What Makes a Password Strong? A Guide to Password Entropy

Published June 2026 · 6 min read

You've heard the advice: "Use a strong password." But what does strong actually mean? Is "P@ssw0rd!2025" strong? What about "correct-horse-battery-staple"? The answer comes down to a concept from information theory called password entropy.

What Is Password Entropy?

Entropy measures how unpredictable a password is. It's expressed in bits — each bit represents a binary choice (like a coin flip). A password with 40 bits of entropy would take roughly the same number of guesses as flipping a coin 40 times and getting every outcome right.

The higher the entropy, the harder the password is to crack. Entropy is determined by two factors:

Character set size — how many possible characters you're using
Password length — how many characters are in the password

The formula is simple: Entropy (bits) = length × log₂(character set size)

Character Set Sizes Compared

Character Type	Set Size	Examples
Digits only	10	0–9
Lowercase letters	26	a–z
Lowercase + digits	36	a–z, 0–9
Mixed case letters	52	A–Z, a–z
Mixed case + digits	62	A–Z, a–z, 0–9
All characters including symbols	94	A–Z, a–z, 0–9, !@#$%^&*

Entropy at Different Lengths

Here's how entropy grows with length using the full 94-character set (upper + lower + digits + symbols):

Length	Entropy (bits)	Crack Time (modern GPU)
8	52.5	~5 hours
10	65.7	~3 months
12	78.8	~270 years
14	92.0	~24,000 years
16	105.1	~2 million years
20	131.4	~16 billion years

Notice the pattern: every additional character doubles the crack time. A jump from 8 to 16 characters isn't twice as strong — it's millions of times stronger.

What Does "Strong" Actually Mean?

Security researchers generally classify passwords by entropy:

< 30 bits — Very weak. Cracked instantly. Example: "password1"
30–50 bits — Weak. Crackable in hours or days. Example: "Sunshine2024"
50–70 bits — Moderate. OK for low-risk accounts.
70–100 bits — Strong. Suitable for most online accounts.
100+ bits — Very strong. Bank-grade security against brute-force attacks.

Our PassGenerator strength meter uses these exact thresholds — 70+ bits is shown as "Strong", and 100+ as "Very Strong".

Why Randomness Matters

Entropy assumes true randomness. A password like "gf7H!k9wQ2#m" has high entropy because every character was chosen independently. But if you generated it by modifying a word or using a pattern (e.g. capital letter + word + number + symbol), the actual entropy is much lower than the formula suggests.

Attackers know this. Modern cracking tools try common patterns first — dictionary words with substitutions, keyboard walks ("qwerty123"), dates, and sports teams — before attempting true brute-force. This is called a pattern-aware attack, and it's why human-generated passwords are far weaker than people think.

How PassGenerator Ensures True Randomness

PassGenerator uses crypto.getRandomValues() — the browser's built-in cryptographic random number generator — combined with a Fisher-Yates shuffle. This means:

Every character is independently and uniformly random
No patterns, no biases, no human predictability
All generation happens locally in your browser — nothing is sent to any server

The Bottom Line

A truly strong password is long, random, and uses a mix of character types. Aim for at least 16 characters with upper and lowercase letters plus numbers — that gives you over 95 bits of entropy, enough to resist even offline brute-force attacks. Adding symbols bumps this to 105 bits and costs you nothing on a password generator.

Don't try to invent passwords yourself. Use a password generator and let math do the work.

Check the entropy of your passwords in real time

Our built-in strength meter calculates bits of entropy as you adjust length and character sets.

Try the Entropy Meter →

← Back to PassGenerator