Password Strength Guide
Password entropy, crack times, and what actually makes a password strong.
Reference
Entropy basics
- Bits of entropy = log₂(possible combinations); for a uniformly random password of n symbols drawn from an alphabet of size N that is n × log₂(N), so entropy grows linearly with length.
- Lowercase only (26 symbols): 4.7 bits per char
- Alphanumeric (62 symbols): 5.95 bits per char
- With symbols (~94 symbols): 6.55 bits per char
- Diceware (7776-word list): 12.9 bits per word
Rough crack times (offline, 10 billion guesses / sec)
| Password | Entropy | Crack time |
|---|---|---|
| "password" | 27 bits | instant |
| "P@ssw0rd1" | 43 bits | minutes (dictionary) |
| 12 lowercase random | 56 bits | ~2 hours |
| 14 alphanum random | 83 bits | 300 years |
| 16 mixed + symbols | 105 bits | 1 billion years |
| 4-word Diceware | 51 bits | ~72 days |
| 6-word Diceware | 77 bits | 4 000 years |
What actually helps
- Length beats complexity. 20 random lowercase letters is stronger than 8 weird symbols.
- Use a password manager. Random 20+ char passwords per site.
- Enable MFA. Password compromises happen; MFA blocks the attack.
- Check against breaches. Have I Been Pwned's k-anonymity API, or 1Password Watchtower.
- Avoid predictable patterns. Substitutions (@ for a) add almost no entropy.
Notes
- Bcrypt/argon2/scrypt slow per-guess rates down by 10⁵ – 10⁶×; hardware attacks on fast hashes (MD5, SHA-1) are orders of magnitude faster.
- NIST SP 800-63B dropped the "rotate every 90 days" rule in 2017 — rotation without compromise is counterproductive.
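A small calculator for the figures in this guide, added here as an example rather than code from the original page: it applies the log₂ formula from Entropy basics, estimates average-case crack time at the table's 10 billion guesses/sec with an optional slow-hash divisor from the Notes, and shows why a meter that only counts character classes overrates "P@ssw0rd1" while a dictionary-aware check does not. The five-word dictionary, the leet map and the "~2^4 substitution patterns" budget are constructed assumptions; a real checker would load a large wordlist.

```python
import math

# Alphabet sizes from the "Entropy basics" list above.
LOWER, ALNUM, SYMBOLS, DICEWARE = 26, 62, 94, 7776
GUESS_RATE_FAST = 1e10    # offline guesses/sec against a fast hash (the table's rate)
SLOW_HASH_FACTOR = 1e5    # bcrypt/argon2/scrypt divide that rate by ~10^5 (Notes, lower bound)

# Constructed toy dictionary and leet map; a real checker loads a large wordlist.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon"}
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Uniformly random string: length * log2(alphabet). For Diceware, pass
    alphabet_size=DICEWARE and length = number of words."""
    return length * math.log2(alphabet_size)


def naive_charset_bits(password: str) -> float:
    """What a charset-counting meter reports: '@' and '0' earn symbol/digit credit."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 32)]
    size = sum(n for test, n in classes if any(test(c) for c in password))
    return random_entropy_bits(len(password), size)


def dictionary_aware_bits(password: str, dictionary=COMMON_WORDS) -> float:
    """Scores a leet-substituted word plus digit suffix as the guess it really is:
    choose a word, one of ~2^4 common substitution patterns (assumed), then the digits."""
    core = password.rstrip("0123456789")
    digits = len(password) - len(core)
    if core.translate(LEET).lower() in dictionary:
        return math.log2(len(dictionary)) + 4 + digits * math.log2(10)
    return naive_charset_bits(password)


def expected_crack_seconds(bits: float, rate: float = GUESS_RATE_FAST,
                           slow_hash_factor: float = 1.0) -> float:
    """Average-case time: half the keyspace over the effective guess rate."""
    return (2.0 ** bits / 2) / (rate / slow_hash_factor)


def human_duration(seconds: float) -> str:
    """Round to the largest fitting unit, for reports like the table above."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.2f} seconds"
```

Because the time estimate uses half the keyspace and a single fixed rate, treat its output as an order-of-magnitude figure, not a reproduction of the table.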