Password Entropy & Security

When security experts talk about “strong” passwords, they are really talking about entropy: how unpredictable your password is. The higher the entropy, the harder it is for an attacker to guess it by brute force.

What Is Entropy?

Entropy is measured in bits. Each bit doubles the number of possible passwords. So an 8-bit password has 256 possible combinations; a 16-bit password has 65,536. The formula is: entropy = length × log₂(size of character set). So if you use only lowercase letters (26 characters), each character adds about 4.7 bits. Add uppercase, digits, and symbols and you expand the character set — and each character adds more bits.

Why Character Set Matters

A 12-character password using only lowercase letters has roughly 56 bits of entropy. The same length using uppercase, lowercase, digits, and symbols (e.g. 72 characters) has about 74 bits. That’s a huge difference: 2^74 guesses is astronomically larger than 2^56. That’s why our password generator lets you include numbers and symbols — it increases the pool of characters and thus the entropy per character.

Brute Force and Time

Attackers try passwords by the billions per second. A weak 8-character password (letters only) can fall in minutes. A 12-character password with mixed character types can take centuries at current computing speeds. Length and variety together are what make a password resilient. Randomness matters too: “password123” is long but predictable; a random string of the same length is far stronger.

Using a Random Password Generator

A good password generator uses a cryptographically secure random source (like the Web Crypto API) to pick each character from your chosen set. That gives you maximum entropy for the length you choose. Use our Password Generator to create long, random passwords — and store them in a password manager so you don’t have to remember them.