Most password advice is wrong — or at least, not based on what actually makes passwords hard to crack. Rules like "use a capital letter, a number, and a symbol" produce passwords like P@ssword1, which is trivially cracked.
Here's what actually matters, and why.
What makes a password hard to crack?
Attackers don't guess passwords the way humans do. They use two main approaches:
Dictionary attacks: A list of millions of common passwords, words, phrases, and patterns is hashed and compared against a stolen password database.
password,123456,P@ssword1,Tr0ub4dor&3— all instantly cracked.Brute-force attacks: Every possible combination is tried systematically. The difficulty is determined by the size of the search space, which is measured in entropy.
What is password entropy?
Entropy (measured in bits) describes how many guesses an attacker would need, on average, to crack your password.
The formula:
Entropy = log₂(charset_size ^ password_length)
= password_length × log₂(charset_size)
For a password using only lowercase letters (26 characters), 8 characters long:
Entropy = 8 × log₂(26) = 8 × 4.7 = 37.6 bits
For a random 12-character password with lowercase, uppercase, digits, and symbols (95 characters total):
Entropy = 12 × log₂(95) = 12 × 6.57 = 78.8 bits
Each additional bit of entropy doubles the number of guesses needed. Going from 50 bits to 80 bits isn't a 60% improvement — it's 2³⁰ times harder (about a billion times harder).
Character sets and their entropy
| Character set | Pool size | Bits per character |
|---|---|---|
| Digits only (0–9) | 10 | 3.3 |
| Lowercase only (a–z) | 26 | 4.7 |
| Lower + upper (a–z, A–Z) | 52 | 5.7 |
| Lower + upper + digits | 62 | 5.95 |
| All printable ASCII (+ symbols) | 95 | 6.57 |
| Diceware wordlist (7,776 words) | 7,776 | 12.9 per word |
The takeaway: Symbols and uppercase letters add entropy, but not as much as making the password longer. Adding one character always adds more entropy than adding one complexity rule.
Length vs complexity
Here's the comparison that changes how most developers think about passwords:
| Password | Character set | Length | Entropy |
|---|---|---|---|
P@ssword1 |
95 | 9 | 59 bits (but dictionary-trivial) |
correcthorsebatterystaple |
26 | 25 | 117 bits |
| Random 12 chars (all ASCII) | 95 | 12 | 78 bits |
| Random 16 chars (all ASCII) | 95 | 16 | 105 bits |
The passphrase correcthorsebatterystaple — four random common words — has more entropy than a 12-character mixed-complexity password, while being much easier to remember. This is the core insight behind XKCD 936.
Why the "1 capital, 1 number, 1 symbol" rule fails
The rule doesn't guarantee randomness. Humans apply it predictably:
- Capital letter at the start
- Number or symbol at the end
- Often substituting
a→@,i→1,e→3,o→0
These patterns are in every attacker's dictionary. A 10-character password that follows this rule has far less effective entropy than the formula suggests, because the actual search space is much smaller than 95^10.
NIST guidelines (NIST SP 800-63B, 2017): The US government's National Institute of Standards and Technology now explicitly recommends:
- Minimum 8 characters for user-chosen passwords
- Favour length over complexity rules
- No mandatory complexity requirements
- No mandatory periodic resets (unless breach is detected)
- Check passwords against breached credential lists
What entropy level is "enough"?
| Entropy | Security level | Notes |
|---|---|---|
| < 40 bits | Weak | Crackable in minutes with modern hardware |
| 40–60 bits | Marginal | Adequate for low-stakes accounts |
| 60–80 bits | Good | Typical "strong" password |
| 80–100 bits | Very good | Secure for most purposes |
| 100+ bits | Excellent | Future-proof |
Modern password crackers using GPUs can attempt billions of hashes per second for fast hash functions like MD5, but only thousands per second for bcrypt with a high cost factor. For bcrypt, even 60-bit entropy is practically unbreakable. For systems using fast hashes (a security mistake in itself), you need higher entropy.
The practical recommendation
For generated passwords (most use cases):
- Use a random password generator
- Target 16+ characters with the full ASCII charset (~105 bits)
- If you need to remember it, use a passphrase of 5+ random words (~65 bits)
For the password manager master password:
- Use a 6+ word Diceware passphrase (~77 bits)
- Write it down and store it securely — it's the only password you need to remember
Generating strong passwords
The Password Generator at SnappyTools generates random passwords with configurable length (8–128 characters), character sets (lowercase, uppercase, digits, symbols), and an option to exclude ambiguous characters like 0, O, l, and 1. It shows a strength score and entropy estimate for each generated password. All generation happens in your browser — no passwords are sent to any server.
A note on password managers
None of this matters if you're reusing passwords. The real security risk for most accounts isn't brute-force cracking — it's credential stuffing, where attackers take a leaked email/password pair from one breach and try it on hundreds of other services.
A password manager (1Password, Bitwarden, Dashlane) solves both problems: it generates a different random password for every site and remembers them all. The only password worth memorising is the master password.
High entropy + unique per site + stored in a password manager = genuinely secure.
This article was originally published by DEV Community and written by Snappy Tools.
Read original article on DEV Community