Password Generator · 6 min read
The Math of Password Entropy: How Length Really Beats Complexity
Password entropy is just log2 of the search space. The math shows length beats character variety almost every time. Here is the calculation and why it matters.
Every security checklist tells you to use uppercase, lowercase, numbers, and symbols. Almost none of them explain why a longer all-lowercase password usually beats a short mixed one. The reason is a single equation, and once you see it, the "must contain a special character" rule starts to feel like security theater.
The Equation
Password entropy measures how many guesses an attacker needs, on average, to find your password by brute force. For a randomly generated password, the formula is:
entropy (bits) = log2(charset_size ^ length)
               = length * log2(charset_size)
That is it. charset_size is the number of distinct symbols available, and length is how many of them are in the password. Each bit of entropy doubles the work for an attacker.
Why Length Wins
The two variables are not equal partners. length is a multiplier; charset_size is inside a logarithm. Doubling the alphabet adds one bit per character. Adding one character adds log2(charset_size) bits.
Compare two randomly-chosen passwords:
- 8 characters, full mix (95 printable ASCII): 8 × log2(95) ≈ 52.6 bits
- 12 characters, lowercase only (26 letters): 12 × log2(26) ≈ 56.4 bits
The lowercase one wins. Adding four characters out-earned switching from 26 letters to 95. And it is easier to type.
What Bits Actually Mean
A 50-bit password has 2^50 possible values, about 1.1 quadrillion. At a billion guesses per second (a reasonable rate for a single GPU against a fast hash like MD5), that takes around 13 days to exhaust. At a trillion guesses per second (a serious offline attack on an unsalted hash), it falls in 18 minutes.
Rough thresholds people in the industry use:
- < 40 bits: trivially crackable. Don't bother.
- 40–60 bits: okay against online attacks (rate-limited login endpoints), weak against offline cracking.
- 60–80 bits: solid against most adversaries with current hardware.
- 80–128 bits: strong. Cryptographic key territory.
- 128+ bits: overkill for almost any password use case.
The Critical Caveat: "Randomly Generated"
The entropy formula assumes every character is chosen independently and uniformly at random. P@ssw0rd! has a theoretical entropy of about 59 bits. Its actual entropy, the entropy an attacker faces, is closer to 10. Cracking dictionaries know about leet-speak substitutions, capitalisation patterns, and the suffix "!". They guess P@ssw0rd! in milliseconds.
Bonneau's 2012 analysis of 70 million Yahoo passwords found that real-world password choices follow a Zipf-like distribution: a tiny fraction of passwords cover an enormous fraction of users. Human-chosen passwords have far less effective entropy than the formula suggests.
Why Character-Class Rules Backfire
When a site forces "at least one uppercase, one number, one symbol," people respond predictably. Capitalise the first letter. Append 1. Stick a ! at the end. The site has not increased real entropy; it has removed search space (no all-lowercase passwords) and pushed users toward predictable patterns.
NIST SP 800-63B explicitly recommends against composition rules for exactly this reason. The guidance since 2017 has been: enforce a minimum length, screen against breached-password lists, and stop.
The Practical Takeaway
For a generated password (one where every character really is random), aim for at least 14 characters of mixed lowercase and digits. That gives you over 70 bits and resists offline cracking under realistic budgets. If the site allows it, longer is always cheaper than weirder.
For a memorised password, give up on character mashing entirely. A passphrase of five randomly chosen words from a 7,776-word list yields about 64 bits, more than most "complex" 10-character passwords, and you can actually remember it. That is the math behind the recommendation, and it is why every modern password guidance document points the same way.
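As an added example (not code from the original post), the following Python script reproduces the numbers above: the entropy formula, the time to exhaust a search space at a given guess rate, a generator that actually draws characters uniformly from the OS CSPRNG, and an inclusion-exclusion count showing how much search space an "at least one upper, one digit, one symbol" rule removes from 8-character passwords. The class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols, totalling the 95 printable ASCII characters) are this example's assumption.

```python
import math
import secrets
import string
from itertools import combinations


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a 2^bits search space at a fixed rate."""
    return 2.0 ** bits / guesses_per_second


def composition_rule_bits(length: int, required=(26, 10, 33), total=95) -> float:
    """Bits of search space left once a composition rule is enforced.

    Counts strings over `total` symbols containing at least one symbol from
    each required class (assumed sizes: upper 26, digit 10, symbol 33) using
    inclusion-exclusion. The result is always below the unconstrained value,
    which is the sense in which such a rule removes search space.
    """
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return math.log2(count)


def generate(alphabet: str, length: int) -> str:
    """Uniform random password over `alphabet`, one secrets.choice per char."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    cases = [
        ("8 chars, 95 printable ASCII", 95, 8),
        ("12 chars, lowercase only", 26, 12),
        ("14 chars, lowercase + digits", 36, 14),
        ("5 Diceware words (7776-word list)", 7776, 5),
    ]
    for label, size, n in cases:
        bits = entropy_bits(size, n)
        days = seconds_to_exhaust(bits, 1e9) / 86400
        print(f"{label:36s} {bits:6.1f} bits  {days:12.1f} days @ 1e9/s")
    print(f"8 chars with upper+digit+symbol rule: "
          f"{composition_rule_bits(8):.1f} bits (unconstrained {entropy_bits(95, 8):.1f})")
    print("sample:", generate(string.ascii_lowercase + string.digits, 14))
```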
References
- Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management. National Institute of Standards and Technology.
- Shannon, C. E. (1948). A Mathematical Theory of Communication. Bell System Technical Journal, 27(3).
- Reinhold, A. (2016). The Diceware Passphrase Home Page. World Wide Web publication.
- Bonneau, J. (2012). The science of guessing: analyzing an anonymized corpus of 70 million passwords. IEEE Symposium on Security and Privacy.