
Password Entropy & Security

When security experts talk about “strong” passwords, they are really talking about entropy: how unpredictable your password is. The higher the entropy, the harder it is for an attacker to guess it by brute force.

What Is Entropy?

Entropy is measured in bits. Each bit doubles the number of possible passwords. So an 8-bit password has 256 possible combinations; a 16-bit password has 65,536. The formula is: entropy = length × log₂(size of character set). So if you use only lowercase letters (26 characters), each character adds about 4.7 bits. Add uppercase, digits, and symbols and you expand the character set — and each character adds more bits.

Why Character Set Matters

A 12-character password using only lowercase letters has roughly 56 bits of entropy. The same length using uppercase, lowercase, digits, and symbols (e.g. 72 characters) has about 74 bits. That’s a huge difference: 2^74 guesses is astronomically larger than 2^56. That’s why our password generator lets you include numbers and symbols — it increases the pool of characters and thus the entropy per character.

Brute Force and Time

Attackers try passwords by the billions per second. A weak 8-character password (letters only) can fall in minutes. A 12-character password with mixed character types can take centuries at current computing speeds. Length and variety together are what make a password resilient. Randomness matters too: “password123” is long but predictable; a random string of the same length is far stronger.

The Math of Entropy Explained

To truly understand password strength, we have to look at the math. If you have a character set of size L and a password of length n, the total number of possible combinations is L^n. Entropy (in bits) is the base-2 logarithm of that count: log₂(L^n) = n × log₂(L), which is the same length × log₂(size of character set) formula given above. For example:

A 10-character password using the full keyboard (94 chars) has 65 bits of entropy. A 15-character password using only lowercase letters has 70 bits. This shows that while variety helps, length is often the more powerful lever for increasing security.

Real-World Crack Times

How do these bits translate to actual security? Here is a rough guide on how long it would take a modern offline "brute force" attack (assuming 100 billion guesses per second) to break passwords of varying entropy:

Entropy (Bits)  | Strength Level | Max Crack Time (Estimated)
< 40 bits       | Very Weak      | Fraction of a second
40 - 64 bits    | Weak           | Minutes to Hours
64 - 80 bits    | Fair           | Months to Years
81 - 112 bits   | Strong         | Centuries to Millennia
128+ bits       | Excellent      | Billions of Years

Why "Correct Horse Battery Staple" Works

A famous comic from XKCD introduced the idea of "diceware" passwords—using multiple random words instead of one complex string. Because a common dictionary has thousands of words, picking just four random words (e.g., "correct horse battery staple") creates a password with huge entropy that is actually easy for a human to remember.

If you pick from a list of 7,776 words (the classic Diceware list), each word adds about 12.9 bits. A four-word phrase gives you ~52 bits of entropy. A six-word phrase gives you ~77 bits, which is much stronger than most "random" character strings people attempt to invent themselves.

Using a Random Password Generator

A good password generator uses a cryptographically secure random source (like the Web Crypto API) to pick each character from your chosen set. That gives you maximum entropy for the length you choose. Use our Password Generator to create long, random passwords — and store them in a password manager so you don’t have to remember them.
