How many bits of entropy does a strong password need?

NIST recommends at least 112 bits for high-security systems. A random 16-character password using uppercase, lowercase, digits, and symbols provides about 105 bits. A 5-word Diceware passphrase provides about 64 bits — strong enough for most online accounts where rate limiting applies.

Why did NIST stop recommending forced password rotation?

Research showed that users who must rotate passwords frequently choose weaker passwords and make predictable changes (e.g., Password1 → Password2). NIST SP 800-63B Rev 4 (2024) recommends changing passwords only when there is evidence of compromise.

Is a longer password always stronger?

Length is the single most important factor because entropy grows linearly with length but exponentially with keyspace. A 20-character lowercase-only password (94 bits) is stronger than an 8-character password using all character types (52 bits).

Password Security: How Entropy, Brute-Force Math, and NIST Guidelines Shape Strong Passwords

Every password has a measurable strength, and that measurement is entropy. Entropy quantifies how unpredictable a password is — not how long it is, not whether it has a special character, but how many guesses an attacker would need to find it. Understanding how password entropy works is the difference between a password that falls in seconds and one that resists nation-state adversaries.

The Shannon Entropy Formula

Password entropy is calculated using Shannon's information entropy formula, adapted for uniform random selection:

H = L × log₂(R)

Where:
  H = entropy in bits
  L = password length (number of characters)
  R = size of the character pool

A 12-character password drawn uniformly at random from lowercase letters (R=26) has 12 × log₂(26) = 12 × 4.7 = 56.4 bits of entropy. The same length using uppercase + lowercase + digits + 32 symbols (R=94, the full printable ASCII range) yields 12 × log₂(94) = 12 × 6.55 = 78.6 bits.

This formula assumes each character is chosen independently and uniformly at random. Human- chosen passwords violate this assumption dramatically — substituting @ for a or appending 123 does not add the entropy the formula suggests, because attackers know these patterns and encode them in their dictionaries.

NIST SP 800-63B: What the Standards Say

The NIST Special Publication 800-63B (Revision 4, 2024) is the United States federal standard for digital identity authentication. Its password guidelines reversed decades of conventional wisdom:

Minimum 8 characters required, 15+ recommended. NIST sets 8 as the absolute floor for memorized secrets and recommends verifiers support at least 64 characters.
No composition rules. Requiring uppercase, numbers, and symbols does not measurably improve security and leads to predictable patterns like Password1!. NIST explicitly discourages mandatory composition rules.
No periodic rotation. Forced password changes (every 90 days) cause users to create weaker, incremental passwords (Summer2024! → Fall2024!). Change passwords only when there is evidence of compromise.
Check against breach databases. Verifiers SHALL compare passwords against known compromised credential lists. The Have I Been Pwned database contains over 900 million compromised passwords.
Support paste and password managers. Disabling paste in password fields actively harms security by discouraging password manager use.

Brute-Force Mathematics: Time to Crack

The keyspace of a password is R^L — the character pool size raised to the power of the password length. An attacker performing brute-force search must try, on average, half the keyspace before finding the correct password.

Modern attack speeds depend on the hashing algorithm protecting the password:

MD5 — A single GPU (RTX 4090) achieves roughly 164 billion hashes per second (164 GH/s) according to Hashcat benchmarks. An 8-character password using all 94 printable ASCII characters (52.4 bits of entropy) falls in under 40 seconds.
bcrypt (cost 12) — The same GPU manages approximately 33,000 hashes per second. That same 8-character password now takes over 200,000 years. This is why hashing algorithm choice matters more than password complexity alone.
Argon2id — The winner of the 2015 Password Hashing Competition, recommended by OWASP. Memory-hard design makes GPU parallelism expensive. Typical rates: under 1,000 hashes per second on consumer hardware.

The formula for estimated crack time: T = (R^L) / (2 × guesses_per_second). At 10 billion guesses per second against a fast hash, 80 bits of entropy requires approximately 19,000 years. At 128 bits, the heat death of the universe arrives first.

Passphrases vs Random Strings

The Diceware method generates passphrases by randomly selecting words from a list of 7,776 entries (6⁵, corresponding to five dice rolls). Each word adds log₂(7776) = 12.9 bits of entropy. A 5-word passphrase like correct horse battery staple provides 64.6 bits — comparable to a 10-character random alphanumeric string.

The advantage of passphrases is memorability. Research by Bonneau and Schechter (USENIX 2012) showed that users can memorize randomly generated passphrases with modest rehearsal, while random character strings of equivalent entropy require significantly more effort.

For maximum security, 6+ word Diceware passphrases (77.5+ bits) provide strong protection and remain practical to type. For machine-generated credentials (API keys, database passwords), random strings of 20+ characters from the full ASCII range (131+ bits) are appropriate since memorability is irrelevant.

Attack Vectors Beyond Brute Force

Brute force is the least efficient attack against passwords. Real-world breaches exploit weaker vectors:

Credential stuffing — Using username/password pairs from one breach to access other services. The OWASP credential stuffing page reports that 0.1-2% of stuffed credentials succeed, because users reuse passwords across services. A unique password per service eliminates this vector entirely.
Rainbow tables — Precomputed hash-to-plaintext lookup tables. A rainbow table for all 8-character alphanumeric passwords with MD5 fits in roughly 460GB. Salted hashing (bcrypt, Argon2) makes rainbow tables useless because each password has a unique salt.
Dictionary attacks — Testing common passwords and variations. Dictionaries like rockyou.txt (14.3 million entries) combined with rule-based mutations (append digits, substitute letters) crack a large percentage of human-chosen passwords. The 2023 Hive Systems password table estimates that 8-character passwords using only numbers fall in under 1 second.
Phishing — No amount of entropy protects against a user voluntarily entering their password on a fake login page. Multi-factor authentication (FIDO2/WebAuthn hardware keys in particular) is the primary defense.

Password Managers: The Practical Solution

The math is clear: strong passwords must be long, random, and unique per service. No human can memorize hundreds of 20-character random strings. Password managers (1Password, Bitwarden, KeePass) solve this by generating and storing high-entropy credentials behind a single master password.

A well-chosen master password (6-word Diceware passphrase, 77.5 bits) combined with a hardware security key for MFA provides a security level that exceeds most threat models. The remaining risk is the password manager's own security — which is why choosing managers that use zero-knowledge architecture and have undergone independent security audits matters.

For individual passwords, the goal is straightforward: maximize entropy above the threshold where brute force becomes infeasible against the hashing algorithm in use. Against bcrypt with cost 12, 60+ bits of entropy provides decades of resistance. Against fast hashes like unsalted SHA-256, aim for 80+ bits minimum.

Ready to measure your password strength? The Password Strength Checker calculates entropy, estimates crack time against multiple hash algorithms, and checks for common patterns — all locally in the browser with no data transmitted. Need to generate a strong one? The Password Generator creates cryptographically random passwords and passphrases with configurable length and character sets.