 characters), and the punctuation characters on a standard keyboard (32 characters).

When you enter a character, PGP Desktop determines the entropy value for that character based on the pool it is in and applies that value to the Passphrase Quality bar.
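The following is an added illustration of the pool-based estimate described above, not PGP Desktop's own code. It assumes (the page does not state the formula) that each character is credited log2(pool size) bits for the pool it belongs to, that the credits are summed, and that the bar shows that sum as a percentage of the 128-bit target, capped at 100%.

```python
import math
import string

# The three character pools of the English version of PGP Desktop:
# 52 letters, 10 digits and 32 keyboard punctuation characters
# (string.punctuation contains exactly those 32 characters).
POOLS = {
    "letters": string.ascii_letters,
    "digits": string.digits,
    "punctuation": string.punctuation,
}

# Entropy of a true 128-bit random string (the same as an AES-128 key).
TARGET_BITS = 128.0


def char_entropy_bits(ch: str) -> float:
    """Bits credited to one character: log2 of the size of the pool it is drawn from.
    Assumption: the page says only that a larger pool earns more entropy; log2 is
    the standard way to turn a pool size into bits."""
    for pool in POOLS.values():
        if ch in pool:
            return math.log2(len(pool))
    # Spaces and non-ASCII characters are not in any of the three pools the page
    # describes, so this estimate refuses them rather than guessing a value.
    raise ValueError(f"character {ch!r} is outside the three English pools")


def passphrase_entropy_bits(passphrase: str) -> float:
    """Total estimated entropy: the per-character credits added together."""
    return sum(char_entropy_bits(c) for c in passphrase)


def quality_percent(passphrase: str) -> float:
    """Length of the Passphrase Quality bar as a percentage of the 128-bit target."""
    return min(100.0, 100.0 * passphrase_entropy_bits(passphrase) / TARGET_BITS)


def chars_to_fill_bar(pool_name: str) -> int:
    """Fewest characters drawn from a single pool needed to reach 128 bits."""
    bits_per_char = math.log2(len(POOLS[pool_name]))
    return math.ceil(TARGET_BITS / bits_per_char)


if __name__ == "__main__":
    for sample in ("1234", "aB3!", "correct horse battery".replace(" ", "-")):
        print(f"{sample!r}: {passphrase_entropy_bits(sample):.1f} bits, "
              f"bar {quality_percent(sample):.1f}%")
    for name in POOLS:
        print(f"{name}-only passphrase fills the bar at {chars_to_fill_bar(name)} chars")
```

Under this estimate a digits-only passphrase needs 39 characters to fill the bar, letters-only needs 23 and punctuation-only needs 26; the estimate credits the pool a character comes from, not whether the passphrase is a dictionary phrase.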