Security · April 21, 2026 · 9 min read

Password Strength Explained: What Actually Makes a Password Secure?

Learn the science behind password strength — entropy, character sets, length vs. complexity, and why your password manager matters more than you think.

DailyTools Editorial

The password strength meter on most websites is lying to you. That green bar doesn't measure how hard your password is to crack — it measures whether you hit the right character class checkboxes. A password that satisfies 'uppercase + lowercase + digit + symbol' can still be trivially cracked in seconds if it follows predictable patterns. Entropy is the actual measurement that matters.

Entropy: the one number that actually matters

Password entropy measures unpredictability in bits. A password with N bits of entropy requires an attacker to try up to 2^N combinations to guarantee a brute-force crack. Every additional bit doubles the search space. Add 10 bits and the attacker needs to try 1,024x as many guesses.

Entropy is calculated from two variables: the character set size (how many possible characters at each position) and the password length. Length has a disproportionate impact.

```text
Entropy (bits) = log2(character_set_size ^ password_length)
               = password_length × log2(character_set_size)

Character set sizes:
  Lowercase letters only (a-z):           26 characters
  Lowercase + uppercase (a-z, A-Z):       52 characters
  Letters + digits:                       62 characters
  Letters + digits + common symbols:      94 characters (printable ASCII)

Examples:
  8 chars, lowercase only:       8 × log2(26) =  8 × 4.70 ≈  37.6 bits (weak)
  8 chars, full ASCII:           8 × log2(94) =  8 × 6.55 ≈  52.4 bits (moderate)
  16 chars, full ASCII:         16 × log2(94) = 16 × 6.55 ≈ 104.8 bits (strong)
  4 random words (passphrase):   4 × log2(dictionary_size) ≈ 44 bits (2,048-word list) to 50-60 bits (larger lists)
```

Length wins. Complexity is mostly theater.

The entropy math is clear: adding one character to a password adds more bits than widening its character set by one more class. Complexity rules (upper, lower, digit, symbol) exist because they are easy to enforce at the input level, not because they are the most effective defense. Consider:

  • "P@ssw0rd!" — 9 characters, full symbol set — approximately 59 bits of theoretical entropy. But pattern-based substitutions (@ for a, 0 for o) are in every cracker's ruleset, so the real-world entropy is much lower.
  • "correcthorsebatterystaple" — 25 lowercase characters — approximately 117 bits if every character were chosen at random. Treated as what it is, four words drawn at random from a dictionary, its entropy is the passphrase figure from the table above (tens of bits, depending on dictionary size), which still leaves it far ahead of "P@ssw0rd!" once cracker rules are taken into account.
  • A 20-character lowercase random string — approximately 94 bits of entropy — is stronger than an 8-character password using every possible symbol.
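As an added example (not code from the DailyTools article), here is the entropy formula above turned into a small Python calculator. It reproduces the table's figures from a (length, pool size) pair, treats a passphrase as words drawn from a dictionary of a given size, converts bits into exhaustive-search time at a chosen guess rate, and works the "one more character vs. one more class" comparison. The pool sizes are the table's; the two word-list sizes (2,048 and 7,776 words) and the 10^10 guesses/second rate are the example's own inputs.

```python
import math

# Pool sizes from the article's table (printable ASCII counted as 94).
CHARSETS = {
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "letters+digits": 62,
    "printable_ascii": 94,
}

# Two representative word-list sizes (chosen for this example): a 2,048-word
# list gives 11 bits per word, a 7,776-word list about 12.9 bits per word.
WORDLISTS = {"2048-word list": 2048, "7776-word list": 7776}


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for a password whose every position is chosen uniformly
    at random from the pool: length * log2(charset_size)."""
    if length <= 0 or charset_size <= 1:
        return 0.0
    return length * math.log2(charset_size)


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Same formula with whole words as the symbols: n_words * log2(dictionary)."""
    return entropy_bits(n_words, dictionary_size)


def exhaustive_search_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds to try every one of the 2^bits candidates at the given rate.
    The expected time to hit the right one is half of this."""
    return 2.0 ** bits / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def extra_char_vs_extra_class(length: int, charset_size: int, bigger_charset: int):
    """Bits gained by appending one character versus bits gained by keeping the
    length and switching to a bigger pool (the 'length wins' comparison)."""
    base = entropy_bits(length, charset_size)
    return (entropy_bits(length + 1, charset_size) - base,
            entropy_bits(length, bigger_charset) - base)


if __name__ == "__main__":
    rate = 1e10  # guesses per second, the single-GPU MD5 figure the article quotes
    for length, pool in [(8, 26), (8, 94), (16, 94), (20, 26)]:
        bits = entropy_bits(length, pool)
        print(f"{length:2d} chars, pool {pool:2d}: {bits:6.1f} bits, "
              f"full search {humanize(exhaustive_search_seconds(bits, rate))}")
    for name, size in WORDLISTS.items():
        print(f" 4 words from {name}: {passphrase_bits(4, size):.1f} bits")
    more_char, more_class = extra_char_vs_extra_class(8, 62, 94)
    print(f"8 alnum chars: +1 char = +{more_char:.2f} bits, "
          f"+symbol class = +{more_class:.2f} bits")
```

Run as a script it prints the table. Two things worth noticing in the output: for an 8-character alphanumeric password, appending one character adds about 6 bits while adding the symbol class adds about 4.8, which is the "length wins" point (going from lowercase only to letters plus digits at length 8 adds about 10 bits, so the comparison is about the marginal class, not any class); and a 52-bit search at 10^10 guesses/second works out to 2^52 / 10^10 ≈ 4.5 × 10^5 seconds, about 5.2 days for the full keyspace and half that on average.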

NIST's Digital Identity Guidelines (SP 800-63B) now explicitly recommends prioritizing length over complexity rules. Minimum 8 characters (ideally 15+), allow up to 64, check against known breach lists, and drop the mandatory complexity requirements that train users to use predictable patterns like `Capital1!`.

How real attacks work (not how movies show them)

Theoretical entropy assumes uniform randomness. Real attacks don't work that way. If you have a hash of an 8-character 'random' password chosen by a human, it's usually cracked in minutes because humans aren't random.

  • Brute force: at 10 billion guesses/second (a single modern GPU on MD5), 52-bit entropy takes under 15 minutes on average. That's why slow password hashing algorithms like bcrypt exist.
  • Dictionary + rules: crackers don't guess randomly. They try dictionary words with known substitution rules — capitalize, add numbers, swap @ for a. 'P@ssw0rd1' is in every cracker's first million guesses.
  • Credential stuffing: username/password pairs from previous breaches, tried against other services. If you reuse passwords, one breach compromises every account.
  • Rainbow tables: pre-computed hash lookup tables, defeated by salting. This is why every modern password hashing library (bcrypt, Argon2) salts automatically.

What strength checkers actually measure (and what they miss)

Simple strength meters count character classes and length. That's why 'Aaaa1!' gets a medium score even though it's trivially guessable. Better checkers use zxcvbn (open-sourced by Dropbox in 2012), which actually estimates cracking time based on real attack patterns:

  • Checks against a large dictionary of common passwords and leaked credentials
  • Detects keyboard patterns (qwerty, asdf), repeats (aaaa), and sequences (1234)
  • Returns an estimated crack time — not a vague score — for different attack scenarios (online throttled vs. offline fast hash)
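Added example (not zxcvbn's code and not from the article): a miniature zxcvbn-style estimator in Python that scores a password by its cheapest attack rather than by character classes. It applies the checks listed above with a constructed ten-entry common-password list standing in for the real leaked-credential dictionaries, undoes the leet substitutions that cracker rule sets undo, and reports the guess count, a 0-4 score on zxcvbn's guess buckets, and crack times at the four guess rates zxcvbn uses for its scenarios. The matchers' cost formulas (x2 per variation, x10 per tail character, and so on) are simplified constructs for illustration, not zxcvbn's actual scoring.

```python
import math
import string

# Constructed stand-in for the large leaked-password lists a real checker such
# as zxcvbn ships with. Position in the list is the rank: the number of guesses
# a dictionary attack needs to reach that word.
COMMON_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "admin", "welcome", "dragon", "monkey", "football",
]
RANK = {word: i + 1 for i, word in enumerate(COMMON_PASSWORDS)}

# Substitutions that cracker rule sets (and therefore good checkers) undo.
LEET = {"@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "3": "e",
        "$": "s", "5": "s", "7": "t"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
KEY_COUNT = sum(len(row) for row in KEYBOARD_ROWS)

# Guess rates for the four attack scenarios zxcvbn reports crack times for.
SCENARIOS = {
    "online_throttled_100_per_hour": 100 / 3600,
    "online_unthrottled_10_per_second": 10.0,
    "offline_slow_hash_1e4_per_second": 1e4,
    "offline_fast_hash_1e10_per_second": 1e10,
}


def _pool_size(pw: str) -> int:
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += 32
    return size or 1


def brute_force_guesses(pw: str) -> float:
    """What a naive class-counting meter measures: pool ** length."""
    return float(_pool_size(pw)) ** len(pw)


def dictionary_guesses(pw: str) -> float:
    """A common word (after undoing leet and case) plus a tail of up to three
    characters. Constructed scoring: rank, x2 per variation, x10 per tail char."""
    normalized = "".join(LEET.get(c, c) for c in pw.lower())
    best = math.inf
    for word, rank in RANK.items():
        if not normalized.startswith(word) or len(pw) - len(word) > 3:
            continue
        head, tail = pw[:len(word)], pw[len(word):]
        guesses = rank
        if any(c in LEET for c in head):
            guesses *= 2
        if any(c.isupper() for c in head):
            guesses *= 2
        best = min(best, guesses * 10 ** len(tail))
    return best


def repeat_guesses(pw: str) -> float:
    """A run of one repeated character (case-insensitive) plus a short tail."""
    low, best, i = pw.lower(), math.inf, 0
    while i < len(low):
        j = i
        while j < len(low) and low[j] == low[i]:
            j += 1
        run, tail = j - i, len(low) - (j - i)
        if run >= 3 and tail <= 3:
            best = min(best, 94 * run * 10 ** tail)
        i = j
    return best


def sequence_guesses(pw: str) -> float:
    """abcd / 4321 style: each character is the previous one +1 or -1."""
    if len(pw) < 3:
        return math.inf
    deltas = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return 94 * 2 * len(pw) if deltas in ({1}, {-1}) else math.inf


def keyboard_guesses(pw: str) -> float:
    """A walk along one keyboard row, in either direction."""
    low = pw.lower()
    if len(low) < 3:
        return math.inf
    rows = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]
    return KEY_COUNT * 2 * len(pw) if any(low in row for row in rows) else math.inf


def estimate(pw: str) -> dict:
    """Weakest-link estimate: the cheapest matcher wins, as in zxcvbn."""
    guesses = min(brute_force_guesses(pw), dictionary_guesses(pw),
                  repeat_guesses(pw), sequence_guesses(pw), keyboard_guesses(pw))
    score = next((s for s, limit in enumerate((1e3, 1e6, 1e8, 1e10))
                  if guesses < limit), 4)
    return {
        "guesses": guesses,
        "score": score,  # 0..4, zxcvbn's buckets
        "crack_seconds": {name: guesses / rate for name, rate in SCENARIOS.items()},
    }


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Aaaa1!", "qwerty", "1234", "x7#Lq9!vRm2&Zp4w"]:
        result = estimate(candidate)
        offline = result["crack_seconds"]["offline_fast_hash_1e10_per_second"]
        print(f"{candidate:18} guesses={result['guesses']:.3g} "
              f"score={result['score']} offline-fast={offline:.3g}s")
```

"P@ssw0rd!" and "Aaaa1!" both clear a class-counting meter, yet they come out at 40 and 37,600 guesses here, while the brute-force estimate for the same strings is around 6 × 10^17 and 7 × 10^11; the gap between those two numbers is exactly what the green bar hides. The random 16-character string is the only candidate that reaches score 4, and it does so because no matcher beats the brute-force figure.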

What actually matters in practice

  • Use a password manager: Bitwarden, 1Password, or KeePassXC. It's the only realistic way to have a unique, random password for every service.
  • 16+ characters for new passwords: at 94 possible characters, 16 characters gives ~105 bits of entropy — well beyond what current hardware can crack offline in any reasonable timeframe.
  • Enable MFA everywhere: even a weak password becomes much harder to exploit when the attacker also needs your phone or TOTP app.
  • Never reuse passwords: your email password is especially critical — it controls password resets for everything else, making it the master key to your digital life.
  • Check haveibeenpwned.com: if your email appears in a known breach, rotate those passwords immediately.

Unpopular opinion: the single most impactful security upgrade for most people isn't a more complex password — it's a password manager and eliminating reuse. A unique mediocre password beats a strong password you use everywhere. Credential stuffing attacks are why.
