Password Entropy Explained — Why Length Beats Complexity
"Strong password" sounds subjective, but it is not — there is a number behind it. Entropy, measured in bits, tells you exactly how hard a password is to guess, and once you can compute it, a lot of common advice turns out to be backwards. This post walks through the formula, some worked examples, a cracking-time table at realistic GPU speeds, and the giant caveat that makes most human-made passwords far weaker than the math suggests.
The Formula: bits = length × log2(pool)
For a truly random password, each character is an independent choice from a pool of possible characters. The entropy in bits is:
entropy (bits) = length × log2(pool size) Pool sizes: lowercase only (a-z) 26 → 4.70 bits/char lower + upper (a-zA-Z) 52 → 5.70 bits/char lower + upper + digits 62 → 5.95 bits/char all printable ASCII w/ symbols 94 → 6.55 bits/char
Each additional bit doubles the search space. An attacker needs on average 2^(bits−1) guesses to find the password. Notice something in that table: going from lowercase-only to the full symbol set — the thing complexity rules force on you — gains less than 2 bits per character. Adding one more character gains 4.7 to 6.55 bits. Length wins, every time.
Worked Examples
8 chars, lowercase: 8 × log2(26) = 8 × 4.70 ≈ 37.6 bits 8 chars, all 94 symbols: 8 × log2(94) = 8 × 6.55 ≈ 52.4 bits 12 chars, lower+upper+dig: 12 × log2(62) = 12 × 5.95 ≈ 71.4 bits 16 chars, lower+upper+dig: 16 × log2(62) = 16 × 5.95 ≈ 95.3 bits 16 chars, all 94 symbols: 16 × log2(94) = 16 × 6.55 ≈ 104.9 bits 20 chars, lowercase only: 20 × log2(26) = 20 × 4.70 ≈ 94.0 bits
The comparison worth staring at: an 8-character password using every symbol on the keyboard reaches ~52 bits, while a 16-character mixed-case alphanumeric password reaches ~95 bits — and 20 lowercase letters match it with no symbols at all. Doubling length roughly doubles the bits; upgrading the character set nudges them.
What Those Bits Mean at GPU Speeds
How fast guesses happen depends entirely on how the password was hashed. A single modern GPU manages very roughly 100 billion MD5 guesses per second, around 10 billion for SHA-256, but only tens of thousands per second against a properly configured bcrypt. Assume a serious attacker with a rig of ~10 GPUs against a fast hash (10^12 guesses/second) — the pessimistic case:
Entropy Search space Avg. time at 10^12 guesses/sec 37.6 bits ~2.1 x 10^11 ~0.1 seconds 52.4 bits ~6.1 x 10^15 ~50 minutes 71.4 bits ~3.2 x 10^21 ~51 years 95.3 bits ~4.9 x 10^28 ~780 million years 104.9 bits ~3.9 x 10^31 ~620 billion years
The cliff between 52 and 71 bits — minutes versus decades — is why 12 random characters is a sensible floor and 16 is a comfortable default. And remember these times assume a fast, unsalted hash; sites that use bcrypt or Argon2 slow every guess by a factor of 10,000+ (see bcrypt vs SHA-256).
The Catch: Humans Destroy Theoretical Entropy
The formula only holds when every character is chosen uniformly at random. Humans do not do that. "Trustno1!" looks like a 9-character mixed password worth ~59 bits, but an attacker does not guess it character by character — they guess it as dictionary word + digit + symbol, a pattern with maybe 20-25 bits of real-world entropy. Cracking rulesets encode human habits directly:
- Capital letter goes first, digits and symbols go last
- Leet substitutions (e→3, a→@) are tried automatically for every dictionary word
- Keyboard walks (qwerty, 1qaz2wsx) and dates (birthdays, years) are in every wordlist
- Passwords from previous breaches — billions of them — are tried before any brute force begins
The honest way to state it: entropy is a property of the process that generated the password, not of the string itself. A password that came out of a cryptographically secure generator has the entropy the formula says. A password a human composed has the entropy of the human's decision process — usually a tiny fraction of the theoretical figure, no matter how random it looks.
Honest Diceware Math
Passphrases get the same treatment. A diceware passphrase picks words uniformly at random from a list of 7,776 words (five dice rolls per word), so each word contributes log2(7776) ≈ 12.9 bits regardless of how long the word is:
4 words: 4 × 12.9 ≈ 51.7 bits (okay for throttled online logins) 5 words: 5 × 12.9 ≈ 64.6 bits (decent) 6 words: 6 × 12.9 ≈ 77.5 bits (strong — good master password) 7 words: 7 × 12.9 ≈ 90.4 bits (excellent)
The honesty matters in both directions. "correct horse battery staple" style phrases only earn their bits if the words came from actual dice or a CSPRNG — a phrase you thought up ("my favourite chai stall in Hyderabad") is a sentence, and sentences follow grammar, which attackers model. And note the entropy is per word, not per letter: a 6-word, 30-character passphrase has ~77 bits, less than a 16-character random string's ~105. That is fine — the passphrase's job is to be memorable, and 77 bits is plenty. The random string's job is density, because a password manager is typing it.
Practical Targets
- Regular website accounts — 16-character generated passwords (~100 bits); overkill is free when a manager remembers them
- Master password / disk encryption — 6+ word diceware passphrase (77+ bits), memorised
- WiFi, shared secrets, API keys — 20+ generated characters; nobody types these often
- Anything below ~50 bits — treat as protection against casual guessing only, not against an offline attacker
Frequently Asked Questions
Password entropy measures unpredictability in bits. For a truly random password, entropy = length × log2(pool size), where pool size is the number of possible characters. Each additional bit doubles the number of guesses an attacker needs on average.
For accounts protected by online rate limiting, 40-50 bits is workable. For anything that could face offline cracking — password manager master passwords, disk encryption — aim for 75 bits or more. A random 16-character mixed password (~104 bits) or a 6-word diceware passphrase (~77.5 bits) both clear that bar.
Not much. Growing the character pool from 62 to 94 adds only about 0.6 bits per character, while each extra character adds 5.95-6.55 bits. Four extra lowercase letters beat swapping every character class in a short password.