What actually makes a password strong: entropy, length, and why the old rules were wrong
The complexity rules everyone was taught optimized for the wrong thing. Here's how password strength really works, measured in bits.
For twenty years, the internet trained us to make passwords like P@ssw0rd! —
throw in an uppercase letter, a number, a symbol, and you're safe. It turns out
that advice was optimizing for the wrong thing, and in 2017 the U.S. National
Institute of Standards and Technology (NIST) formally reversed much of it. The
person who wrote the original complexity guidelines has publicly said he regrets
them.
So what actually makes a password strong? The answer is a single concept — entropy — and once you understand it, the modern guidance (favor length, drop forced complexity, ban reuse) follows naturally.
Entropy: strength measured in bits
Password strength isn't about looking complicated to a human. It's about how many guesses an attacker needs to find it. That quantity is measured in bits of entropy, where each bit doubles the number of possibilities.
The formula for a randomly generated password is:
entropy (bits) = length × log2(size of character set)
The size of the character set — the "alphabet" — depends on what characters are possible:
| Character set | Size | Bits per character |
|---|---|---|
| Digits only (0–9) | 10 | ~3.3 |
| Lowercase letters | 26 | ~4.7 |
| Lower + uppercase | 52 | ~5.7 |
| Letters + digits | 62 | ~5.95 |
| + common symbols | ~95 | ~6.6 |
Multiply bits-per-character by length and you get total entropy. A 12-character password from the full 95-character set carries about 12 × 6.6 ≈ 79 bits. As a rough industry benchmark: under ~40 bits is weak, 60–80 bits is solid for most accounts, and 100+ bits is effectively uncrackable by brute force with any foreseeable technology.
Why length beats complexity
Look at the formula again. Character-set size is inside a logarithm — it grows slowly. Length is a straight multiplier — it grows linearly. That asymmetry is the whole argument.
Compare two passwords:
P@ssw0rd!— 9 characters, full symbol set. Feels "complex." About 59 bits at most — and far less in reality, because it's a dictionary word with predictable substitutions an attacker's cracking rules try first.correct horse battery staple— four random common words. Only lowercase and spaces, but ~28 characters. Roughly 44+ bits of genuine entropy, and it's actually easy to remember.
Add one more random word to the passphrase and you sail past the complex-looking password — because each additional word adds ~11 bits, while cramming another symbol into a short password adds almost nothing. A long passphrase beats a short complex string, and it's easier to remember. That's the modern recommendation in one sentence.
The catch: entropy only counts if it's random
Here's the trap in the math. The entropy formula assumes every character (or word) was chosen randomly and independently. Human-chosen passwords are the opposite — they're deeply patterned:
- We start with a dictionary word.
- We capitalize the first letter.
- We put the number and symbol at the end.
- We substitute
a→@,o→0,s→$— substitutions every cracking tool knows.
So P@ssw0rd! has a theoretical entropy of ~59 bits but an effective entropy
far lower, because a smart attacker doesn't brute-force character by character —
they try dictionary words, known leaked passwords, and predictable mutations
first. This is why "my password has a symbol so it's strong" is false. Entropy
you can compute only exists if the password was actually generated randomly.
Which leads to the single most important practical point.
Generate, don't invent
Humans are terrible random number generators. We reuse, we pattern, we pick things that are memorable because they're predictable. The reliable way to get a password with real entropy is to have a machine generate it:
- For passwords you'll store in a manager and never type: a long random string from the full character set — 16+ characters gets you 100+ bits.
- For passwords you must memorize: a random passphrase of 4–6 words picked by a tool, not by you (you'll unconsciously pick related words, which reduces entropy).
A Password Generator that runs entirely in your browser produces genuinely random strings without sending anything over the network — and because you can dial the length and character set, you can see directly how each extra character pushes the entropy up. Generate it, drop it in a password manager, and you never need to memorize or reuse it.
The rules that actually matter now
Modern guidance (NIST SP 800-63B and the consensus that followed) boils down to:
- Favor length over complexity. A long passphrase beats a short scramble. Allow — encourage — passwords up to at least 64 characters.
- Drop forced composition rules. Mandating "1 upper, 1 number, 1 symbol"
mostly produces predictable patterns (
Password1!) without adding real entropy. Length is the lever. - Never reuse passwords. This is arguably more important than strength. When one site is breached, attackers replay those credentials everywhere ("credential stuffing"). A unique password per site means one breach stays contained. This is the case for a password manager.
- Check against known-breached passwords. A password that's appeared in a prior breach has effectively zero entropy no matter how it looks, because it's already on every attacker's list.
- Stop forcing periodic rotation. Mandatory 90-day changes just push people
toward
Spring2026!→Summer2026!. Change a password when there's evidence of compromise, not on a calendar. - Turn on multi-factor authentication. Even a perfect password can be phished or leaked. A second factor means a stolen password alone isn't enough — it's the highest-leverage security step you can take.
The takeaway
Password strength is entropy — bits of genuine unpredictability — and entropy
comes from length and randomness, not from cramming in symbols. The old
complexity rules optimized for looking complicated to humans while staying
predictable to cracking tools. Generate long, random passwords or passphrases with
a tool rather than inventing them, use a unique one per site, and back the whole
thing with multi-factor authentication. Do that and you've beaten the vast majority
of real-world attacks — with passwords that are, ironically, easier to live with
than P@ssw0rd! ever was.