A password's real strength is measured in bits of entropy, a logarithmic measure of how many guesses an attacker would need to find it: a password with n bits of entropy takes up to 2^n guesses. Each extra bit doubles that number, and for a truly random password, length raises entropy far faster than swapping in a few symbols. Aim for at least 75 bits to resist modern offline cracking.
Entropy only counts when the password is actually random. A password built from a dictionary word, a name, or a keyboard pattern has far less effective entropy than its length suggests, because attackers guess those first.
How entropy is calculated
For a randomly generated password, entropy in bits is the length multiplied by the bits each character contributes, where each character adds log2(pool size) bits:
| Character pool | Size | Bits per character |
|---|---|---|
| Digits only | 10 | 3.32 |
| Lowercase letters | 26 | 4.70 |
| Upper and lowercase | 52 | 5.70 |
| Letters and digits | 62 | 5.95 |
| Letters, digits, symbols | 95 | 6.57 |
So an 8-character password drawn from the full 95-character set carries about 8 times 6.57, or roughly 53 bits.
Why length beats complexity
Adding length multiplies entropy; adding one symbol only nudges it. Compare these randomly generated options:
| Password style | Length | Approx. entropy |
|---|---|---|
| Lowercase only | 8 | 38 bits |
| Letters, digits, symbols | 8 | 53 bits |
| Letters, digits, symbols | 12 | 79 bits |
| Letters, digits, symbols | 16 | 105 bits |
| 4 random words (passphrase) | 4 words | 52 bits |
| 6 random words (passphrase) | 6 words | 78 bits |
A six-word random passphrase reaches about 78 bits, matching a 12-character symbol-heavy password, and it is far easier to remember. This is why a long passphrase usually beats a short, complex string.
How many bits do you need?
Modern hardware can attempt billions of guesses per second against a stolen password hash. As a practical guide:
- Under 40 bits: weak. Crackable quickly. Fine only for throwaway accounts.
- 60 to 75 bits: reasonable for most accounts behind rate limiting.
- 75 to 100 bits: strong. The target for important accounts and anything protecting other data.
- Over 100 bits: very strong, suitable for password-manager master passwords and encryption keys.
This matches modern guidance. NIST's SP 800-63B password rules now favor length over forced complexity, recommend allowing long passphrases, and advise against arbitrary composition rules and periodic resets, which tend to push people toward predictable patterns.
Generate one that actually hits the target
The reliable way to get high entropy is to let a tool pick characters at random rather than inventing a password yourself. Our password generator builds random passwords with a live strength meter, so you can dial length and character set until the entropy lands where you want it. For raw randomness in a custom range, the random number generator helps too.
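As an added example (not code from this page or its generator), the Python sketch below applies the formula from the tables: it works out the shortest length that reaches a target entropy for a given pool, then draws that many characters from the operating system's CSPRNG. The function names and the 7776-word list size used for the passphrase line are assumptions made for illustration.

```python
import math
import secrets
import string

# Full printable-ASCII pool: 94 visible characters plus space = 95, as in the table.
FULL_POOL = string.ascii_letters + string.digits + string.punctuation + " "


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` symbols."""
    return length * math.log2(pool_size)


def min_length(pool_size: int, target_bits: float) -> int:
    """Smallest number of picks whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate(pool: str, target_bits: float) -> str:
    """Random password from `pool`, just long enough to reach target_bits."""
    if len(pool) < 2 or len(set(pool)) != len(pool):
        # Duplicates would bias the draw and overstate the entropy.
        raise ValueError("pool must hold at least two distinct characters")
    n = min_length(len(pool), target_bits)
    # secrets draws from the OS CSPRNG; the random module is not suitable here.
    return "".join(secrets.choice(pool) for _ in range(n))


if __name__ == "__main__":
    pools = [("lowercase", string.ascii_lowercase), ("full set", FULL_POOL)]
    for name, pool in pools:
        pw = generate(pool, 75)
        bits = entropy_bits(len(pool), len(pw))
        print(f"{name:10} {len(pw):2} chars {bits:6.1f} bits  {pw!r}")
    # Assumption: a 7776-word Diceware-style list (about 12.9 bits per word).
    print("passphrase words for 75 bits:", min_length(7776, 75))
```

The entropy figure only holds because every character is an independent, uniform draw; editing the output by hand to make it memorable lowers it.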