Password Entropy: Why Longer Is Always Better

What Is Password Entropy?

Entropy is an information theory concept borrowed from physics. In the context of passwords, it measures unpredictability — how many guesses an attacker would need to crack your password, on average, if they knew your generation method.

Entropy is measured in bits. Each additional bit of entropy doubles the number of guesses required. This exponential relationship is what makes long passwords so much stronger than short ones.

The Entropy Formula

Entropy (bits) = log₂(charset_size) × password_length

Or equivalently:

Entropy (bits) = log₂(charset_size ^ password_length)

Character set sizes:

• Lowercase letters (a-z): 26 characters → log₂(26) ≈ 4.7 bits per character
• Lowercase + uppercase: 52 → 5.7 bits per character
• Alphanumeric: 62 → 5.95 bits per character
• Full ASCII printable (95 chars): log₂(95) ≈ 6.57 bits per character

Entropy Examples

Password type	Charset	Length	Entropy	Crack time (modern GPU)
Lowercase only	26	8	37.6 bits	Hours
Alphanumeric	62	8	47.6 bits	Days
Full ASCII	95	8	52.6 bits	Weeks
Full ASCII	95	12	78.9 bits	Centuries
Full ASCII	95	16	105.2 bits	Millions of years
Lowercase only	26	20	94.0 bits	Decades

The 20-character lowercase password is more secure than the 8-character complex password — and much easier to type.

How Cracking Works

Modern password cracking uses GPU clusters that can test billions to trillions of hashes per second.

For perspective (NTLM hashes on consumer hardware):

• RTX 4090 GPU: ~100 billion hashes/second
• 100-GPU cluster: ~10 trillion hashes/second

At 10 trillion/second:

• 8-char full ASCII (95⁸ = 6.6 × 10¹⁵): 7.6 days
• 12-char full ASCII (95¹²): 2,200 years
• 16-char full ASCII (95¹⁶): 2.3 billion years

One extra character at this length isn't adding days — it's adding millions of years.

Dictionary Attacks and Real-World Entropy

The entropy formula assumes passwords are chosen randomly from the charset. Humans don't choose randomly — they pick memorable patterns.

"P@ssw0rd" uses full ASCII characters (8 chars = 52.6 bits of theoretical entropy) but has effectively near-0 bits of practical entropy because it's in every cracker's top-10 list.

"Tr0ub4dor&3" (the example from XKCD) looks complex but follows a common substitution pattern. The actual entropy for a human-chosen "complex" password is typically 10-30 bits, not 50+.

This is why genuine randomness matters. Use a password generator, not your own creativity.

Rainbow Tables and Salted Hashes

A rainbow table is a precomputed lookup table mapping hash values back to their plaintext passwords. If a website stores MD5("password123") = 482c811da5d5b4bc6d497ffa98491e38, an attacker with a rainbow table instantly finds the password.

Salting defeats rainbow tables: before hashing, prepend a random unique string (the "salt") to the password. Now each password hash is unique even for identical passwords.

Modern systems use salted, slow hashing algorithms: bcrypt, Argon2, scrypt. Slow means it takes ~100ms to verify one password instead of nanoseconds — 100ms × 10 trillion guesses/second = 100ms in reality per guess, completely eliminating brute force.

NIST 2024 Password Guidelines

The National Institute of Standards and Technology updated its password guidelines in 2024 (NIST SP 800-63B):

What they recommend:

• Minimum 8 characters; ideally 15+ characters
• Maximum length of at least 64 characters
• Allow all printable ASCII and Unicode characters including spaces
• Check passwords against known breach databases
• Do NOT force periodic password changes (users just increment a number)
• Do NOT require specific character types (uppercase, number, symbol)

What they discourage:

• Arbitrary complexity rules that don't actually improve security
• Forced rotation schedules (90-day, 180-day resets)
• Security questions (knowledge-based authentication is weak)
• Password hints
• SMS-based 2FA (vulnerable to SIM swapping) — NIST allows it but prefers TOTP apps

The Passphrase Advantage

A random passphrase — several common words chosen randomly — offers:

• High entropy (each word from a 2,000-word list adds ~11 bits)
• Easy to remember
• Easy to type
• Harder to crack than short complex passwords

5 random words (4-letter average): ~1,200 possible characters typed Entropy: log₂(2000⁵) ≈ 54.8 bits — comparable to a 10-character random password

6 random words: ~73.1 bits — much stronger, still memorable.

Practical Advice

1. Use a password manager — Generate and store unique random passwords for every site
2. Master password should be a strong passphrase — 6+ random words you can memorize
3. Never reuse passwords — One breach shouldn't compromise multiple accounts
4. Enable 2FA everywhere — Especially email and financial accounts
5. Check breach databases — haveibeenpwned.com tells you if your email appeared in a breach

Use our Password Generator (uses cryptographic randomness) and Password Strength Checker to evaluate your passwords.