Most password rules force you to use uppercase, lowercase, numbers, and symbols, presumably to make passwords harder to crack. But the math tells a different story: length matters more than complexity. A long simple passphrase beats a short complex password every time.

The entropy formula

Password strength is measured in bits of entropy — how much randomness it contains. The formula:

Entropy = length × log₂(character_set_size)

  • Lowercase only: 26 chars → log₂(26) = 4.7 bits per char
  • + uppercase: 52 chars → 5.7 bits per char
  • + digits: 62 chars → 5.95 bits per char
  • + symbols: 94 chars → 6.55 bits per char

Doubling the character set adds only 1 bit per character. Doubling the length doubles total entropy.

Worked examples

"P@ssw0rd!" (9 chars, all character types):

  • Length: 9
  • Bits per char: 6.55
  • Total entropy: 9 × 6.55 = 59 bits

"correcthorsebatterystaple" (25 chars, lowercase only):

  • Length: 25
  • Bits per char: 4.7
  • Total entropy: 25 × 4.7 = 117 bits

The simple-but-long passphrase has nearly 2× the entropy of the complex-but-short one. Crack times differ by a factor of 2^58 ≈ 2.9 × 10¹⁷.
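The two worked examples above, carried out in code. This is an added example, not part of the original article: it detects which character classes a password uses, applies the page's formula (length × log₂ of the character-set size), and computes the separate passphrase figure (words × log₂ of the dictionary size) used later on the page. The class sizes 26/26/10/32 are an assumption chosen so that all four classes sum to the 94 printable ASCII characters the page's table uses.

```python
import math
import string

# Character classes and their sizes (assumption: 26 + 26 + 10 + 32 = 94,
# matching the page's "+ symbols: 94 chars" row).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}


def charset_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def charset_entropy_bits(password: str) -> float:
    """Theoretical entropy: length x log2(character_set_size).

    This is the 'right' math from the page; it assumes every character was
    chosen uniformly at random from the detected set, which is exactly the
    assumption a human-chosen password like 'P@ssw0rd!' violates.
    """
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words drawn uniformly from a dictionary.

    For a passphrase the attacker is assumed to know the word list, so the
    unit of randomness is the word, not the letter.
    """
    return word_count * math.log2(dictionary_size)


def bits_per_char(size: int) -> float:
    """log2 of a character-set size: the per-character figure in the page's table."""
    return math.log2(size)


if __name__ == "__main__":
    # Demonstrates the page's table: doubling the set adds one bit per character.
    for size in (26, 52, 62, 94):
        print(f"{size:3d} chars -> {bits_per_char(size):.2f} bits per char")
    for pw in ("P@ssw0rd!", "correcthorsebatterystaple"):
        print(f"{pw!r}: {len(pw)} chars, charset {charset_size(pw)}, "
              f"{charset_entropy_bits(pw):.1f} bits")
    print(f"4 words from a 7,776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

Note the gap the output makes visible: treated as 25 random lowercase letters the passphrase scores about 117 bits, but treated as 4 words from a known 7,776-word list it scores about 52 bits. The second figure is the honest one whenever the attacker can guess that a word list was used, and it is still comfortably above the 59 bits of "P@ssw0rd!" once that password's predictable structure is discounted.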

Why complexity helps less than expected

The formula says complexity helps. But real attackers don't try every combination at random; they try common patterns first:

  • Dictionary words
  • Common substitutions (0 for o, @ for a)
  • Numbers added at the end
  • Capital first letter

So "P@ssw0rd!" is checked very early in any attacker's password list. Its theoretical 59 bits of entropy is in practice maybe 25 bits, because its structure is predictable.

"correcthorsebatterystaple" — four random words from a dictionary — escapes this entirely. An attacker who knows the word list still has to search every one of the 7,776⁴ possible 4-word combinations.

The XKCD passphrase

The webcomic XKCD popularized this exact insight (xkcd.com/936). The math:

  • 4 random words from a 7,776-word dictionary
  • Entropy: 4 × log₂(7776) = 4 × 12.93 = 51.7 bits
  • Crack time at 1 trillion guesses/sec: 51 years

Compare to "Tr0ub4dor&3":

  • Length 11, mixed character types: 11 × 6.5 = 71 bits theoretical
  • But with predictable patterns: ~28 bits practical
  • Crack time at 1 trillion guesses/sec: 3 days

Same difficulty to remember; passphrase is 1000× harder to crack.

Practical password rules

  1. Length first. Aim for 16+ characters. Each character beyond 12 is more valuable than any complexity addition.
  2. Random over predictable. Words chosen at random from a list of 5,000+ beat clever substitutions.
  3. Use a password manager. It generates 20+ character random strings, stores them, and autofills them. The single most effective security upgrade most people can make.
  4. Don't reuse passwords. A breach at one site shouldn't compromise others.
  5. Enable 2FA where available. Even a weak password is hard to exploit when a second factor is required.

The 8-character minimum is outdated

Many sites still enforce 8-character minimums with required complexity. This is bad security advice in 2026. Modern recommendations:

  • Minimum: 12 characters
  • Recommended: 16 characters
  • For sensitive accounts: 20+ characters with full character variety

NIST removed the "must include special characters" recommendation in 2017. Length matters more than character variety.

Online vs offline attacks

Different threat models, different math:

Online attack: attacker sends guesses to a login form. Throttled by rate limits, account lockouts, CAPTCHA. Maybe 100–10,000 guesses/sec.

Offline attack: attacker has the password hash (from a breach). Limited only by hardware. Modern GPUs do 10 billion+ MD5 guesses/sec, ~100 million bcrypt guesses/sec.

Online attacks: even moderate-strength passwords (60 bits) are practically uncrackable.

Offline attacks: weak passwords (40 bits) are crackable in hours. Need 80+ bits to be confident.

This is why 2FA matters — it makes online attacks the only path. With 2FA, even a weak password buys you serious protection.
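The online-versus-offline arithmetic above, as an added example that is not part of the original article. It takes an entropy figure in bits and the page's stated guess rates and reports how long exhausting the keyspace would take under each threat model. The guess rates are the page's own round numbers and are assumptions about attacker capability, not measurements; the duration formatter is a small helper written here.

```python
# Guess rates per second as stated on the page (assumed attacker capability).
RATES = {
    "online, throttled login form": 100,
    "online, no lockout": 10_000,
    "offline, bcrypt hashes": 100_000_000,
    "offline, MD5 hashes": 10_000_000_000,
}

# (unit name, seconds per unit), largest first.
UNITS = [
    ("years", 365.25 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def seconds_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every one of the 2^bits possibilities.

    The page compares full keyspaces (its 2^58 ratio), so this uses the full
    keyspace too; the expected time for a uniformly random secret is half this.
    """
    return 2 ** entropy_bits / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_table(entropy_bits: float) -> dict:
    """Seconds to crack under each threat model in RATES."""
    return {name: seconds_to_crack(entropy_bits, rate) for name, rate in RATES.items()}


if __name__ == "__main__":
    # 40 bits is the page's 'weak', 60 its 'moderate', 80 its 'confident' threshold.
    for bits in (40, 60, 80):
        print(f"{bits} bits:")
        for name, secs in crack_time_table(bits).items():
            print(f"  {name:30s} {human_duration(secs)}")
```

Running it shows the page's two rules of thumb falling out of the arithmetic: a 40-bit password survives a throttled login form for centuries but falls to offline bcrypt cracking in a few hours, and a 60-bit password is out of reach online at any of these rates while still being a matter of days against a fast hash. Every extra bit doubles every entry in the table, which is why the page treats length as the lever.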

Common passwords to absolutely avoid

The "10 most common passwords" lists from breach data include: 123456, password, qwerty, 12345678, 111111, 1234567, sunshine, qwerty123, admin, letmein. These are tried in seconds.

Substitutions don't help: "P@$$w0rd!" is on these lists too.

Avoid: dictionary words alone, names, dates, sports teams, sequential keyboard patterns, phone numbers.
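The "common patterns first" idea from the section on why complexity helps less than expected, and the blocklist advice in this section, combined into one added example that is not part of the original article. It is written from the verifier's side: before accepting a password, undo the substitutions an attacker's wordlist rules would undo (lowercase it, strip trailing digits and symbols, map 0→o, @→a and so on) and reject it if any resulting form is on a blocklist. The substitution map and the tiny blocklist are constructed here for illustration; the blocklist holds only the ten passwords quoted on this page, where a real deployment would use a breach-derived list with millions of entries.

```python
import re

# Constructed blocklist: the ten common passwords quoted on the page.
BLOCKLIST = {
    "123456", "password", "qwerty", "12345678", "111111",
    "1234567", "sunshine", "qwerty123", "admin", "letmein",
}

# Substitutions to undo (assumed set; the page names '0 for o' and '@ for a').
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
})


def strip_suffix(s: str) -> str:
    """Remove trailing digits and symbols: the page's 'numbers added at the end'."""
    return re.sub(r"[^a-z]+$", "", s)


def candidate_forms(password: str) -> set:
    """The normalised forms a rule-based cracker would try before the raw string.

    Lowercasing handles 'capital first letter'; translate() undoes the
    substitutions; strip_suffix() removes appended digits/symbols. Both orders
    of the last two steps are tried so 'P@ssw0rd!' and 'Password2024' reduce.
    """
    lower = password.lower()
    forms = {password, lower}
    forms.add(lower.translate(LEET))
    forms.add(strip_suffix(lower))
    forms.add(strip_suffix(lower).translate(LEET))
    forms.add(strip_suffix(lower.translate(LEET)))
    return forms


def is_predictable(password: str) -> bool:
    """True if any normalised form of the password is on the blocklist."""
    return any(form in BLOCKLIST for form in candidate_forms(password))


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "P@$$w0rd!", "Sunshine2024", "correcthorsebatterystaple"):
        print(f"{pw!r}: {'REJECT' if is_predictable(pw) else 'ok'}  forms={sorted(candidate_forms(pw))}")
```

This is the check NIST's current guidance asks verifiers to perform in place of composition rules: compare the candidate against known-compromised and commonly used values rather than counting character classes. "P@ssw0rd!" and "P@$$w0rd!" both reduce to "password" and are rejected; "correcthorsebatterystaple" reduces to itself and passes, because nothing in its structure is a rule away from a dictionary entry.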

The password manager argument

You can't remember 100 unique 20-character passwords. Nobody can. So either:

  1. Use the same password (or variations) on multiple sites — security risk.
  2. Use weak passwords you can remember — security risk.
  3. Use a password manager — generated unique passwords, auto-fill, no memorization needed.

Modern password managers (1Password, Bitwarden, Dashlane) are free or inexpensive for personal use and add seconds, not minutes, to your daily routine.

Estimate strength

Our password strength checker calculates entropy from length and character classes and shows expected crack times for both online and offline attacks. Useful for understanding what "strong password" actually means quantitatively.