Skip to content
Free Tool Arena

Developers & Technical · Guide · Developer Utilities

Password Security Guide with Real Entropy Examples

Real password entropy math, attacker speeds in 2026, diceware passphrases, password managers, 2FA. Modern guidance based on actual attack vectors.

By FreeToolArena Staff · Updated May 2026 · 6 min read

A complete reference for password security in 2026: how entropy actually works, why “P@ssw0rd123!” is weak, why “correct horse battery staple” is no longer enough, and what password length and structure are sufficient given current attack capabilities.

Most password advice is recycled from 2005 and ignores how the threat model changed: brute-force is no longer the bottleneck (CSPRNGs and length defeat it); reuse, phishing, and credential stuffing are. This guide walks through the math first, then the practical guidance — both grounded in current attacker capabilities, not folk wisdom.

Advertisement

What entropy actually means

Password entropy measures unpredictability in bits. Formula:

entropy = log2(pool_size) × length

Where pool_size is the number of possible characters and length is the password length. A 10-character password from a 26-letter pool: log2(26) × 10 = 4.7 × 10 = 47 bits.

Bits double the search space: 1 bit = 2 options, 10 bits = 1,024 options, 80 bits = ~1.2 sextillion options. Each additional bit doubles the average time to brute-force.

Critical caveat: this formula assumes characters are uniformly RANDOM. A password of “qwerasdfzxcv” technically uses 12 chars from a 26-pool (56 bits theoretical), but is in any sensible attacker’s top 10,000 passwords (~13 bits effective). The formula tells you the maximum possible entropy; whether the password achieves it depends on how it was generated.

Real entropy by password structure

Password structureTheoretical entropyReal-world entropyCrack time (offline GPU)
“password” (top-100 list)38 bits~7 bitsInstant (in any attacker dictionary)
“P@ssw0rd123!” (leet-speak common word)78 bits~25 bitsSeconds (rule-based dictionary attack)
“Tr1nity@2026” (name + year + symbol)78 bits~32 bitsHours
10 random a-z characters47 bits47 bits~3 days at 10⁹ guesses/sec
10 random a-zA-Z0-960 bits60 bits~36 years
16 random a-zA-Z0-9 + symbols (94 pool)105 bits105 bits10²² years (uncrackable)
20 random characters (94 pool)131 bits131 bitsHeat-death-of-universe uncrackable
Diceware 4 random words (7,776-word list)52 bits52 bits~year at 10⁹/sec
Diceware 6 random words77 bits77 bits~10⁶ years at 10⁹/sec
Diceware 7 random words91 bits91 bits~10¹¹ years

The shape of the takeaway: human-chosen passwords lose 60-80% of their theoretical entropy because humans aren’t random. CSPRNG-generated passwords (or true diceware rolls) achieve their theoretical entropy.

Attacker speeds in 2026

Brute-force speeds depend on the hash algorithm and hardware. Real numbers:

  • MD5 (legacy, broken): ~10¹¹ guesses/sec on a single high-end GPU (RTX 5090 or similar). Cluster: 10¹³+. MD5 is unsalted-friendly to attackers.
  • SHA-1 (deprecated): ~3 × 10¹⁰ guesses/sec.
  • bcrypt cost 12 (default): ~30,000 guesses/sec on a GPU. Designed to be slow. Most well-secured services use bcrypt or Argon2.
  • Argon2id (modern recommendation): ~10,000 guesses/sec at typical parameters. Memory-hard, GPU-resistant.
  • scrypt: ~50,000 guesses/sec depending on parameters.

Implication: 60-bit entropy passwords protected by Argon2id survive offline brute force essentially indefinitely. Same passwords protected by MD5 fall in days. The hash algorithm matters as much as the password length.

Diceware passphrases: math and how-to

Diceware uses physical dice to choose words from a 7,776-word list. Each word contributes log2(7,776) = 12.92 bits of entropy. 5-die rolls produce a 5-digit number; the number maps to a word.

How to do it:

  1. Get the EFF long word list (eff.org/dice). It has 7,776 entries.
  2. Roll 5 standard dice (or one die 5 times). Read the values left-to-right as a 5-digit number, e.g., 41524.
  3. Look up that number in the list. That’s your first word.
  4. Repeat 5-7 times for the desired entropy.
  5. Concatenate words with spaces or a unique separator: “outlast-recolor-magnetic-finance-clutch-glaze”.

Modern recommendation: 6 words (77 bits) for ordinary passwords, 7 words (91 bits) for important ones (master password, banking, sensitive accounts). Adding a separator character or capitalizing one word adds a few extra bits and breaks any word-list-based dictionary attack.

Why physical dice? Computer-based RNGs are generally fine if they’re CSPRNGs (crypto.getRandomValues() in browsers, secrets.choice() in Python). But dice provide audit-able randomness that can’t be silently compromised by malware.

