The short answer
| Account type | Bits needed | Example (random chars from letters + digits, a 62-character alphabet) |
|---|---|---|
| Throwaway / low-value forum | ~50 | 9 chars (≈54 bits) |
| Most personal accounts | 80+ | 14 chars (≈83 bits) |
| Email, banking, password manager master | 128+ | 22 chars (≈131 bits) |
| Cryptographic keys, paranoid backup | 256+ | 43 chars (≈256 bits) |
These thresholds aren't arbitrary. A cracking rig making 50 billion guesses per second against a fast, unsalted hash gets through about 2^61 guesses in a year, so anything much under 60 bits should be treated as crackable once the hash database leaks. 80 bits is 2^19 (about half a million) times more work than that, so the same rig would need hundreds of thousands of years even against an MD5-hashed dump. 128 bits is comfortably beyond foreseeable hardware. 256 bits is what AES-256 keys provide and what serious cryptographic protocols target.
What "entropy" actually means here
For a password generated by picking characters uniformly at random from an alphabet of size A, the entropy in bits is:
bits = log₂(A) × length
Each character "earns" you log₂(A) bits. Note the condition: the formula only holds for passwords a generator produced. A human-chosen password of the same length and alphabet has far less entropy than the formula claims, because people pick words, dates and keyboard patterns, not uniform random characters. The common alphabets:
| Alphabet | Size | Bits per character |
|---|---|---|
| Digits only (0–9) | 10 | 3.32 |
| Lowercase only (a–z) | 26 | 4.70 |
| Lower + Upper (a–z, A–Z) | 52 | 5.70 |
| Lower + Upper + Digits | 62 | 5.95 |
| Lower + Upper + Digits + 24 symbols | 86 | 6.43 |
So a 16-character password using just lowercase letters has 16 × 4.70 ≈ 75 bits — not bad. Same length with mixed alphabet plus symbols: 16 × 6.43 ≈ 103 bits.
Why length beats complexity
Most users are taught to add complexity ("must contain a number, a symbol, an uppercase letter"). The math says length is far cheaper:
- Each extra character from a 62-character alphabet adds log₂(62) ≈ 5.95 bits.
- Adding 24 symbols to that alphabet (62 → 86) bumps each character from 5.95 to 6.43 bits, a 0.48-bit-per-character improvement. Summed over a 12-character password that is about 5.8 bits, roughly what a single extra character would have given you.
- The longer the password, the more the alphabet has to grow to keep up. At 14 characters, matching one extra character means growing the alphabet from 62 to about 84 (22 new symbols); matching two extra characters means growing it to about 112, which is 50 new symbols, more than the 33 non-alphanumeric characters that exist in printable ASCII.
In other words: going from 14 to 16 characters (+11.9 bits) buys more than any symbol set you could add to the alphabet. Length is doing the work; complexity is decoration.
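The arithmetic from the two sections above, as an added example (not code from the original page): it computes bits per character and total entropy for each alphabet, the length needed to reach a target, and the alphabet size that would be needed to match a given number of extra characters. The helper names are my own.

```python
import math

# Alphabet sizes from the table above.
ALPHABETS = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+24 symbols": 86,
}


def bits_per_char(alphabet_size: int) -> float:
    """Entropy earned by one character drawn uniformly from the alphabet."""
    return math.log2(alphabet_size)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """bits = log2(A) x length, valid only for uniformly random characters."""
    return bits_per_char(alphabet_size) * length


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length that reaches target_bits with this alphabet."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def alphabet_to_match(alphabet_size: int, length: int, extra_chars: int) -> int:
    """Alphabet size A' at which `length` characters carry as much entropy as
    `length + extra_chars` characters from the original alphabet A:

        length * log2(A') = (length + extra_chars) * log2(A)
        A' = A ** ((length + extra_chars) / length)
    """
    return math.ceil(alphabet_size ** ((length + extra_chars) / length))


def trade_off(alphabet_size: int = 62, length: int = 14, extra_chars: int = 2) -> dict:
    """Compare adding characters with growing the alphabet, for one starting point."""
    before = entropy_bits(alphabet_size, length)
    after = entropy_bits(alphabet_size, length + extra_chars)
    needed = alphabet_to_match(alphabet_size, length, extra_chars)
    return {
        "bits_before": round(before, 1),
        "bits_after": round(after, 1),
        "gain_bits": round(after - before, 1),
        "alphabet_needed": needed,
        "new_symbols_needed": needed - alphabet_size,
        # Printable ASCII has 95 characters: 62 alphanumerics plus 33 others.
        "feasible_with_printable_ascii": needed <= 95,
    }


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"{name:30s} A={size:3d}  {bits_per_char(size):.2f} bits/char  "
              f"80 bits needs {length_for_bits(size, 80):2d} chars, "
              f"128 bits needs {length_for_bits(size, 128):2d}")
    print(trade_off())
```

Run it and the default `trade_off()` reproduces the 14-to-16 comparison: +11.9 bits from length, versus an alphabet of 112 characters to get the same from complexity.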
What attackers actually do
Real attacks aren't pure brute force. The threat model has three tiers:
- Online guessing against a live login form, rate-limited to maybe 1,000 guesses/hour. Even a ~40-bit password (8 or 9 lowercase characters) survives here, because 2^39 guesses at that rate takes tens of thousands of years. The caveat: this tier only exists if the service actually rate-limits or locks out, and plenty don't.
- Offline cracking of a stolen password database. Against fast unsalted hashes (MD5, SHA-1) a single modern GPU manages tens of billions of guesses per second; against bcrypt at a low cost factor the same hardware manages only hundreds of thousands, and fewer still at the cost factors a site should actually use. You don't get to choose which one the site used, so this is where 80+ bits matters.
- Credential stuffing — attackers try username/password combos leaked from other sites. Your password strength is irrelevant; only uniqueness helps.
Tier 3 is responsible for most account compromises in practice. A unique 60-bit password is far safer than a reused 100-bit one. Use a password manager.
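To put numbers on the three tiers, here is an added example (not from the original page) that estimates expected cracking time from entropy and guess rate, inverts the formula to show how many bits a given rig exhausts in a year, and simulates credential stuffing on a constructed sample of leaked accounts. The guess rates are the rounded figures from the text, not benchmarks of any particular hardware, and the account data is made up.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Rounded guess rates for the three tiers, taken from the text above rather
# than from any specific benchmark; adjust them to your own threat model.
GUESS_RATES = {
    "online login form, rate-limited": 1_000 / 3600,   # ~1,000 guesses per hour
    "offline dump, fast unsalted hash (MD5/SHA-1)": 5e10,
    "offline dump, bcrypt": 1e6,
}


def expected_guesses(bits: float) -> float:
    """A uniform N-bit secret falls after 2^(N-1) guesses on average."""
    return 2 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time for a sustained guessing campaign."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def bits_within_budget(guesses_per_second: float, years: float) -> float:
    """Entropy an attacker at this rate can expect to exhaust in `years`
    (inverse of years_to_crack)."""
    return math.log2(guesses_per_second * years * SECONDS_PER_YEAR) + 1


def crack_time_table(bits_list=(40, 56, 64, 80, 128)) -> dict:
    """Years to crack for each (tier, entropy) pair."""
    return {
        tier: {bits: years_to_crack(bits, rate) for bits in bits_list}
        for tier, rate in GUESS_RATES.items()
    }


# Tier 3: credential stuffing. Constructed sample data, shown in plaintext
# (in practice the attacker has already cracked these from another site's dump).
LEAKED_FROM_SITE_A = {
    "alice": "Hp9#kz2Qx!vL7mRt3W",   # strong, but reused below
    "bob": "summer2019",
    "carol": "Dz4$tW8k",
}
SITE_B_ACCOUNTS = {
    "alice": "Hp9#kz2Qx!vL7mRt3W",   # same password: falls on the first try
    "bob": "xK3!qp",                 # weak but unique: survives stuffing
    "carol": "Dz4$tW8k-siteB",       # modified reuse: not a direct hit, but a
                                     # suffix rule on the leaked value finds it
}


def stuffing_hits(leaked: dict, target: dict) -> set:
    """Accounts on the target site that the leaked credentials open directly."""
    return {user for user, pw in leaked.items() if target.get(user) == pw}


if __name__ == "__main__":
    for tier, row in crack_time_table().items():
        print(tier)
        for bits, years in row.items():
            print(f"  {bits:3d} bits: {years:12.3g} years")
    print(f"bits exhausted in one year at 5e10/s: {bits_within_budget(5e10, 1):.1f}")
    print("stuffing hits:", stuffing_hits(LEAKED_FROM_SITE_A, SITE_B_ACCOUNTS))
```

The table makes the asymmetry visible: 56 bits lasts days against a fast hash but centuries against the rate-limited form, and alice's 100-bit-class password is the one that falls, because strength never entered into tier 3.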
Common myths
"Just add !@# at the end"
Cracking rule sets already include common suffixes. Appending "!" adds one character of length but nowhere near the 6.43 bits the formula promises: a single append rule covers it for every word in the attacker's dictionary, and if "!" is the only symbol you ever use, your "symbol" alphabet is really one character wide.
"Substitute letters with numbers (l33t sp34k)"
Cracking tools like hashcat and John the Ripper ship with leetspeak substitution rules and apply them to every word in the dictionary. P@ssw0rd! falls in seconds against any modern attack.
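To show why the two myths above fail, here is an added example (not code from the original page, and not hashcat's own code) that implements a small subset of hashcat's rule syntax and expands one dictionary word through a toy ruleset of case, leet and suffix rules. The rule functions used (`c`, `u`, `sXY`, `$X`, and so on) are real hashcat syntax; the interpreter, the ruleset and the dictionary-size figure are mine.

```python
import itertools
import math


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line written in a subset of hashcat/John rule syntax.

    The syntax is hashcat's; this interpreter is a toy written for this page.
    Supported functions:  :  no-op    l  lowercase    u  uppercase
      c  capitalise first letter, lowercase the rest    t  toggle case
      r  reverse    d  duplicate    sXY  replace every X with Y
      $X  append X    ^X  prepend X
    Functions in one line are separated by spaces, as in hashcat rule files.
    """
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "t":
            word = word.swapcase()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word * 2
        elif op == "s" and len(arg) == 2:
            word = word.replace(arg[0], arg[1])
        elif op == "$" and len(arg) == 1:
            word = word + arg
        elif op == "^" and len(arg) == 1:
            word = arg + word
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return word


# A small ruleset in the spirit of the leet and suffix rules every cracker ships.
# Every combination of one case rule, any subset of the leet substitutions and
# one suffix becomes a rule line, so one dictionary word yields len(RULES) guesses.
CASE_RULES = [":", "c", "u"]
LEET_SUBS = ["sa@", "se3", "si1", "so0"]
SUFFIXES = ["", "$!", "$1", "$1 $2 $3", "$2 $0 $2 $4", "$! $!"]

RULES = [
    " ".join([case, *subs, suffix]).strip()
    for case in CASE_RULES
    for n in range(len(LEET_SUBS) + 1)
    for subs in itertools.combinations(LEET_SUBS, n)
    for suffix in SUFFIXES
]


def candidates_for(word: str) -> set:
    """All guesses the ruleset derives from one dictionary word."""
    return {apply_rule(rule, word) for rule in RULES}


def effective_bits(dictionary_size: int, rule_count: int) -> float:
    """Entropy-equivalent of a dictionary-plus-rules attack: the attacker only
    has to cover dictionary_size * rule_count candidates."""
    return math.log2(dictionary_size * rule_count)


if __name__ == "__main__":
    print(apply_rule("c sa@ so0 $!", "password"))   # P@ssw0rd!
    guesses = candidates_for("password")
    print(len(RULES), "rules ->", len(guesses), "distinct guesses;",
          "P@ssw0rd! included:", "P@ssw0rd!" in guesses)
    # A 10-million-word list times these rules is still under 32 bits of work.
    print(f"{effective_bits(10_000_000, len(RULES)):.1f} bits")
```

The point is the last number: a 10-million-word list multiplied by a few hundred rules is about 2^31 candidates, which a GPU covers in well under a second against MD5. "P@ssw0rd!" looks like nine characters from an 86-symbol alphabet (58 bits) but is really one of those 2^31.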
"Long but memorable is better than random"
Only if you can remember it. The pattern that beats both is: random, long, in a password manager. You memorize the manager's master password (use a passphrase here, since you'll type it daily) and the manager generates everything else at 128+ bits.
Practical recommendation
- Use a password manager. 1Password, Bitwarden, KeePassXC, your browser's built-in. Pick one and commit to it.
- Generate every site's password at 80+ bits. The generator on this site shows live entropy as you slide the length and toggle alphabets — aim for the green band.
- Use 128+ bits for the master password on your password manager and the email account that controls password resets for everything else.
- Turn on 2FA wherever offered. A second factor turns most credential-stuffing attacks into a non-event.
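The recommendations above in code, as an added example (not the page's own generator and not from any of the password managers named): it computes the length needed for a target bit count and generates passwords with the `secrets` module, plus a diceware-style passphrase generator for the master password. The 24-symbol set and the 16-word sample list are my own stand-ins; the page does not say which symbols it counts, and the real EFF long list has 7,776 words.

```python
import math
import secrets
import string

# 24 example symbols, giving the 86-character alphabet from the table above.
# The page doesn't say which 24 it counts, so this particular set is an assumption.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
assert len(ALPHABET) == 86 and len(set(ALPHABET)) == 86

# Constructed stand-in for a diceware wordlist. The real EFF long list has 7776
# words (12.9 bits each); with 16 words each pick is worth only 4 bits.
SAMPLE_WORDS = ["apple", "river", "stone", "cloud", "maple", "tiger", "lemon", "frost",
                "amber", "coral", "delta", "ember", "flint", "grove", "harbor", "ivory"]
EFF_LONG_LIST_SIZE = 7776


def bits_per_pick(choices: int) -> float:
    """Entropy of one uniform choice among `choices` options."""
    return math.log2(choices)


def picks_for(target_bits: float, choices: int) -> int:
    """Smallest number of uniform picks that reaches target_bits."""
    return math.ceil(target_bits / bits_per_pick(choices))


def generate_password(target_bits: float = 80, alphabet: str = ALPHABET) -> tuple:
    """Uniformly random password with at least target_bits of entropy.

    secrets.choice draws from the OS CSPRNG without modulo bias; the random
    module must never be used for this."""
    n = picks_for(target_bits, len(alphabet))
    password = "".join(secrets.choice(alphabet) for _ in range(n))
    return password, n * bits_per_pick(len(alphabet))


def generate_passphrase(target_bits: float, wordlist: list, sep: str = " ") -> tuple:
    """Diceware-style passphrase. The entropy comes from the number of words and
    the list size only; which words came out carries none."""
    n = picks_for(target_bits, len(wordlist))
    words = [secrets.choice(wordlist) for _ in range(n)]
    return sep.join(words), n * bits_per_pick(len(wordlist))


def eff_words_needed(target_bits: float) -> int:
    """Words from the 7776-word EFF long list needed to reach target_bits."""
    return picks_for(target_bits, EFF_LONG_LIST_SIZE)


if __name__ == "__main__":
    for target in (80, 128):
        pw, bits = generate_password(target)
        print(f"{target:3d}+ bits: {pw}  ({len(pw)} chars, {bits:.1f} bits)")
    print("EFF words for a 128-bit master passphrase:", eff_words_needed(128),
          "| for 80 bits:", eff_words_needed(80))
    print(generate_passphrase(20, SAMPLE_WORDS))
```

Two things worth noticing: the generator never rejects or reshuffles output to satisfy a composition rule (doing so shrinks the space and biases the result), and the passphrase function only earns the advertised bits when the list is large and the picks are random, which is why a 128-bit master passphrase takes 10 EFF words rather than the 5 or 6 people usually settle for.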
Reference
- NIST SP 800-63B — current US guidance on authenticator strength. Explicitly drops "complexity" requirements in favor of length.
- EFF Diceware lists — for generating high-entropy passphrases via dice.
FAQ
What's a 'bit' of entropy?
One bit doubles the work an attacker has to do. A password with N bits of entropy is one of 2^N equally likely possibilities, so an attacker guessing in the best possible order needs about 2^(N-1) guesses on average to find it. 80 bits ≈ 1.2 × 10^24 possibilities, well beyond what any current attacker can do for a single account.
Is a 12-character random password enough?
It depends on the alphabet. 12 characters from a–z is about 56 bits: not enough for sensitive accounts. 12 characters from a–z, A–Z, 0–9 and the 24-symbol set above (86 characters) is about 77 bits: fine for most accounts but borderline for a password manager master. Length is the cheapest way to add bits; 14 characters from that same alphabet is about 90 bits.
Why do sites still require 'one uppercase, one number, one symbol'?
It's a leftover from the era of 6- to 8-character maximums (classic Unix crypt(3) silently ignored everything past the eighth character). When passwords had to be short, forcing more character classes was the only way to squeeze in more bits. With today's generous length limits and password manager generators, length alone gives more entropy than any complexity rule, and composition rules mostly steer humans toward the same predictable shape (capitalised word, digits, one symbol at the end). NIST SP 800-63B (the current US guidance) explicitly tells verifiers not to impose them.
Are passphrases stronger than random strings?
At equal entropy, neither is stronger; entropy is entropy. Passphrases (like 'correct horse battery staple') are easier to remember and type, but you need more characters to reach the same bit count: each word drawn from the 7,776-word EFF long list is worth log₂(7776) ≈ 12.9 bits, so a 6-word passphrase is about 77 bits, while a random 13-character password from the 86-character alphabet above is about 84 bits in less than half the length. Either way the entropy comes from the random selection, not from the words or characters themselves; a passphrase you composed yourself does not get 12.9 bits per word.
Does adding letters at the end help if my password got leaked?
If the leak contained the original password (plaintext or weak hash), no — attackers will append common suffixes when retrying. Generate a brand-new password instead. Reuse, even with modifications, is the single biggest factor in account takeover.