How Password Entropy Determines Security
Entropy measures the randomness (unpredictability) of a password in bits. The formula is L times log2(N), where L is length and N is the size of the character pool.
- Using only lowercase letters (N=26): a 12-character password has 56.4 bits of entropy.
- Adding uppercase (N=52): 68.4 bits.
- Adding digits (N=62): 71.5 bits.
- Adding symbols (N=94): 78.8 bits.
Security thresholds:
- below 40 bits is trivially crackable in minutes;
- 40-60 bits resists online attacks but falls to offline attacks;
- 60-80 bits is strong for most purposes;
- above 80 bits is very strong;
- above 128 bits is uncrackable by any foreseeable technology.
Going from 12 to 16 characters with full character set jumps from 78.8 to 105.1 bits — making it roughly 78 million times harder to crack. This is why NIST and security experts emphasize length over complexity.