How Password Entropy Determines Security
Entropy measures the randomness (unpredictability) of a password in bits. The formula is L times log2(N), where L is the length and N is the size of the character pool.

Using only lowercase letters (N=26), a 12-character password has 56.4 bits of entropy. Adding uppercase (N=52): 68.4 bits. Adding digits (N=62): 71.5 bits. Adding symbols (N=94): 78.8 bits.

Security thresholds: below 40 bits is trivially crackable in minutes; 40-60 bits resists online attacks but falls to offline attacks; 60-80 bits is strong for most purposes; above 80 bits is very strong; above 128 bits is uncrackable by any foreseeable technology.

Going from 12 to 16 characters with the full character set jumps from 78.8 to 105.1 bits, making it roughly 78 million times harder to crack. This is why NIST and security experts emphasize length over complexity.
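The formula and thresholds above, as an added Python example that is not part of the original page: it rates a password policy against the page's bands, finds the length each character pool needs to reach a target, and generates passwords for which the formula actually holds. The function names are assumptions of this example, and the formula applies only when every character is drawn uniformly at random, which is why the generator uses the `secrets` module.

```python
import math
import secrets
import string

# Character pools named on the page, with their sizes N.
POOLS = {
    "lower": string.ascii_lowercase,                                    # N=26
    "lower+upper": string.ascii_letters,                                # N=52
    "alnum": string.ascii_letters + string.digits,                      # N=62
    "full": string.ascii_letters + string.digits + string.punctuation,  # N=94
}

def entropy_bits(length, pool_size):
    """L * log2(N); valid only when each character is drawn uniformly at random."""
    return length * math.log2(pool_size)

def rating(bits):
    """Map an entropy value onto the page's threshold bands."""
    if bits < 40:
        return "trivially crackable"
    if bits < 60:
        return "resists online attacks only"
    if bits <= 80:
        return "strong for most purposes"
    if bits <= 128:
        return "very strong"
    return "beyond foreseeable technology"

def min_length(target_bits, pool_size):
    """Shortest length whose entropy reaches target_bits for this pool."""
    return math.ceil(target_bits / math.log2(pool_size))

def generate(length, pool):
    """Draw each character with the OS CSPRNG so the formula applies."""
    return "".join(secrets.choice(pool) for _ in range(length))

def work_factor(pool_size, old_len, new_len):
    """How many times larger the search space gets when only length grows."""
    return pool_size ** (new_len - old_len)

if __name__ == "__main__":
    for name, pool in POOLS.items():
        n = len(pool)
        bits = entropy_bits(12, n)
        print(f"{name:12} N={n:2} 12 chars: {bits:5.1f} bits ({rating(bits)}); "
              f"128 bits needs {min_length(128, n)} chars; sample: {generate(12, pool)}")
    print("12 -> 16 chars, N=94:", work_factor(94, 12, 16), "times more guesses")
```

A password a person invents rather than one drawn this way has less entropy than the formula reports, because its characters are not independent uniform choices.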