Skip to content
Calixo
IT & Developer

Password Security 101: Entropy, Strength, and What Actually Matters

Why length beats complexity, what 'bits of entropy' actually means, and why an 8-character password with every character type is weaker than you'd think.

Published July 10, 2026

“Use a mix of uppercase, lowercase, numbers, and symbols” is the password advice almost everyone has heard. It’s not wrong, but it’s incomplete in a way that leads people to make objectively worse choices — like P@ssw0rd! (technically satisfies every character-class rule, trivially guessable) over a long, simple passphrase (fails the “complexity” checklist, dramatically harder to crack).

What entropy actually measures

Password entropy, measured in bits, quantifies how many guesses an attacker with no other information would need to try, on average, to find your exact password by brute force. The formula is:

Entropy (bits) = length × log₂(character set size)

Character set size depends on what categories of characters you use: lowercase-only is 26 possible characters, adding uppercase brings it to 52, adding digits brings it to 62, and including common symbols brings a full mixed set to roughly 94 printable ASCII characters.

Each additional bit of entropy doubles the number of guesses required — entropy is exponential, not linear, which is exactly why length matters more than most people intuit.

The length-versus-complexity trade-off, with real numbers

Consider two approaches to an 8-character password:

  • 8 characters, all four character classes (94-character set): entropy = 8 × log₂(94) ≈ 52.4 bits.
  • 8 characters, lowercase only (26-character set): entropy = 8 × log₂(26) ≈ 37.6 bits.

Adding complexity to a fixed length clearly helps — that’s real, and it’s why the standard advice isn’t wrong. But now compare the “complex” 8-character password to something longer and simpler:

  • 12 characters, all four character classes: entropy ≈ 78.7 bits.
  • 16 characters, all four character classes: entropy ≈ 104.9 bits.

Going from 8 to 12 characters at the same complexity level gains you more entropy (26.3 additional bits) than adding every character class to a fixed 8-character password did (14.8 additional bits). Length compounds; complexity per character adds a fixed, smaller amount each time.

What this means for crack time

Entropy translates directly into estimated crack time against a brute-force attack. Using a conservative estimate of 10 billion guesses per second (roughly what dedicated cracking hardware can achieve against a fast, unsalted hash — real-world numbers vary enormously by hashing algorithm):

  • 52.4 bits (8-char, all classes): roughly 169 hours — about a week.
  • 78.7 bits (12-char, all classes): roughly 1.5 million years.

That gap — from “crackable in a week” to “longer than human history” — comes almost entirely from 4 extra characters of length, not from adding any new character types. This is the core, counterintuitive lesson: length is the dominant factor, and complexity rules that force short, awkward passwords (like an 8-character maximum with mandatory symbols) can produce objectively weaker security than simply requiring more characters.

Why passphrases work

A password like correct-horse-battery-staple — four random common words — is long (29 characters) but uses a small, simple character set. Even so, because entropy scales with length, a genuinely random four-word passphrase from a large word list can carry more real entropy than a short “complex” password, while being dramatically easier for a human to actually remember and type correctly. The caveat is “genuinely random”: a passphrase built from a predictable pattern (a famous quote, your own name plus a birth year) doesn’t get to claim dictionary-word-based entropy math, because a targeted attacker’s guess list isn’t a uniform random search — it’s an informed one.

What entropy math doesn’t capture

Bits of entropy assumes a brute-force attacker with no other information — it doesn’t model an attacker using a dictionary of common passwords, patterns, or personal information about you specifically. A password can have “good” entropy by the formula above and still be a bad password if it’s Password123! — technically hits every character class and a reasonable length, but sits near the top of every real-world breached-password list, meaning it gets tried in the first few thousand guesses of any real attack, entropy math notwithstanding. This is exactly why the Password Strength Calculator on this site is deliberately distinct from — not a replacement for — the Password Entropy Calculator: one estimates theoretical randomness, the other scores practical composition. Neither one checks your password against real breach databases, which a production authentication system should also do.

The practical takeaway

Prefer length over forced complexity when you have the choice. A unique, long passphrase per account, ideally generated or managed by a password manager rather than remembered, beats any amount of manual “complexity” applied to a short password — and reusing even a genuinely strong password across multiple accounts undermines all of this math the moment any one of those services has a data breach.

Related calculators