Password Strength Explained: Entropy, Crack Times & Best Practices
A deep dive into what makes passwords strong, how entropy works, and how modern attackers crack passwords -- so you can defend against them.
What Makes a Password Strong?
Password strength is not about memorizing arcane rules like "must include one uppercase letter, one number, and one special character." Those rules, still enforced by countless websites, were popularized in a 2003 NIST document that its own author later called a mistake. Real password strength comes down to one fundamental concept: entropy.
Entropy, borrowed from information theory, measures the amount of randomness or unpredictability in a password. The higher the entropy, the more guesses an attacker would need to try before stumbling upon the correct password. It is measured in bits, and every additional bit of entropy doubles the number of possible combinations an attacker must search through.
How Entropy Is Calculated
For a randomly generated password, entropy is straightforward to compute. The formula is:
Entropy Formula
Where L is the password length and R is the size of the character pool (the number of possible characters for each position).
For example, a 12-character password using lowercase letters only (26 characters) has entropy of 12 * log2(26) = 12 * 4.7 = 56.4 bits. The same length password using lowercase, uppercase, digits, and 32 symbols (94 characters) has entropy of 12 * log2(94) = 12 * 6.55 = 78.6 bits. That is a significant increase, but notice that simply increasing the length to 17 characters with lowercase only gives 17 * 4.7 = 79.9 bits -- exceeding the 94-character pool result. This illustrates a critical insight:length is more powerful than character diversity.
Character Pool Sizes
Understanding pool sizes helps you make informed decisions about password configuration:
- Digits only (0-9): 10 characters, 3.32 bits per character
- Lowercase only (a-z): 26 characters, 4.70 bits per character
- Lowercase + uppercase: 52 characters, 5.70 bits per character
- Alphanumeric (a-z, A-Z, 0-9): 62 characters, 5.95 bits per character
- Full printable ASCII: 94 characters, 6.55 bits per character
You can experiment with these calculations using our Password Generator, which displays real-time entropy as you adjust the configuration.
Why Length Beats Complexity
Many password policies require a mix of character types but impose short minimum lengths (often 8 characters). This approach is backwards. Consider these two passwords:
Length vs Complexity
The longer, simpler password has 43% more entropy despite using only lowercase letters. Each additional character multiplies the search space exponentially.
The math is clear: adding characters to a password increases its entropy linearly, while expanding the character pool only adds a logarithmic increase. Doubling the length doubles the entropy, but doubling the pool size only adds one bit per character. This is why security experts increasingly recommend long passphrases over short, complex passwords. For more on this approach, see our Diceware Passphrase Guide.
How Crack Time Estimates Work
Crack time is the estimated duration it would take an attacker to brute-force a password given a particular attack speed. The calculation divides the search space (2entropy) by the number of guesses per second, then divides by two to account for the average case (finding the password halfway through the search space).
Attack Speeds
Different attack scenarios operate at vastly different speeds:
- Online, rate-limited (1,000/sec): Web applications with lockouts and CAPTCHAs. The attacker is guessing passwords against a live login form that enforces delays after failed attempts.
- Online, unthrottled (10 billion/sec): Faster online attacks or distributed botnets targeting APIs without rate limiting.
- Offline, slow hash (10 billion/sec): Attacking bcrypt or Argon2 hashes with specialized hardware. These hashing algorithms are intentionally slow to compute.
- Offline, fast hash (1 trillion/sec): Attacking MD5 or SHA-1 hashes with GPUs. These algorithms are designed for speed, which makes them unsuitable for password storage. A modern GPU can compute billions of MD5 hashes per second.
Crack Time by Entropy
| Entropy (bits) | Online (1K/s) | Offline, fast hash (1T/s) |
|---|---|---|
| 40 bits | 17 years | 0.5 seconds |
| 60 bits | 18 million years | 6 days |
| 80 bits | 19 trillion years | 19 years |
| 100 bits | 20 quadrillion years | 20 million years |
| 128 bits | 5.4 * 10^27 years | 5.4 * 10^15 years |
For reference, the age of the universe is approximately 13.8 billion years (1.38 * 10^10).
