CyberCodeLab logo — neon green lab flask with terminal symbolCyberCodeLab
Entropy formula E = N x log2(R) on screen showing 16 characters from a 94-symbol set equals 104.8 bits — the math behind password strength

2026-06-27

How Strong Is Your Password? The Math Behind Password Strength

Password strength is measured in entropy bits — and length beats complexity every time. See the real cracking-time math, why Tr0ub4dor&3 fails, and what 16 random characters buys you.

"Use a strong password" is advice everyone gives and few explain. Strength is not a feeling — it is arithmetic, measured in bits of entropy, and the math produces one clear conclusion: length beats complexity, and randomness beats both.

Entropy: counting the guesses

A password's entropy is the number of equally-likely possibilities an attacker must search. The formula is simple: a password of length L drawn randomly from a character set of size N has L × log₂(N) bits of entropy. Each added bit doubles the work.

Character setSizeBits per character
Digits only103.32
lowercase264.70
Upper + lower525.70
Letters + digits625.95
+ symbols~946.55

Notice the punchline hiding in that table: going from letters-only to the full symbol set gains you less than 2 bits per character — adding two extra characters beats adding symbols to the whole password.

Real cracking times

Assume a serious offline attacker: a GPU rig testing 100 billion guesses per second against stolen fast hashes.

PasswordEntropyTime to exhaust
123456~20 bitsinstant
monkey2020~30 bits (pattern)instant
8 random chars, full set52 bits~13 hours
12 random chars79 bits~190 years
16 random chars105 bits~12 billion years
5-word passphrase~65 bits~100 days–years*

*Depends on wordlist size; 5 random words from a 7,776-word list = 64.6 bits.

The jump from 8 to 16 characters takes you from "an afternoon" to "past the heat death of anything relevant." That is why every serious guideline now says 16+.

Why Tr0ub4dor&3 fails and correct-horse wins

Humans making passwords "complex" follow predictable patterns: capital first, a→4 and o→0 swaps, ! or a year at the end. Cracking dictionaries encode all of these — so Tr0ub4dor&3 is effectively a dictionary word with well-known decorations, worth ~28 real bits, not the ~65 its character mix suggests.

Randomness has no pattern to exploit. Four to five random common words (staple-orbit-mango-cliff) are both stronger and typeable; sixteen random characters from a generator are stronger still.

What actually protects you

  1. Generate, don't invent — our Password Generator uses the Web Crypto API for true randomness, at any length up to 64.
  2. Unique per site — reuse converts one site's breach into a skeleton key. Check exposure with the Password Leak Checker.
  3. A password manager — makes 1 and 2 effortless; you memorise one strong passphrase.
  4. Two-factor authentication — the safety net when everything else fails. Setup guide: passwords & 2FA tutorial.

Frequently asked questions

Is a 16-character password really unbreakable? A random 16-character password against offline cracking — effectively yes (105 bits). But no length survives being phished, reused or leaked in plain text. Strength is necessary, not sufficient.

Are passphrases better than random characters? Per bit of entropy they are easier to remember and type. 5 random words ≈ 65 bits, fine for most uses; go 6-7 words for anything critical. The words must be randomly chosen — a song lyric is a dictionary entry.

Do password expiry rules help? Forced rotation produces predictable increments (Summer25!Summer26!). NIST guidance since 2017: drop scheduled expiry; change passwords when there is evidence of compromise.

Why do sites still cap passwords at 12 or 16 characters? Legacy systems and bad practice. A length cap (especially a low one) sometimes signals the site stores passwords improperly — treat it as a yellow flag.