Most password requirements focus on character types: uppercase, lowercase, numbers, symbols. These rules have been standard for so long that most people follow them automatically without questioning whether they're based on sound security math. Some of these requirements make sense. Some are actively counterproductive. The concept behind all of them is entropy, and understanding it will change how you think about passwords at a fundamental level.
What Password Entropy Measures
Entropy, borrowed from information theory, quantifies unpredictability. Applied to passwords, it tells you how many guesses an attacker must make before they can expect to find the correct one. Higher entropy means more guesses required. The unit is bits: each additional bit doubles the size of the search space.
The formula is: entropy = log2(C^L), where C is the number of possible characters in your character set and L is the password length.
A 10-character password using only lowercase letters has log2(26^10), which equals approximately 47.0 bits of entropy. A 10-character password using the full printable ASCII set (95 characters: lowercase, uppercase, digits, and common symbols) has log2(95^10), which equals approximately 65.7 bits. That 18.7-bit difference makes the second password roughly 2^18 -- about 262,000 times harder to crack -- coming entirely from the wider character set.
Understanding this formula helps you reason about password security without relying on whatever rules a particular site decides to enforce.
Photo by Why Password Length Usually Wins
Here is the result that tends to surprise people: a 16-character lowercase-only password has more entropy than a 10-character password using the full printable ASCII character set.
The comparison: - 16 lowercase letters: log2(26^16) equals approximately 75.4 bits - 10 mixed ASCII characters: log2(95^10) equals approximately 65.7 bits
Length wins by about 9.7 bits, which multiplies the search space by roughly 850. Adding a symbol requirement to an 8-character password buys you less protection than simply making the password three characters longer.
This is the core flaw in many standard password policies. "At least 8 characters, one uppercase, one number, one symbol" produces passwords like "Password1!" which satisfy the rules while following obvious patterns. Modern password cracking tools are built around exactly these patterns. They start with wordlists, apply known substitution rules (@ for a, 3 for e, 1 for l, ! at the end), and iterate through common structures before they even begin a pure brute-force search.
The reason length compounds so effectively is the exponential relationship in the formula. Each additional character multiplies the search space by C, the character set size. Each additional character type only adds a small number of new characters to the pool. At 12 characters, going from lowercase-only (26 chars) to mixed-case (52 chars) gives you log2(52^12) equals approximately 68.3 bits instead of 56.4. That 11.9-bit gain is real, but adding two more lowercase characters to the shorter version (14 characters total) gives you log2(26^14) equals approximately 65.9 bits -- almost the same result from a simpler approach.
The Role of Randomness
Entropy calculations assume the password was generated truly randomly from the stated character set. When that assumption holds, the formula is accurate. When it breaks down, effective entropy is often much lower than the calculation suggests.
Consider a password like "Tr0ub4dor&3". It satisfies most complexity requirements and has appeared in discussions of password security for years. It also appears in password cracking databases because it has a recognizable structure: an English word, systematic letter-to-number substitutions, punctuation appended at the end. An attacker who knows these structural patterns -- and modern cracking tools do -- does not need to exhaustively search all 2^65 combinations. They use targeted rules and find it much faster.
Dictionary attacks start with wordlists containing hundreds of millions of previously breached passwords and apply mutation rules systematically. Rule-based attacks can evaluate billions of pattern variants per second on consumer GPU hardware. These attacks exploit structure, not raw character set size. A structurally predictable password offers far lower practical security than its entropy bits suggest.
The defense is actual randomness. When a password is generated using crypto.getRandomValues() in modern browsers, there is no exploitable pattern. Each character is drawn from a uniform distribution with no dependency on the others. The entropy calculation applies accurately because the assumption it requires is actually satisfied.
"Entropy figures are useful for estimating brute-force resistance, but most modern account compromises do not start with brute force. Phishing, credential stuffing from past breaches, and malware intercept credentials before hashing enters the picture at all. A complete threat model has to account for all of those." - Dennis Traina, founder of 137Foundry
Crack Times and Hashing Algorithms
How entropy translates to actual time-to-crack depends heavily on factors outside the password itself. The most critical is how the site stores the password.
A site using MD5 to store password hashes exposes its users to attacks running at hundreds of billions of guesses per second on consumer GPU hardware. A 65-bit-entropy password falls in a matter of minutes in an offline attack against a stolen MD5 database. A site using bcrypt with a cost factor of 12 drops the attack rate to roughly 100,000 guesses per second on the same hardware. Against bcrypt-12, that same 65-bit-entropy password would take thousands of years to crack on average.