Password managers: which to use

A password manager solves the only password problem that actually matters at scale:reuse. Without a manager, humans typically reuse 5-10 passwords across hundreds of accounts; one breach compromises all of them. With a manager: every account gets a unique random 20+ char password, and one master passphrase protects the vault.

Top tier (recommended):

  • Bitwarden: open-source, free for individual use, $10/year for premium. Audited, host-it-yourself option, strong cryptography. Best balance of cost / features / trust.
  • 1Password: $36/year individual, $60/year family. Polished UX, proprietary but well-audited. Travel mode (hides vaults at borders) is unique.
  • KeePassXC: open-source, free, fully offline. Stores vault as a local file. Best for paranoid users; sync via your own cloud (Dropbox, etc.).

Browser-built-in (acceptable but less secure): Chrome, Firefox, Safari. Free, convenient. Less protected against malware than dedicated managers because vault keys are easier for browser-resident attackers to access.

Avoid: LastPass (multiple breaches with poor disclosure), any password manager not opened to security audit, anything storing passwords in plain text.

Two-factor authentication: why it matters

Even a 130-bit password is vulnerable to phishing (the user types it into a fake site) and credential stuffing (attacker has the password from a different breach). Two-factor authentication (2FA) adds a second proof of identity.

Methods, ranked by security:

  1. Hardware security keys (YubiKey, Titan): $25-75 USB or NFC dongle. Phishing-resistant by design; the key cryptographically signs the request scoped to the real domain. The gold standard for high-stakes accounts (email, financial, admin).
  2. Passkeys (FIDO2/WebAuthn): built-in to modern OSes (iOS, Android, macOS, Windows 11). Same cryptographic strength as security keys; uses device biometrics. The future of authentication; rolling out across major sites.
  3. TOTP apps (Authy, Google Authenticator, 1Password): 6-digit code rotating every 30 seconds. Strong against credential stuffing; vulnerable to sophisticated phishing (real-time relay attacks). Use this where security keys aren’t supported.
  4. SMS: a second factor, but vulnerable to SIM swap attacks (an attacker convinces your carrier to transfer your number). Better than nothing; worse than TOTP. Avoid for high-stakes accounts.

Practical recommendation: enable 2FA everywhere offered. Use passkeys or hardware keys for email, password manager master, banking, and domain registrar. TOTP for everything else. SMS only if no other option exists.

Myths that won’t die

  • “Change passwords every 90 days”. NIST guidance (SP 800-63B) explicitly recommends AGAINST mandatory rotation since 2017. Forced rotation produces weaker passwords (humans add “1” then “2”...). Rotate after a known breach, not on a schedule.
  • “Composition rules make passwords stronger”. The “1 uppercase, 1 number, 1 symbol” convention forces specific patterns attackers know to try first. Modern guidance: require length only.
  • “Hint questions improve security”. Mother’s maiden name, first car, favorite teacher — all easily guessed or harvested from social media. NIST SP 800-63B forbids them in current guidance.
  • “Don’t reuse master password”. Trivially true, but specifically: your password manager master is the highest-value secret you own. Use a unique, long passphrase. Memorize it. Write it down on paper and store in a safe (not in the manager).
  • “HTTPS makes my password secure”. HTTPS protects your password in transit. It doesn’t protect against the receiving server being compromised, the password being phished into a malicious clone, or the password manager being attacked. Multi-layer defense.

Real attacks: how passwords actually leak

Modern attackers rarely brute-force a single account. Real attack patterns:

  1. Database breaches: attacker compromises a server, dumps the user table. If hashes are weak (MD5, SHA-1, unsalted), passwords are recovered offline. Have I Been Pwned (haveibeenpwned.com) catalogs 12+ billion breached credentials.
  2. Credential stuffing: attacker takes leaked usernames+passwords from one breach and tries them on other sites. ~85% of attacks on most consumer sites in 2024-2025 are credential stuffing. Defense: unique passwords per site.
  3. Phishing: attacker sends fake login page, user enters real credentials. 90%+ of corporate breaches start here. Defense: passkeys / hardware keys (phishing-resistant), education, 2FA.
  4. Malware: keylogger, browser-extension stealer, password-manager attacker. Defense: keep OS and browser patched, verify password manager integrity, use hardware keys for highest-stakes accounts.
  5. Social engineering: convincing a customer service rep to reset the account. Defense: enable account-recovery 2FA, set up trusted contacts, use unique recovery emails.
  6. SIM swap: attacker convinces carrier to port your number. Defense: TOTP / hardware keys instead of SMS, carrier-level PINs.

Notice: pure brute-force isn’t in the top 6. Real attacks bypass entropy via reuse, phishing, or social engineering. That’s why password managers + 2FA matter more than choosing “a really strong password.”

