Password Entropy: What Makes a Password Strong
Photo by Unsplash on Unsplash
Table of Contents
What is password entropy?
> Quick answer: Password entropy measures how unpredictable a password is, expressed in bits. Each extra bit doubles the number of guesses an attacker needs, so more entropy means a harder crack. Entropy grows from two things: the size of the character set you draw from and, far more powerfully, the length of the password. That's why a long passphrase usually beats a short 'complex' one, and why a password generator that makes long random strings is the safest source.
Think of entropy as the size of the haystack an attacker has to search. A password with 40 bits of entropy means roughly a trillion possibilities; 60 bits means a quintillion. The attacker isn't guessing your specific password — they're grinding through the whole space of possibilities, so the bigger that space, the longer it takes. Everything about strong passwords comes back to making that space enormous.
Why does length beat complexity?
The math is why. Entropy scales with the character set size, but it scales with length as an exponent. Widening the character set — adding symbols and mixed case — multiplies the possibilities per character, which is a one-time boost. Adding a character multiplies the entire space again, and you can keep doing it. So going from 8 characters to 16 does far more than going from lowercase-only to 'lowercase plus uppercase plus digits plus symbols' at 8 characters.
This is the flaw in the old 'must contain an uppercase, a number, and a symbol' rules. They nudge people toward short passwords like `P@ss1!` that feel complex but sit in a small space attackers know well — the substitutions are predictable. A longer password from a bigger effective length crushes it, even if it looks plainer. Length is the lever that moves entropy the most, which is the single most useful thing to internalize here.
Are passphrases actually safer?
The key word is random. Picking four words yourself, from your own head, isn't random — people gravitate to common words and predictable patterns, which shrinks the real entropy well below the theoretical number. A passphrase is only strong if the words are chosen randomly from a large list, the way dice-based methods do it. A memorable sentence you invented is weaker than it looks.
So passphrases are genuinely safer than short complex passwords when they're built right, and they win on memorability, which matters because unmemorable passwords get reused or written on sticky notes. But for anything you don't need to type from memory — most logins, since a manager fills them — a long random string has even higher entropy per character. The best password is usually one you never see, generated at full length and stored, which is what a password generator plus a manager gets you.
Why is reuse worse than a weak password?
This is the mechanism behind credential-stuffing attacks. When a site gets breached, the leaked email-and-password pairs get tried automatically against every other popular service. A perfect password reused everywhere becomes a master key the moment any single site loses it, and sites lose them constantly. The strength of the password is irrelevant once the plaintext or a crackable hash is out.
Which is why the real rule is a unique password per site, and why length and randomness only matter alongside uniqueness. Sites should also be storing passwords hashed, not in plaintext — I covered what that means in how hashing works — but you can't control their security, only your own reuse. A unique high-entropy password per account, held in a manager, is the combination that actually holds up.
How do you make a genuinely strong password?
In practice that means not inventing passwords in your head at all for most accounts. Humans are bad random number generators — we lean on names, dates, keyboard patterns, and the predictable symbol substitutions those old rules taught us. Anything you can easily remember and type is, almost by definition, in a smaller and more guessable space than a machine-generated string.
So let a tool do the generating and a manager do the remembering. A password generator produces a long random string with real entropy in a click, and a password manager stores a different one for every site so you never reuse. Save your own memory for the two or three passwords you truly must type — your device login and your manager's master password — and make those long passphrases. That split is the whole strategy, and it beats any clever scheme you'd keep in your head.
What do modern password guidelines actually recommend?
The headline change is favoring length over forced complexity. NIST's digital identity guidelines recommend allowing long passwords and passphrases, and they back away from the old 'must contain an uppercase, number, and symbol' composition rules — the exact rules that pushed people toward weak, predictable passwords like `P@ssw0rd`. Length and randomness do the real work, so the guidance stopped mandating theater.
Two more shifts surprised me when I first read them. Forced periodic password changes — the 'reset every 90 days' policy everyone hates — are no longer recommended, because they just push people toward minor, guessable variations like adding a `1` at the end. And the guidelines call for checking new passwords against lists of known-breached passwords, which does far more good than any complexity rule, since a breached password is compromised no matter how many symbols it has.
The throughline is that good password policy now trusts entropy and breach-checking instead of arbitrary composition rules. If your job still forces quarterly resets and symbol requirements, that's an outdated policy, not a best practice. For your own accounts the modern advice is simple: long, unique, random, checked against breaches, and never rotated for no reason. Generate them long with a password generator and let a manager carry the load.
Frequently Asked Questions
What is password entropy?
It's a measure of how unpredictable a password is, in bits, where each extra bit doubles the guesses an attacker needs. It grows from the character set size and, more powerfully, the password length. A [password generator](/tools/password-generator) maximizes it with long random strings. More bits simply means a bigger haystack to search.
Is a longer password or a more complex one stronger?
Longer, in most cases. Length increases entropy as an exponent while adding symbols is a one-time multiplier, so extending a password does far more than sprinkling in special characters. A long password beats a short 'complex' one like `P@ss1!`.
Are passphrases safer than passwords?
Yes, when the words are chosen randomly from a large list — that builds high entropy while staying memorable. A passphrase you invent yourself is weaker, because human word choices are predictable and shrink the real entropy.
Why is reusing a strong password dangerous?
Because entropy only protects against guessing, not breaches. If one site leaks and you reused the password, attackers try it everywhere via credential stuffing, so a unique password per site matters more than raw strength.
How do I make a strong password?
Make it long, random, and unique per site. The easiest way is to let a [password generator](/tools/password-generator) create long random strings and a manager remember them, so you only memorize your device and manager passwords. And skip the old habits: forced resets and symbol requirements are outdated, so don't spend effort satisfying rules that no longer match how attackers work — length, uniqueness, and a breach check matter far more.
Try ToolsFuel
23+ free online tools for developers, designers, and everyone. No signup required.
Browse All Tools