Password Security: Length Beats Complexity
Why a 4-word passphrase is stronger than 'P@ssw0rd!', the entropy math, and the modern NIST guidance every site still ignores.
The Password Policy That Made Us All Less Safe
For two decades, NIST (the US National Institute of Standards and Technology) recommended that organizations require passwords with uppercase letters, numbers, and symbols, and force users to change them every 90 days. In 2017, the same agency reversed both recommendations. The author of the original guidance, Bill Burr, told the Wall Street Journal he regretted writing it. The complexity rules trained users to create passwords like "P@ssw0rd1!" that were easy to guess and hard to remember. The 90-day change cycles pushed people to use predictable sequences: "Password1!" became "Password2!" at the next rotation.
NIST's current guidance (SP 800-63B, updated in 2024) says length matters more than complexity. A 12-character random password has more possible combinations than an 8-character one with every special character rule applied. A 4-word random passphrase like "correct horse battery staple" carries roughly 44 bits of entropy, meaning an attacker running 1 billion guesses per second would need on average 278 years to crack it. The 8-character "P@ssw0rd!" carries about 18 bits of effective entropy against a dictionary attack and falls in under a minute.
This guide covers what entropy bits measure and how to calculate them, why length dominates over complexity, the difference between dictionary attacks and brute force, the passphrase approach, password managers, and why password reuse remains the single biggest real-world threat to most users.
Entropy: The Unit of Password Strength
Entropy measures unpredictability in bits. One bit of entropy doubles the number of guesses an attacker needs. Every additional bit doubles the search space again. A password with 40 bits of entropy requires 240 guesses on average, about 1.1 trillion. A password with 50 bits requires 250 guesses, about 1.1 quadrillion.
Entropy for a random password comes from the size of the character set and the length:
Entropy (bits) = Length × log2(Character set size)
Character set sizes:
- Lowercase only (a-z): 26 characters = 4.7 bits per character
- Lowercase + uppercase: 52 characters = 5.7 bits per character
- Alphanumeric (a-z, A-Z, 0-9): 62 characters = 5.95 bits per character
- Full printable ASCII (94 characters): 6.55 bits per character
A 12-character random lowercase-only password: 12 × 4.7 = 56.4 bits. A 12-character random full-ASCII password: 12 × 6.55 = 78.6 bits. An 8-character full-ASCII password: 8 × 6.55 = 52.4 bits. Length contributes more than character set expansion for the same character count.
Passphrase entropy works differently. If you pick 4 words randomly from a 7,776-word wordlist (the Diceware list), each word contributes log2(7,776) = 12.9 bits. Four words: 4 × 12.9 = 51.7 bits. Five words: 64.6 bits. Six words: 77.5 bits. The passphrase "correct horse battery staple" carries about 51 bits and takes a human 2 seconds to type. A 51-bit random character string takes a human 30 seconds and three mistakes.
How the Math Behind Cracking Works
Password cracking speed depends on the hashing algorithm the website used to store passwords. Fast hashes like MD5 allow attackers to test billions of passwords per second on modern GPUs. Slow hashes like bcrypt allow only thousands per second. The cracking time formula:
Time (seconds) = Possible combinations / Guesses per second
At 10 billion guesses per second (MD5 on modern hardware):
- 40-bit entropy password: 240 / 1010 = 110 seconds average
- 50-bit entropy password: 250 / 1010 = 31 hours average
- 60-bit entropy password: 260 / 1010 = 3.6 years average
- 80-bit entropy password: 280 / 1010 = 38 million years average
At 10,000 guesses per second (bcrypt, which is typical for modern sites):
- 40-bit: 3.5 years average
- 50-bit: 3,500 years average
- 60-bit: 3.6 million years average
These are random passwords. Dictionary attacks against predictable passwords ("password", "qwerty", "iloveyou") succeed in under a second regardless of entropy, because the attacker tries the most common passwords first rather than exhaustively iterating all combinations.