A 6-character password using only lowercase letters has 26^6 possible combinations. That's 308,915,776. Three hundred million sounds like a big number until you realize that a modern GPU running hashcat can test over 100 billion MD5 hashes per second. Your 308 million combinations would be exhausted in 0.003 seconds.
That's not a typo. Three milliseconds.
This is why password security is fundamentally a math problem, and once you understand the math, the best practices stop sounding like arbitrary rules and start sounding like obvious conclusions.
The entropy calculation
Password strength is measured in bits of entropy. The formula is straightforward:
entropy = log2(characters ^ length)
Or equivalently:
entropy = length * log2(characters)
The "characters" value is the size of the character set. Lowercase letters give you 26. Add uppercase and you get 52. Add digits and you reach 62. Add common symbols and you're around 95.
Here's what that looks like for an 8-character password:
- Lowercase only (26): 26^8 = 208 billion, 37.6 bits of entropy
- Mixed case (52): 52^8 = 53.4 trillion, 45.6 bits
- Mixed case + digits (62): 62^8 = 218 trillion, 47.6 bits
- Full printable ASCII (95): 95^8 = 6.6 quadrillion, 52.6 bits
The crack time table
The time to crack depends on the hashing algorithm used to store the password. This matters enormously. Here's a rough table for a single high-end GPU (an RTX 4090) against different hash types:
For MD5 (fast, insecure, still widely used):
- 8 chars, lowercase: 25 seconds
- 8 chars, mixed case + digits: 36 minutes
- 8 chars, full ASCII: 18 hours
- 12 chars, full ASCII: 17,000 years
For bcrypt (cost factor 10):
- 8 chars, lowercase: 19 years
- 8 chars, full ASCII: mass
- 12 chars, lowercase: 827 billion years
The difference between MD5 and bcrypt isn't subtle. It's the difference between seconds and centuries. If you're a developer storing passwords, the hash function you choose is arguably more important than the password policy you enforce.
Length beats complexity, and the math proves it
Consider two passwords:
Password A: J#9kQ!2x (8 characters, full ASCII, ~52.6 bits of entropy)
Password B: correcthorsebatterystaple (25 characters, lowercase, ~117.5 bits of entropy)
Password B is astronomically harder to crack despite being "simpler." Every additional character multiplies the search space by the size of the character set. Adding one lowercase character to a lowercase password multiplies the work by 26. Making an existing character uppercase only doubles the possibilities for that position.
This is logarithmic math working in your favor. Length scales the exponent. Complexity scales the base. Exponents win.
Dictionary attacks change the calculus
Pure brute force — testing every possible combination — is the slowest approach an attacker will try. Real attacks start with dictionaries: lists of common passwords, leaked password databases, and rule-based mutations.
The most commonly used password list, rockyou.txt, contains about 14 million passwords from a 2009 data breach. Attackers run this list first, then apply rules: capitalize the first letter, add a number at the end, replace "a" with "@", append "123". A tool like hashcat can apply hundreds of transformation rules to each dictionary entry.
This is why P@ssw0rd1 is a terrible password despite meeting most complexity requirements. It's the word "password" with predictable substitutions. It's in every attack dictionary.
The defense against dictionary attacks is randomness. A password that was randomly generated cannot be in a dictionary. A password that a human chose almost certainly follows patterns that attackers know about.
The NIST 2024 guidelines dropped complexity requirements
This surprised a lot of people. NIST Special Publication 800-63B, which guides federal authentication standards and heavily influences the private sector, made several significant changes in its 2024 revision.
They dropped mandatory complexity rules. No more "must include uppercase, lowercase, digit, and symbol." The reasoning: these rules lead to predictable behavior. Users pick a base word, capitalize the first letter, add "1!" at the end, and call it compliant. The resulting passwords have far less real entropy than the character set would suggest.
Instead, NIST now emphasizes length. Minimum 8 characters, with a recommended minimum of 15. They also mandate checking new passwords against lists of known compromised passwords (like the Have I Been Pwned database) and explicitly prohibit periodic password rotation requirements.
The rotation prohibition is the other big change. Forcing users to change passwords every 90 days leads to incremental changes — Summer2024! becomes Fall2024! becomes Winter2025!. Attackers know this pattern. A password that is strong and not compromised should be left alone.
Passphrases are the practical answer
A passphrase is four or more random words strung together. "correct horse battery staple" is the famous XKCD example, though that specific phrase is now in every dictionary, so don't use it.
Four random words from a list of 7,776 words (the standard Diceware list) gives you 7776^4 = 3.6 quadrillion combinations, or about 51.7 bits of entropy. Five words gives you 64.6 bits. Six words gives you 77.5 bits.
The advantage is memorability. You can remember "umbrella tornado sandwich velocity" far more easily than kX9#mQ2!pL. And the five-word version has more entropy.
The key word is random. You must actually randomly select the words. If you pick words that form a meaningful phrase — "I love my dog" — you've chosen from a much smaller effective space than the math suggests.
Generate, don't create
The single best thing you can do for password security is stop inventing passwords. Use a generator that produces random characters or random passphrases at sufficient length. I built a password generator at zovo.one/free-tools/password-generator that lets you configure length, character sets, and passphrase options.
The math doesn't lie. Length times randomness equals security. Everything else is theater.
I'm Michael Lip. I build free developer tools at zovo.one. 350+ tools, all private, all free.
Top comments (0)