Most people choose passwords the same way: pick something memorable, capitalize the first letter, add a number at the end, and maybe substitute an @ for an "a" to satisfy the complexity requirement. The result feels reasonably secure. In reality, that password — and millions of similar ones — can be cracked in seconds on modern hardware. Password security is not about memorability or complexity tricks. It's about a mathematical property called entropy: the number of possible combinations an attacker must work through to find your password. Understanding entropy explains why every conventional piece of password advice you've received is wrong, and what actually works.
- Entropy measures password strength as log₂(possible combinations). Each additional bit of entropy doubles the number of guesses required — 50 bits means roughly 1 quadrillion combinations.
- Length beats complexity: a 16-character lowercase password has ~75 bits of entropy vs ~52 bits for an 8-character password using all character types — making it roughly 16,000× harder to crack despite being simpler.
- Passphrases work: 4–5 random words from Diceware's 7,776-word list (e.g., "purple elephant morning coffee") produce 51–65 bits of entropy and are genuinely memorizable.
- A password manager is the real solution — generate 20–30-character random passwords, store them encrypted, and only remember one strong master password. Bitwarden is free and open-source.
- Enable app-based 2FA (Google Authenticator, Authy) on every important account. Even if your password leaks, the attacker still needs your physical device.
- NIST 2024 guidance prioritizes length over complexity and recommends screening passwords against known-breached lists rather than forcing periodic rotation.
Why Passwords Get Cracked
Data breaches happen constantly, and when they do, the stolen data typically includes hashed passwords — the result of running each password through a one-way mathematical function. A good hash is irreversible in theory, but attackers don't need to reverse it: they generate candidate passwords, hash each one, and compare it to the stolen hashes. If it matches, the password is cracked.
Modern GPU clusters can test billions of candidate passwords per second against stolen hashes. This shifts the problem entirely from "can you guess the password" to "how many candidates must you try before you hit it." There are three main attack strategies:
- Dictionary attack: Testing every word in known wordlists, plus common variations (capitalization, number suffixes, l33t substitutions). Passwords like "password1", "Summer2024!", and "p@ssw0rd" are in every dictionary because millions of people use them.
- Brute force: Systematically trying every possible combination within a defined character set and length range. Fast for short passwords, computationally infeasible for long ones.
- Credential stuffing: Using username/password pairs leaked from one breach to attempt login on other sites. If you reuse passwords, a breach on a low-security site compromises your banking, email, and everything else.
Understanding Password Entropy
Entropy quantifies uncertainty — specifically, how many bits of information are needed to represent the space of possible passwords. The formula is:
Entropy (bits) = log₂(character set size ^ password length) = length × log₂(character set size)
Each bit of entropy doubles the number of possible passwords. At 50 bits, there are 2⁵⁰ ≈ 1 quadrillion possible passwords. At 60 bits: 1 quintillion. At 70 bits: 1 sextillion. The key insight is that entropy grows linearly with length but only logarithmically with character set size — which is why adding one more character to a password is almost always more valuable than expanding the character set.
Why Length Beats Complexity
The comparison that settles the debate: a password using all 94 printable ASCII characters (uppercase, lowercase, digits, symbols) at 8 characters has 94⁸ ≈ 6.1 × 10¹⁵ combinations — about 52 bits of entropy. A 16-character password using only lowercase letters (26 characters) has 26¹⁶ ≈ 4.4 × 10²² combinations — about 75 bits of entropy. The 16-character lowercase password is approximately 16,000 times harder to brute force, despite being far simpler — no uppercase, no symbols, no numbers.
The reason password complexity requirements persist is historical: they were designed to prevent the weakest possible passwords (dictionary words, all lowercase) and were codified before GPU cracking at scale existed. NIST's 2024 digital identity guidelines explicitly recommend moving away from complexity requirements in favor of minimum length requirements and screening against known-breached password lists.
What Makes Passwords Weak
Even technically "complex" passwords can be trivially cracked if they follow predictable patterns. The properties that make passwords weak:
- Dictionary words: Any single word from any language is immediately exhausted in a dictionary attack, regardless of its length.
- L33t substitutions: "p@ssw0rd", "s3cur1ty", "m@nager" — these transformations are so common they're explicitly included in attack wordlists. They add essentially no entropy because attackers expect them.
- Keyboard patterns: "qwerty", "123456", "qwerty123", "zxcvbn" — all are in every wordlist because millions of people use adjacent keys as a shortcut.
- Personal information: Birthdates, names of pets, children, or partners, street addresses, graduation years. This information is often findable through social media, and targeted attacks specifically exploit it.
- Short length: Any password under 12 characters is increasingly at risk as hardware improves. 8-character passwords are routinely cracked in hours to weeks.
- Reuse across sites: A password that's technically strong but used on 15 sites is effectively as weak as the least-secure site in that set.
Passphrases: Long, Random, and Memorable
A practical approach that solves the memorability problem without sacrificing security is the Diceware passphrase. The Diceware method uses a list of 7,776 words (6⁵ — chosen with five dice rolls). To generate a passphrase, you roll dice to randomly select 4–5 words from the list.
Four random Diceware words: 7,776⁴ ≈ 3.6 × 10¹⁵ combinations ≈ 51.7 bits of entropy. Five words: 7,776⁵ ≈ 2.8 × 10¹⁹ ≈ 64.6 bits. A passphrase like "purple-elephant-morning-coffee" is genuinely hard to brute-force, far longer than most passwords, and — critically — memorizable. You can build a mental image or short story from the words. The randomness is the security, not the obscurity of the words themselves.
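The Diceware procedure above, as an added example that is not part of the original article: each word is chosen by five simulated dice rolls drawn from the operating system's cryptographic random source (`secrets`), and the entropy of the result is n × log₂(7,776). The 7,776-entry wordlist here is a constructed placeholder keyed by dice string "11111".."66666" so the script runs offline; a real Diceware list is loaded from its text file in the same shape.

```python
import math
import secrets

# Constructed stand-in for the real 7,776-word Diceware list (6^5 entries,
# keyed by a five-digit dice string "11111".."66666"). The placeholder words
# exist only so this example runs offline; the real list is read from a file.
def build_placeholder_wordlist():
    words = {}
    for i in range(6 ** 5):
        key = ""
        n = i
        for _ in range(5):          # write i in base 6, digits 1..6
            key = str(n % 6 + 1) + key
            n //= 6
        words[key] = f"word{i:04d}"
    return words


def roll_key():
    """Five fair dice rolls from a CSPRNG (never random.random())."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(wordlist, n_words=5, sep="-"):
    """Pick n_words words by independent dice rolls and join them."""
    return sep.join(wordlist[roll_key()] for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """n independent uniform picks from N words carry n * log2(N) bits."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    wl = build_placeholder_wordlist()
    print("passphrase:", diceware_passphrase(wl, 5))
    for n in (4, 5, 6):
        print(f"{n} words: {passphrase_entropy_bits(len(wl), n):.1f} bits")
```

The security comes entirely from the uniform random choice of each word; substituting a word you prefer, or rerolling until the phrase "looks good", lowers the entropy below what the formula reports.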
Password Strength by Configuration
| Configuration | Combinations | Entropy | Approx. Crack Time* |
|---|---|---|---|
| 8 chars, lowercase only | 2.1 × 10¹¹ | 37.6 bits | Minutes |
| 8 chars, all types (94) | 6.1 × 10¹⁵ | 52.4 bits | Weeks |
| 12 chars, lowercase | 9.5 × 10¹⁶ | 56.5 bits | Months |
| 16 chars, lowercase | 4.4 × 10²² | 75.3 bits | Millions of years |
| 16 chars, all types | 3.7 × 10³¹ | 104.9 bits | Far beyond feasible |
| 4 random Diceware words | 3.6 × 10¹⁵ | 51.7 bits | Weeks–months |
| 5 random Diceware words | 2.8 × 10¹⁹ | 64.6 bits | Centuries |
*At 10 billion guesses/second (high-end consumer GPU). Cloud-scale attacks can be faster for high-value targets.
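The entropy formula, the length-versus-complexity comparison, and the table above can be reproduced with a short calculator. This is an added example, not code from the article: it applies length × log₂(character set size) to each configuration in the table, converts the combination count to a crack time at the footnote's 10 billion guesses per second (worst case, every candidate tried), and computes the 16-lowercase versus 8-all-types ratio directly from the combination counts. The `CONFIGS` list and the time formatting are choices made here.

```python
import math

GUESSES_PER_SECOND = 10_000_000_000  # the rate assumed by the table footnote


def entropy_bits(charset_size, length):
    """length * log2(charset_size), the formula given in the text."""
    return length * math.log2(charset_size)


def combinations(charset_size, length):
    return charset_size ** length


def crack_seconds(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: every combination is tried at the given rate."""
    return combinations(charset_size, length) / rate


def human_time(seconds):
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def strength_ratio(a, b):
    """How many times more guesses configuration a needs than b; each is (charset, length)."""
    return combinations(*a) / combinations(*b)


# (label, character set size, length); Diceware rows use the 7,776-word list as the "alphabet"
CONFIGS = [
    ("8 chars, lowercase only", 26, 8),
    ("8 chars, all types (94)", 94, 8),
    ("12 chars, lowercase", 26, 12),
    ("16 chars, lowercase", 26, 16),
    ("16 chars, all types", 94, 16),
    ("4 random Diceware words", 7776, 4),
    ("5 random Diceware words", 7776, 5),
]

if __name__ == "__main__":
    for label, n, k in CONFIGS:
        print(f"{label:26} {combinations(n, k):10.1e} "
              f"{entropy_bits(n, k):6.1f} bits  {human_time(crack_seconds(n, k))}")
    print("16 lowercase vs 8 all-types:",
          f"{strength_ratio((26, 16), (94, 8)):,.0f}x the guesses")
```

Change `GUESSES_PER_SECOND` to model a different attacker; every time in the table scales linearly with it, while the entropy column does not move, which is why entropy rather than "crack time" is the durable way to compare policies.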
Password Managers: The Actual Solution
The fundamental problem with password security is a human one: we can't memorize dozens of unique, random 20-character strings, so we reuse passwords and make them guessable. The solution is not to try harder at memorization — it's to stop relying on memorization entirely.
A password manager generates cryptographically random passwords of any length and character set, stores them encrypted (so even the password manager company can't read them), and autofills them across devices. You need to remember exactly one password: the master password for the manager itself. Make that master password a 5–6 word Diceware passphrase and you've reduced your entire password security to one genuinely strong credential.
Reputable password managers include Bitwarden (free, open-source, independently audited), 1Password (~$3/month), and Dashlane. For most users, Bitwarden provides everything needed at no cost. Use the Password Generator to create random passwords for any account that needs one.
Two-Factor Authentication
Even a strong, unique password can be compromised — through phishing, keyloggers, or a breach on the service itself. Two-factor authentication (2FA) adds a second layer: even if an attacker has your password, they cannot log in without access to your physical authenticator device.
App-based 2FA (Google Authenticator, Authy, or the 2FA feature built into most password managers) generates a time-based one-time password (TOTP) that changes every 30 seconds. It is significantly more secure than SMS-based 2FA, which is vulnerable to SIM-swapping attacks where an attacker convinces your carrier to transfer your phone number to their SIM card. Enable app-based 2FA on your email, financial accounts, and any account tied to a payment method — these are the highest-value targets. The setup takes about 30 seconds per account and the protection is substantial.
What NIST Now Recommends
NIST's 2024 update to its Digital Identity Guidelines (SP 800-63B) represents a significant shift from the complexity-focused advice that dominated the previous decade. The current recommendations:
- Prioritize length over complexity. Minimum 8 characters required; 15+ characters encouraged. No mandatory complexity rules (no "must contain uppercase and symbol").
- No forced periodic rotation unless there's evidence of compromise. Mandatory 90-day resets were counterproductive — they led to predictable incremental changes ("Password1!" → "Password2!") rather than genuinely new passwords.
- Screen against known-breached passwords. Any new password should be checked against databases of previously compromised passwords (HaveIBeenPwned's Pwned Passwords API offers this). A unique 12-character password that appeared in a breach is not safe regardless of its theoretical entropy.
- Allow all printable characters including spaces (useful for passphrases). Don't restrict character sets in ways that reduce entropy.
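A server-side validator that follows the four recommendations above, added here as an example and not code from the article or from NIST: the only hard rule is length (8 minimum, 15+ suggested), spaces and any printable character are accepted, no composition rule is applied, and the candidate is screened against the Pwned Passwords range API using its k-anonymity scheme (only the first five hex characters of the SHA-1 leave the client; the response lists every matching suffix with its breach count). The network fetch is swappable, and the `FAKE_RANGE_DB` response is constructed so the example runs offline; it contains the real SHA-1 suffix of "password" with a made-up count.

```python
import hashlib

MIN_LENGTH = 8          # SP 800-63B minimum
RECOMMENDED_LENGTH = 15  # encouraged, surfaced as advice rather than rejection


def check_policy(password):
    """Returns (accepted, notes). Length is the only hard rule; no composition rule,
    and spaces or any printable character are allowed."""
    if len(password) < MIN_LENGTH:
        return False, [f"must be at least {MIN_LENGTH} characters"]
    notes = []
    if len(password) < RECOMMENDED_LENGTH:
        notes.append(f"consider {RECOMMENDED_LENGTH}+ characters")
    return True, notes


def sha1_prefix_suffix(password):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breached_count(password, fetch_range):
    """k-anonymity lookup: send only the 5-char prefix, match the suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate(password, fetch_range):
    """Apply the length policy first, then the breach screen."""
    accepted, notes = check_policy(password)
    if not accepted:
        return False, notes
    n = breached_count(password, fetch_range)
    if n:
        return False, notes + [f"appears in {n} known breaches"]
    return True, notes


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# A real response has hundreds of "SUFFIX:COUNT" lines; this one has two, the
# first being the real SHA-1 suffix of "password" with a made-up count.
FAKE_RANGE_DB = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
             "0123456789ABCDEF0123456789ABCDEF012:7\n",
}


def fake_fetch_range(prefix):
    return FAKE_RANGE_DB.get(prefix, "")


def live_fetch_range(prefix):
    """Real lookup (needs network); same interface as the fake."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "purple elephant morning coffee"):
        print(repr(pw), "->", evaluate(pw, fake_fetch_range))
```

Note what the validator does not do: it never rejects a long passphrase for lacking a digit or symbol, and it never asks the user to rotate on a schedule. Rejection is reserved for the two things the guidance actually ties to risk, too-short passwords and passwords already present in breach data.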
The bottom line: use a password manager, generate long random passwords for every account, enable app-based 2FA on important accounts, and never reuse passwords. The tools to do all of this are free and take less than an hour to set up. Start with the Password Generator to create your first genuinely strong credential.