The entropy of a password is the number of yes/no questions an attacker has to ask one after the other to first narrow down and finally guess a password he wants to guess (“hack”). Since the attacker usually does not get a direct answer to each of these yes/no questions, he has to combine the yes/no questions. With as few as 40 yes/no questions, he has to try out more than 1 trillion possible passwords.