The Hashcat benchmark suite publishes real-world hash rates for every major algorithm on current hardware. The contrast is stark: MD5 at hundreds of billions of hashes per second versus bcrypt-12 at around 100,000. Six orders of magnitude separating two approaches to "storing a password." This is why security guidance consistently recommends bcrypt, Argon2, or scrypt with appropriate cost parameters.
Attack type also matters. Online attacks against a live login endpoint are rate-limited by the server -- most sites allow only a few hundred attempts per minute -- which makes brute-force against live logins impractical even for low-entropy passwords. Offline attacks against stolen hash databases face no such limits. The throughput difference between online and offline attacks spans roughly eight orders of magnitude.
Photo by Brett Sayles on Pexels
Passphrases and the Diceware Method
Passphrases trade character complexity for length, gaining entropy while improving memorability. This tradeoff is often more practical than it sounds.
The Diceware method generates passphrases by rolling physical dice to select words from a numbered list. A standard word list containing 7,776 entries gives approximately 12.9 bits of entropy per word (log2(7776) equals 12.9). Five words yields about 64.6 bits of entropy -- comparable to an 11-character random alphanumeric password, but far easier to remember and type correctly. Six words pushes above 77 bits, which is strong by any practical measure.
The Electronic Frontier Foundation published improved word lists in 2016 specifically for memorability. Their lists exclude confusable words, short words that are easy to mishear, and words that are awkward to type. The resulting passphrases are more usable and comparably strong to what users might otherwise choose.
The practical argument for passphrases centers on usability. A strong password written on a sticky note, stored in a browser without a master password, or reused across sites provides less real-world protection than its entropy suggests. A passphrase you can memorize and use uniquely per site provides protection the math actually predicts. Passphrases do not require a password manager to stay secure, though combining them with one is still the best approach.
Photo by fewmiracles . on Pexels
What Good Password Storage Looks Like
Understanding entropy also gives you a way to evaluate whether a service handles your passwords responsibly.
Warning signs that suggest poor implementation:
A maximum password length below 64 characters often means the password is stored in a fixed-length database column, which frequently signals shortcuts taken elsewhere in the security implementation. Password hashes have fixed length regardless of input length, so a length cap on passwords is not required by good architecture.
A site that emails your password back after registration is storing it in plaintext. Plaintext storage means any compromise of that database exposes every user's actual password, with no hashing to slow an attacker down.
Rejection of symbols or spaces typically means the password is running through systems that cannot handle those characters cleanly -- usually because they are being interpolated somewhere rather than treated as opaque strings.
NIST Special Publication 800-63B is the current authoritative standard for password handling. Their guidelines explicitly advise against mandatory character composition rules, finding that such requirements push users toward predictable patterns without improving security. NIST recommends accepting all printable ASCII characters up to at least 64 characters in length and checking submitted passwords against known-compromised password lists.
The OWASP Authentication Cheat Sheet translates similar principles into implementation specifics: use bcrypt, Argon2id, or scrypt with appropriate work factors; accept long passwords; implement breach-list checking. These are the standards your passwords depend on at every service you use.
Photo by Brett Sayles on Pexels
Applying the Entropy Framework
The practical conclusions from understanding entropy:
Use length as your primary lever. At 16 random alphanumeric characters, entropy exceeds 95 bits -- strong against any foreseeable offline attack with current hardware and algorithms. At 20 characters, entropy exceeds 119 bits. Both are effectively uncrackable by brute force.
Use a cryptographically random generator for all passwords that matter. Human-chosen passwords have structure that reduces effective entropy below what the formula predicts. A tool that uses crypto.getRandomValues() produces passwords where the math holds. EvvyTools includes a Password Generator that displays real-time entropy estimates, crack-time projections, and character set analysis as you configure each option -- a practical way to develop accurate intuition for what each setting costs an attacker.
Use a password manager. The main barrier to genuinely strong, unique passwords is memorability. Password managers eliminate that barrier. You need one strong master password -- ideally a long passphrase. The manager handles unique, strong credentials for everything else.
Remember what entropy does not cover. Brute-force resistance is only one component of account security. Phishing bypasses password strength entirely. Credential stuffing exploits reuse across sites. Session hijacking occurs after authentication succeeds. Multi-factor authentication, breach monitoring, and good operational security each address parts of the threat model that entropy calculations cannot reach.
For more utilities in the security and developer space, browse the EvvyTools tools directory. For related reading on tooling and the technical concepts behind it, the EvvyTools blog covers the full range of topics on the site.
