What entropy is and why it is measured in bits
Entropy is the mathematical way of stating how unpredictable your password is. It is measured in bits: each additional bit doubles the number of combinations an attacker would have to try. The formula we use is length × log₂(alphabet size), where the alphabet size sums the character classes present: lowercase contributes 26, uppercase another 26, digits 10 and common symbols 33. So a 12-character password mixing lowercase, uppercase and digits uses an alphabet of 62 and has about 71.5 bits of entropy.
Why length beats complexity
This is the most important and the most misunderstood concept. Entropy grows linearly with length but only logarithmically with alphabet size. In plain terms: adding one more character multiplies the search space by the whole alphabet, while adding a class of exotic symbols only adds a handful of bits. A 16-character all-lowercase password (about 75 bits) is stronger than an 8-character one with symbols, uppercase and numbers (about 52 bits). That is why the modern recommendation is length first, variety second.
Passphrases
The most practical way to have a long password a human can remember is a phrase made of several random words. Four or five unrelated words (like "correct-horse-battery-staple") comfortably clear 60 bits and are far easier to memorize than a jumble of symbols. The key is that the words are genuinely random — not a famous phrase or a quote: a dictionary of set phrases cracks those quickly.
Password managers
If you have to remember dozens of keys, sooner or later you will reuse one, and that is the most costly security mistake: when a site is breached, the attacker tries your key everywhere else. A password manager solves this by generating a unique, long, random password for each site and storing it encrypted. You only memorize one strong master password. It is the biggest security improvement you can make for the least effort.
How we estimate crack time
We assume an offline attacker who has already obtained your password hash and can try about 10 billion (10¹⁰) combinations per second — a realistic speed for modern GPUs against fast hashes. We divide half the combination space (the average needed to find the key) by that speed. The result is an order-of-magnitude estimate: it tells you whether your password falls in seconds, in years or in centuries, not an exact clock. Against a slow, well-salted hash (like bcrypt or Argon2), the real time would be vastly longer.
Reference: entropy and crack time
Approximate bands assuming 10¹⁰ guesses per second offline. Time is the average needed to find the key.
| Entropy | Rating | Estimated crack time |
|---|---|---|
| < 28 bits | Very weak | Instant |
| 28 – 35 bits | Weak | Seconds to minutes |
| 36 – 59 bits | Fair | Minutes to years |
| 60 – 127 bits | Strong | Centuries or more |
| ≥ 128 bits | Very strong | Practically unbreakable |