"Mix in uppercase, digits and symbols" is the advice everyone hears. It helps — but the single biggest practical factor in how hard a password is to crack is its length: every extra character multiplies the number of guesses by the size of the character set. We can quantify this with a measure called entropy. Here is the idea behind the score you see in the Password Strength Checker.

Why length matters so much

The number of guesses a brute-force attacker must try — assuming each character is chosen independently and uniformly at random — is (size of the character set) raised to the power of (length). Adding one character multiplies the count by the character-set size; enlarging the character set grows the base. Both help, but because you can keep adding characters while a long passphrase stays memorable, length is the most practical lever. (Human-chosen, patterned passwords are weaker than this theoretical figure.)

The entropy formula

The candidate count grows by orders of magnitude, so we express it in base-2 logarithm (bits). That is the entropy:

entropy (bits) = length × log2(charset size)

For example, 62 alphanumeric characters over 16 positions: log2(62) ≈ 5.95, so 16 × 5.95 ≈ 95 bits, meaning 295 candidates. A rough time to brute-force is 2bits ÷ guesses per second. This formula is an upper bound that assumes each character is chosen independently and uniformly at random; patterned, human-picked passwords have less effective entropy.

Brute-force time by charset and length

Below we assume an attack speed of 1×1011 guesses per second (one example of brute-forcing a fast hash offline) and estimate the time to exhaust every combination. Notice how the time explodes as length grows.

Character set8 chars12 chars16 chars20 chars
Digits only (10)27 bits · instant40 bits · ~10 s53 bits · ~1 day66 bits · ~32 yr
Lowercase (26)38 bits · ~2 s56 bits · ~11 days75 bits · ~14,000 yr94 bits · ~6.3×109 yr
Alphanumeric (62)48 bits · ~36 min71 bits · ~1,000 yr95 bits · ~1.5×1010 yr119 bits · ~2.2×1017 yr
With symbols (95)53 bits · ~18 hr79 bits · ~170,000 yr105 bits · ~1.4×1013 yr131 bits · ~1.1×1021 yr

Read across a row for the effect of a bigger character set; read down a column for the effect of more length. Lowercase alone at 16 characters (~14,000 years) far outlasts an 8-character password with symbols (~18 hours). It's the same reason a 4-digit PIN falls instantly.

Passphrases: memorable and strong

Rather than a short string full of symbols, a long passphrase of unrelated words is easier to remember while staying strong. But its strength depends not only on the number of words but on the size of the word list. Passphrase entropy is (number of words) × log2(word-list size). A standard Diceware list (~7,776 words) gives about 12.9 bits per word, so 5–6 words reach roughly 65–77 bits. A smaller word list gives fewer bits per word, so you need more words. For important accounts, the surest option is a 16+ character random string from the Password Generator, stored in the manager described below.

Reuse is the worst move — use a manager and 2FA

No matter how long it is, reusing one password across sites ruins everything. One breach lets attackers replay that exact username/password pair on other sites — credential stuffing (reusing known leaked credentials, not brute-forcing) — and accounts fall like dominoes. Two practical defenses:

  • Use a password manager to issue a long random string per service, and never reuse it.
  • Turn on two-factor authentication (2FA). Time-based codes like TOTP (one-time passwords) mean a leaked password alone is not enough to sign in.

FAQ

Do I always need to mix in symbols?
Symbols enlarge the character set and raise entropy, but as the table shows, adding length does more. An 8-character password with symbols (53 bits) is far weaker than 16 lowercase letters (75 bits). If memorability matters, a long passphrase is the realistic choice.
How many characters is safe?
Under the assumption above, 62-char alphanumeric reaches ~1,000 years at 12 characters, and with symbols ~170,000 years at 12. In practice: 16+ random characters from a manager. For anything you must memorize, aim for a Diceware passphrase of 5–6 words (~65–77 bits) from a large word list. Real safety still depends on attack speed and the hash in use.

The bit counts and times here are our own approximations, assuming an attack speed of 1×1011 guesses per second (one example of offline fast-hash brute-forcing). Real safety varies with the attack method and hashing scheme. As of 2026-07-16.