What good password policies look like

For organizations setting password rules, current NIST guidance (SP 800-63B):

  • Minimum 8 characters (12+ recommended).
  • Allow at least 64 characters.
  • Allow ALL printable Unicode (including spaces and emoji).
  • Reject passwords on known-breach lists (HIBP API).
  • Reject passwords on context-specific lists (your service name, common usernames).
  • NO composition rules.
  • NO mandatory rotation.
  • NO hint questions.
  • Use Argon2id, bcrypt cost 12+, or scrypt for hashing. Never MD5 or SHA-1.
  • Require 2FA for any account with admin or privileged access.
  • Lockout policies based on failed attempts per IP / per user, with rate-limiting.

Length recommendations by site type

  • Throwaway / low-stakes (forums, news sites, free trials): 12+ random characters.
  • Ordinary (email, social media, retail, work tools): 16+ random characters.
  • Financial (banks, brokerages, crypto exchanges): 20+ random characters + 2FA via hardware key or passkey.
  • Critical (password manager master, primary email, domain registrar): diceware passphrase 7+ words OR 24+ random characters + hardware key 2FA.
  • Server / SSH / API keys: ed25519 or RSA-4096 keys, not passwords. Passphrases on private keys 7+ diceware words.

Personal security checklist

  1. Install a password manager (Bitwarden free is fine).
  2. Set a 7-word diceware master passphrase. Memorize it. Store on paper in a safe.
  3. Enable 2FA on the password manager (hardware key or passkey).
  4. Audit existing passwords: any reused? Get unique 20+ char ones generated and stored.
  5. Audit old breaches at haveibeenpwned.com with all your email addresses.
  6. Enable 2FA on email (the recovery vector for everything else). Use hardware key or passkey.
  7. Enable 2FA on banking, brokerages, and domain registrar.
  8. Set up account-recovery 2FA: trusted contacts, recovery codes printed, verified backup phone.
  9. Replace SMS 2FA with TOTP wherever possible.
  10. Review and revoke unused app permissions (Google, Apple, GitHub OAuth grants).
  11. Check periodically for new breaches involving your email (HIBP can alert).

The 80/20 takeaway

The math is clear: 80+ bits of true entropy is uncrackable by brute force. 130+ bits is uncrackable forever. The password generator outputs 130-bit passwords by default. The hard problems aren’t strength — they’re reuse (solve with a password manager), phishing (solve with hardware keys / passkeys), and old breaches (solve with HIBP audit and unique passwords going forward).

If you do three things: (1) use a password manager with unique 20+ char passwords, (2) enable hardware-key or passkey 2FA on your email and password manager, (3) check HIBP every 6 months for new breaches — you’ve handled 95% of real-world attack vectors. The remaining 5% (sophisticated phishing, supply-chain malware) requires organizational defenses; for individuals, those three steps put you in the top 1% of security posture.

Use these while you read

Tools that pair with this guide

Frequently asked questions

How long does it take to crack a 12-character random password?

Depends on character pool and hash algorithm. 12 random alphanumeric chars (a-zA-Z0-9, 62 pool) = ~71 bits entropy. Against MD5 (broken hash) at 10¹¹ guesses/sec on consumer GPU: ~750 years average. Against bcrypt cost 12 at ~30,000 guesses/sec: ~10¹⁵ years (heat-death uncrackable). Same password against Argon2id: similar. The hash algorithm matters as much as the password length. Most modern services use bcrypt or Argon2id. Public service: enable HIBP password monitoring on your accounts to know if any leak.

Is 'correct horse battery staple' still a strong passphrase?

It's only ~44 bits entropy (4 random words from a small list), and it's now famous enough to be in attacker dictionaries verbatim. Modern guidance: 6-7 random words from the 7,776-word EFF diceware list = 77-91 bits. Add a separator character or capitalize one word for resistance to word-list dictionary attacks. Generate with physical dice or a CSPRNG (crypto.getRandomValues in browsers). Memorize the result. Use this for anything you must type from memory: password manager master, full-disk encryption.

What's the safest way to generate a strong password?

Use a password manager's built-in generator OR a CSPRNG-based tool (like our password generator that uses Web Crypto's getRandomValues). Both produce cryptographically random output. NEVER use Math.random() (predictable), online sites that send your password to their server (often logged), or your own 'random-looking' string (humans aren't random). For passwords you must memorize: roll physical dice using the EFF diceware word list to generate a 6-7 word passphrase. Verify the entropy after generation; tools like KeePassXC show entropy estimates that account for word-list attacks.

Why do most modern password policies skip composition rules?

NIST SP 800-63B (2017+) explicitly recommends AGAINST composition rules ('must contain 1 uppercase, 1 digit, 1 symbol'). Reasons: (1) They force specific patterns attackers know to try first ('Password1!' satisfies most rules). (2) They produce weaker passwords by limiting human creativity. (3) They cause users to write down passwords or reuse minor variations across sites. Modern policy: require length only (12+ chars), reject known-breach passwords (HIBP API), allow all printable Unicode. The result: stronger real-world passwords with less user friction.

Advertisement

Found this useful?Email

Continue reading

100% in-browserNo downloadsNo sign-upMalware-freeHow we keep this safe →