Entropy basics

| Character set | Bits of entropy = log₂(possible combinations) |
|---|---|
| Lowercase only (26) | 4.7 bits per char |
| Alphanumeric (62) | 5.95 bits per char |
| With symbols (~94) | 6.55 bits per char |
| Diceware (7776 word list) | 12.9 bits per word |

Rough crack times (offline, 10 billion guesses / sec)

| Password | Entropy | Crack time |
|---|---|---|
| "password" | 27 bits | instant |
| "P@ssw0rd1" | 43 bits | minutes (dictionary) |
| 12 lowercase random | 56 bits | ~2 hours |
| 14 alphanum random | 83 bits | 300 years |
| 16 mixed + symbols | 105 bits | 1 billion years |
| 4-word Diceware | 51 bits | ~72 days |
| 6-word Diceware | 77 bits | 4 000 years |

What actually helps

- Length beats complexity. 20 random lowercase letters are stronger than 8 unusual symbols.
- Use a password manager. Random 20+ character passwords, unique per site.
- Enable MFA. Password compromises happen; with MFA a stolen password alone is not enough to log in.
- Check against breaches. Have I Been Pwned's k-anonymity API, or 1Password Watchtower.
- Avoid predictable patterns. Substitutions (@ for a) add almost no entropy.

Notes

- bcrypt/argon2/scrypt slow the per-guess rate by 10⁵ – 10⁶×; hardware attacks on fast hashes (MD5, SHA-1) run orders of magnitude faster.
- NIST SP 800-63B dropped the "rotate every 90 days" rule in 2017 — rotation without evidence of compromise is counterproductive.
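The entropy and crack-time tables above, and the slow-hash note, all follow from one formula: bits = length × log₂(alphabet size), and worst-case search time = 2^bits / guesses per second. The script below is an added example, not code from the original page, that computes both from the alphabet sizes in the first table and shows what the 10⁵× slowdown of a password-hashing function does to the same password at the 10 billion guesses/sec rate assumed above. The alphabet sizes and the `SLOW_HASH_FACTOR` value are taken from the page; everything else is the author's own construction.

```python
import math

# Alphabet sizes from the "Entropy basics" table above.
ALPHABETS = {"lower": 26, "alnum": 62, "symbols": 94, "diceware": 7776}

FAST_HASH_RATE = 1e10     # guesses/sec assumed in the crack-time table (fast hash, GPU rig)
SLOW_HASH_FACTOR = 1e5    # lower end of the 10^5 - 10^6 slowdown from bcrypt/argon2/scrypt


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random: log2(size ** length)."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(bits: float, guesses_per_sec: float) -> float:
    """Worst case: every one of the 2**bits candidates is tried once."""
    return 2.0 ** bits / guesses_per_sec


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years, days, hours, minutes, seconds)."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(alphabet: str, length: int) -> dict:
    """Entropy plus worst-case search time against a fast hash and a slow (memory/CPU-hard) hash."""
    bits = entropy_bits(ALPHABETS[alphabet], length)
    return {
        "bits": round(bits, 1),
        "fast_hash": humanize(exhaustive_search_seconds(bits, FAST_HASH_RATE)),
        "slow_hash": humanize(exhaustive_search_seconds(bits, FAST_HASH_RATE / SLOW_HASH_FACTOR)),
    }


if __name__ == "__main__":
    # "Length beats complexity": 20 lowercase letters vs 8 symbols, plus a 6-word Diceware phrase.
    for alphabet, length in [("lower", 12), ("lower", 20), ("symbols", 8), ("diceware", 6)]:
        print(f"{alphabet:>8} x {length:>2}: {compare(alphabet, length)}")
```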