Password Strength: What Actually Makes a Password Secure?
Reviewed by Jerry Croteau, Founder & Editor
The password advice most people follow — add a capital letter, a number, and a symbol — is largely security theater. A password like "Password1!" is technically complex but cracked almost instantly by any competent attacker. What actually makes a password strong is entropy: the mathematical measure of unpredictability.
Our calculator scores passwords on real entropy metrics. This guide explains the science behind the score.
What entropy means for passwords
Entropy in information theory measures how many possible values a piece of information could take. For passwords, it determines how many guesses an attacker would need to crack it through brute force. Entropy is measured in bits — each bit doubles the number of possible values.
Formula: Entropy = log2(charset_size ^ length) = length x log2(charset_size)
| Character set | Size | Entropy per character |
|---|---|---|
| Digits only (0-9) | 10 | 3.32 bits |
| Lowercase letters | 26 | 4.70 bits |
| Lower + upper | 52 | 5.70 bits |
| Alphanumeric | 62 | 5.95 bits |
| Full ASCII printable | 95 | 6.57 bits |
Length matters far more than complexity
An 8-character password using the full ASCII character set has about 52.5 bits of entropy. A 12-character password using only lowercase letters has about 56.4 bits — and is far easier to remember.
| Password | Length | Charset | Entropy | Time to crack* |
|---|---|---|---|---|
| password | 8 | 26 | 37.6 bits | Seconds |
| Password1! | 10 | 72 | 61.5 bits | Hours (pattern known) |
| correcthorsebattery | 19 | 26 | 89.3 bits | Centuries |
| xK9#mP2&qL | 10 | 95 | 65.7 bits | Weeks-months |
| correct-horse-battery-staple | 28 | 27 (+space) | 131 bits | Longer than the universe |
*Assuming 10 billion guesses per second — modern GPU cracking rates for offline attacks.
The four-word passphrase beats the complex 10-character password by orders of magnitude. Length wins.
Why common complexity rules fail
Attackers do not try every possible character combination randomly. They use pattern-aware cracking that knows:
- Most people capitalize the first letter
- Most people put numbers at the end
- Most people use ! or @ or 1 as their "special character"
- Common words with substitutions (p@ssw0rd) are in every dictionary
When you follow the standard complexity rules, you reduce the effective search space dramatically because your pattern is predictable. A truly random 8-character password from the full character set is stronger than a predictably complex one.
What makes a password genuinely strong
- Length: 16+ characters for important accounts. 20+ for critical ones.
- Randomness: Generated by a password manager or dice, not chosen by you. Human brains are terrible at generating entropy.
- Uniqueness: Never reused across sites. When one site is breached, credential stuffing attacks try your password everywhere else.
- Not in breach databases: Millions of real passwords from data breaches are in cracking dictionaries. Common words, even complex-looking ones, may be there.
The case for passphrases
A passphrase is four or more random words concatenated: "correct horse battery staple" (from XKCD 936, now famous). This approach works because:
- High entropy from length: 4 words from a 7,776-word Diceware list = 51.7 bits. Five words = 64.6 bits.
- Human-memorable: you can actually type it
- Not pattern-vulnerable the way complex rules are
For most purposes, use a password manager to generate and store fully random strings. For passwords you must memorize (like your password manager's master password), a 5-6 word Diceware passphrase is the best balance of security and memorability.
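The entropy formula from the first section and the Diceware figures above, worked as an added Python example (not the site's own calculator): it infers the character set from the classes present in a password, computes length × log2(charset size), computes passphrase entropy from the word count and list size, estimates worst-case exhaustion time at the article's 10 billion guesses per second, and flags the three habits listed under "Why common complexity rules fail". The class sizes (33 symbols so that all four classes sum to the 95 printable ASCII characters) and the pattern checks are my assumptions.

```python
import math
import re
import string

# Character-class sizes; together they make up the 95 printable ASCII characters
# used in the table above (10 digits + 26 lower + 26 upper + 33 symbols incl. space).
# Assumed split for this example, not the site's own classification.
CLASS_SIZES = {
    "digit": (10, set(string.digits)),
    "lower": (26, set(string.ascii_lowercase)),
    "upper": (26, set(string.ascii_uppercase)),
    "symbol": (33, set(string.punctuation + " ")),
}

GUESSES_PER_SECOND = 10_000_000_000  # the article's assumed offline GPU rate


def charset_size(password: str) -> int:
    """Size of the union of every character class that appears in the password."""
    chars = set(password)
    return sum(size for size, members in CLASS_SIZES.values() if chars & members)


def charset_entropy_bits(password: str) -> float:
    """Entropy = length * log2(charset_size), assuming each character is uniformly random."""
    return len(password) * math.log2(charset_size(password))


def diceware_entropy_bits(word_count: int, list_size: int = 7776) -> float:
    """Entropy of word_count words drawn uniformly from a list_size-word list."""
    return word_count * math.log2(list_size)


def crack_time_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try all 2**bits candidates at the given guess rate."""
    return 2 ** bits / rate


def predictable_patterns(password: str) -> list[str]:
    """Flags the human habits that pattern-aware cracking exploits (assumed heuristics)."""
    flags = []
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        flags.append("only the first letter is capitalized")
    if re.search(r"\d+[!@]?$", password):
        flags.append("digits at the end")
    if re.fullmatch(r"[A-Za-z0-9]+[!@]", password):
        flags.append("single trailing ! or @ as the only symbol")
    return flags


if __name__ == "__main__":
    for pw in ["password", "Password1!", "correcthorsebattery", "xK9#mP2&qL"]:
        bits = charset_entropy_bits(pw)
        print(f"{pw:22} {bits:6.1f} bits  ~{crack_time_seconds(bits):.3g} s  {predictable_patterns(pw)}")
    print(f"4 Diceware words: {diceware_entropy_bits(4):.1f} bits, 5 words: {diceware_entropy_bits(5):.1f} bits")
```

The character-set estimate is an upper bound: it treats every character as uniformly random, which is exactly why the pattern flags matter for a password like "Password1!".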
What two-factor authentication actually changes
Even a weak password becomes much harder to compromise with 2FA enabled — an attacker needs both your password and access to your second factor (phone, hardware key, or TOTP app). For any account that matters, enable 2FA regardless of password strength. It is the single highest-impact security action most people can take.
Check how strong any password is with our calculator: it scores entropy, flags common patterns, and estimates cracking time under real-world attack conditions.