The important takeaway is that even modest increases in entropy produce enormous increases in crack time. Going from 60 bits to 80 bits -- which only requires a few extra characters -- transforms a password from crackable in days to one that would take decades.
NIST Guidelines (SP 800-63B)
The National Institute of Standards and Technology (NIST) publishes password guidelines that are widely considered the gold standard. Their updated Special Publication 800-63B represents a significant shift from traditional password policies. Here are the key recommendations:
What NIST Recommends
- Minimum 8 characters, prefer 15+: NIST requires a minimum of 8 characters for user-chosen passwords but strongly encourages longer passwords. For machine-generated passwords and passphrases, they recommend even higher minimums.
- Maximum of at least 64 characters: Services should allow passwords of at least 64 characters. Artificially capping password length reduces security for no good reason.
- Allow all printable characters: Including spaces, Unicode, and emoji. Restricting character sets reduces the pool size and therefore reduces entropy.
- Screen against breached password databases: Check new passwords against known compromised passwords (like the Have I Been Pwned database). A password that appears in a breach list has zero effective entropy regardless of its theoretical strength.
- No mandatory rotation: Forced periodic password changes lead to weaker passwords (users pick predictable patterns like "Password1!", "Password2!", etc.). Change passwords only when there is evidence of compromise.
What NIST Discourages
- No composition rules: Do not require specific character types (uppercase, numbers, symbols). These rules cause users to pick passwords like "P@ssword1" -- predictable and weak despite meeting the rules.
- No security questions: Knowledge-based authentication is inherently weak because the answers are often guessable or publicly available.
- No password hints: Hints stored in plaintext effectively leak information about the password.
Common Password Attacks
Understanding how attackers crack passwords helps you appreciate why entropy matters:
Brute Force
The simplest attack: try every possible combination. Against a truly random password, this is the only viable approach, and its effectiveness is directly determined by the password's entropy. Modern GPUs can compute trillions of hash attempts per second for fast algorithms like MD5, making short passwords vulnerable regardless of complexity.
Dictionary Attacks
Instead of trying all combinations, the attacker tries common words and phrases. This is why passwords based on single dictionary words (even with simple substitutions like "p@ssw0rd") are weak. Attackers maintain massive wordlists and rule sets that account for common substitutions, appended numbers, and capitalization patterns.
Credential Stuffing
When a service is breached, the leaked passwords are tested against other services. Because many people reuse passwords, this attack is devastatingly effective. The only defense is to never reuse passwords across services -- which is why password managers and generators like our Password Generator are essential tools.
Rainbow Tables
Precomputed tables mapping hashes to passwords. If a service stores passwords as unsalted hashes (which no modern service should do), an attacker can look up the hash in a rainbow table and instantly recover the password. Salting eliminates this attack vector entirely. For more on how hashing protects passwords, see our article on what hashing is.
Practical Recommendations
Based on current threat models and NIST guidance, here is what we recommend:
- Use a password manager: Generate a unique, random password for every service. You only need to remember one master password (or passphrase).
- Aim for 80+ bits of entropy: This provides a comfortable security margin against even offline attacks with current hardware. A 16-character random password with mixed character types achieves this easily.
- Consider passphrases for memorable passwords: A 5-word Diceware passphrase provides approximately 64 bits of entropy and is far easier to type and remember than a random string. Six words gives approximately 77 bits. See ourDiceware Guide for details.
- Enable two-factor authentication (2FA): Even the strongest password is vulnerable to phishing. 2FA adds a second layer that significantly raises the bar for attackers.
- Use unique passwords for every service: Credential stuffing makes password reuse extremely dangerous. A breach at one service should not compromise all your other accounts.
Try It Yourself
The best way to internalize these concepts is to experiment. Use our Password Generator to create passwords with different configurations and watch how the entropy and crack time estimates change. Try a short complex password versus a long simple one. Generate a passphrase and compare its entropy to a random string of the same length. The numbers will speak for themselves.
Further Reading
- NIST SP 800-63B — Digital Identity Guidelines
NIST authentication standards including password length and composition rules.
- OWASP Password Storage Cheat Sheet
OWASP best practices for hashing and storing passwords securely.
- Have I Been Pwned
Check if passwords or accounts have been exposed in data breaches.