What Entropy Means in Practice
Entropy, measured in bits, represents the number of equally likely possibilities an attacker must try. A password with 40 bits of entropy has roughly 1 trillion possible values. Each additional bit doubles the search space. Modern password crackers on consumer hardware can test billions of guesses per second for common hash algorithms, so high entropy is not optional for anything sensitive.
Why Length Beats Complexity
Adding one character to a password multiplies the possibilities by the character set size. Going from 12 to 13 characters at 94 printable ASCII characters adds roughly 6.5 bits of entropy. Adding a single digit to an otherwise all-lowercase password adds only about 0.1 bits because it changes the character set from 26 to 36. More characters always wins over substituting one character type for another.
Crack Time Estimates
Crack time estimates assume offline attacks against a stolen hash file — the worst case. A 10-character random password using the full printable ASCII set takes years to crack with current hardware. A 10-character password based on a dictionary word with common substitutions (p@ssw0rd style) falls in seconds.
Common Patterns to Avoid
- Dictionary words with letter-to-symbol substitutions (e→3, a→@)
- Appending a year or exclamation mark to a short base word
- Keyboard walks (qwerty, 123456)
- Names, birthdays, or usernames
Use a passphrase of four or more random words, or a random character string stored in a password manager.