February 1, 2026
What Makes a Password Strong in 2026: Entropy Explained Simply
Length beats complexity. Here's the actual math behind password strength and what it means for your accounts.
Password advice has been wrong for decades. The standard guidance — use uppercase, lowercase, numbers, and symbols — produces passwords like P@ssw0rd1 that are both hard to remember and easy to crack. The actual metric that matters is entropy, and length is its most powerful driver.
What Is Password Entropy?
Entropy measures how unpredictable a password is, expressed in bits. A password with 40 bits of entropy has 240 (about 1 trillion) possible values. Each additional bit doubles the search space. At 60 bits, you're at 1 quadrillion possibilities.
How entropy is calculated:
Entropy = log₂(character_set_size) × password_length
• Lowercase only (26 chars), 8 characters: log₂(26) × 8 = 37.6 bits
• Lowercase + uppercase + digits (62 chars), 8 characters: log₂(62) × 8 = 47.6 bits
• Lowercase only, 16 characters: log₂(26) × 16 = 75.2 bits
A 16-character lowercase password has more entropy than an 8-character password using every character type. Length wins.
How Long Does Cracking Actually Take?
A modern GPU cluster can test about 100 billion password guesses per second against an unsalted MD5 hash. Against a properly salted bcrypt hash (what good services use), that drops to around 100,000 per second.
Cracking time at 100B guesses/second (worst case — bad hashing):
• 8 chars, all types (47.6 bits): ~16 minutes
• 12 chars, all types (71.4 bits): ~23,000 years
• 16 chars, lowercase only (75.2 bits): ~375,000 years
• 20 chars, lowercase only (94 bits): ~630 billion years
The jump from 8 to 12 characters — even without adding special characters — moves your password from "crackable in an afternoon" to "effectively uncrackable in any realistic timeframe."
The Problem With Complexity Requirements
Forced complexity makes passwords more predictable, not less. When required to add a number, most people add it at the end. When required to add a symbol, most people use ! or @. Attackers know these patterns and include them in their dictionaries.
A truly random 12-character password is far stronger than a human-chosen 12-character password that meets complexity requirements. The randomness is what matters, not the character types.
Passphrases: Long and Memorable
A passphrase like correct-horse-battery-staple (from the famous xkcd comic) has about 44 bits of entropy if chosen from a 2,000-word dictionary, and much more if the words are truly random. It's easy to remember and long enough to be practical.
Four random words from a large dictionary easily exceeds 50 bits. Six words exceeds 75 bits — equivalent to a fully random 13-character password using all character types.
Practical Rules for 2026
- Minimum 12 characters for any account. 16+ for anything important.
- Use a password manager. You only need to remember one strong master password.
- Never reuse passwords. A breach at one site shouldn't affect others.
- Enable 2FA wherever available. Even a weak password with 2FA beats a strong password without it.
- Random beats memorable. Let your password manager generate and store truly random passwords.
Check how your current passwords score — and generate new ones — using the tools below.
Try the calculator