Every password generator tells you the password is "strong." Very few tell you how strong, or what that actually means in practice.
The answer is entropy — measured in bits.
What entropy bits mean
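Entropy is the base-2 logarithm of the number of equally likely possibilities an attacker has to try, so each extra bit doubles the search space. For a randomly generated password, the formula is: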
entropy = log2(pool_size ^ length) = length × log2(pool_size)
A password drawn from 72 characters (lowercase + uppercase + digits + common symbols) at 12 characters long has:
12 × log2(72) = 12 × 6.17 = ~74 bits
74 bits means 2^74 possible passwords — about 18 quadrillion. At a billion guesses per second (a fast GPU cracker), that's ~585 years.
How length beats complexity
Most people think adding symbols makes a password strong. Length does more:
| Password | Entropy |
|---|---|
| P@ssw0rd (8 chars, mixed) | ~52 bits |
| correcthorsebatterystaple (25 lowercase) | ~117 bits |
| kR#9mXqL2p!v (12 chars, full set) | ~74 bits |
A 25-character lowercase passphrase is stronger than a 12-character mixed-case symbol-heavy password. Length compounds.
The minimum worth using in 2026
- Account passwords: 16+ characters, mixed set, generated randomly (not chosen by you)
- API keys / secrets: 32+ characters, full character set
- Passphrases: 4+ random words from a large wordlist (diceware-style)
The rule of thumb: anything under 60 bits is crackable with modern hardware in a reasonable timeframe.
QTNest's password generator lets you set length, character set, and quantity — and shows entropy for each generated password.
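The formula and the 60-bit rule of thumb above, worked through as an added example (not QTNest's code): it generates secrets with the OS CSPRNG, reports their entropy, and computes how many characters or words are needed to reach a target. The 10 symbols in `POOL_72`, the 8-word `DEMO_WORDS` list and all function names are assumptions made for the demo; the entropy figure is only meaningful because every item is drawn uniformly at random.

```python
import math
import secrets
import string

# Assumed 72-character pool: the page gives the size, not the exact symbols.
POOL_72 = string.ascii_letters + string.digits + "!@#$%^&*-_"
# Constructed 8-word list for the demo; a real diceware list has 7776 words.
DEMO_WORDS = ["anchor", "breeze", "copper", "dune",
              "ember", "fjord", "glacier", "harbor"]


def entropy_bits(length: int, pool_size: int) -> float:
    """length * log2(pool_size); only valid for uniform random selection."""
    if length < 0 or pool_size < 2:
        raise ValueError("need length >= 0 and pool_size >= 2")
    return length * math.log2(pool_size)


def min_length(target_bits: float, pool_size: int) -> int:
    """Fewest characters (or words) needed to reach target_bits."""
    return math.ceil(target_bits / entropy_bits(1, pool_size))


def generate(length: int, pool, sep: str = "") -> tuple[str, float]:
    """Draw `length` items from `pool` with the OS CSPRNG; return (secret, bits)."""
    items = sorted(set(pool))  # drop duplicates so every item is equally likely
    secret = sep.join(secrets.choice(items) for _ in range(length))
    return secret, entropy_bits(length, len(items))


if __name__ == "__main__":
    password, bits = generate(16, POOL_72)
    print(f"{password}  {bits:.1f} bits")
    phrase, bits = generate(4, DEMO_WORDS, sep="-")
    print(f"{phrase}  {bits:.1f} bits (8-word demo list)")
    for name, size in [("72-char pool", 72), ("7776-word list", 7776)]:
        print(f"{name}: {min_length(60, size)} items reach 60 bits")
```

With a 7776-word diceware list each word adds about 12.9 bits, so four words give roughly 51.7 bits and five are needed to pass 60. The 8-word demo list gives only 3 bits per word, which is why the wordlist has to be large.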