What Makes a Password Secure? Entropy, Length, and Randomness
Understand the math behind password security. Learn how entropy, length, and randomness work together to protect your accounts.
When you create a password, you are essentially building a lock. A weak lock can be picked quickly; a strong lock takes an impractical amount of time and effort. But what exactly makes a password secure? The answer comes down to three key concepts: length, character variety, and randomness. Together, these determine a password's entropy, which is a measure of how unpredictable it is.
What is password entropy?
Entropy is measured in bits. For a password chosen uniformly at random, entropy is the base-2 logarithm of the number of possible passwords: a password of L symbols drawn from a pool of N symbols has L × log2(N) bits. Each additional bit doubles the number of guesses an attacker must make, on average, to find it. How long that takes depends on how fast the attacker can guess. An online login form that rate-limits attempts allows only a handful of guesses per second, while an offline attack on a leaked database of fast, unsalted hashes can test billions of guesses per second on commodity GPUs. Against that offline rate, a password with 30 bits of entropy falls in under a second, 60 bits holds for months to years, and 80 bits or more is generally considered secure against brute force for the foreseeable future. These figures apply only to passwords that were actually generated at random; a human-chosen 12-character password built from words and patterns does not earn the 12-character entropy value.
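The arithmetic above, carried out as an added Python example (this is not code from the page's own generator). The guess rates in ATTACK_RATES are illustrative orders of magnitude chosen for this example, not benchmarks; substitute your own for a real threat model.

```python
import math


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a password made of `length` symbols, each chosen uniformly
    at random from `pool_size` candidates: length * log2(pool_size).
    Only valid for randomly generated passwords, not human-chosen ones."""
    if pool_size < 2 or length < 1:
        return 0.0
    return length * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search to hit the password.
    On average the attacker tries half of the 2**bits possibilities."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


# Assumed guess rates for this example (orders of magnitude, not measurements):
# a rate-limited online login, a GPU attack on leaked fast unsalted hashes,
# and the same offline attack against a deliberately slow password hash.
ATTACK_RATES = {
    "online, rate-limited": 10.0,
    "offline, fast hash": 1e10,
    "offline, slow KDF": 1e5,
}


def crack_time_table(bits_values, rates=ATTACK_RATES):
    """Map each entropy value to the expected crack time under each attack rate."""
    return {
        bits: {name: expected_crack_seconds(bits, rate) for name, rate in rates.items()}
        for bits in bits_values
    }


if __name__ == "__main__":
    examples = {
        "8 chars, all 95 printable ASCII": entropy_bits(95, 8),
        "12 lowercase letters": entropy_bits(26, 12),
        "16 chars, all 95 printable ASCII": entropy_bits(95, 16),
        "6 words from a 7776-word list": entropy_bits(7776, 6),
    }
    for label, bits in examples.items():
        print(f"{label}: {bits:.1f} bits")
    print()
    for bits, row in crack_time_table([30, 40, 60, 80]).items():
        cells = ", ".join(f"{name}: {human_duration(t)}" for name, t in row.items())
        print(f"{bits} bits -> {cells}")
```

Run it and compare the rows: the same 60-bit password survives for years against a slow KDF and for days against a fast hash, which is why the hash the service uses matters as much as the password you choose.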
You can see entropy estimates in action on our Password Generator. As you increase the length and enable more character types, the entropy value rises and the strength bar turns green.
Length matters most
Length is the most powerful factor in password strength. A 12-character password made only of lowercase letters is stronger than an 8-character password that uses every character type: 12 × log2(26) is about 56 bits, while 8 × log2(95) (all printable ASCII) is about 53 bits. This is why passphrases, which are long sequences of randomly chosen words, are often recommended. Learn more in our password vs passphrase comparison.
Character variety adds entropy
Using uppercase, lowercase, numbers, and symbols increases the size of the character pool. A larger pool means more possible combinations for a given length, but the gain is modest: doubling the pool adds only one bit per character, while each extra character adds log2(N) bits, about 4.7 for lowercase letters and 6.6 for all printable ASCII. Widening an 8-character password from lowercase to all 95 printable characters adds about 15 bits; extending it from 8 to 12 lowercase characters adds about 19. Adding complexity without adding length therefore has limited benefit, and forced complexity rules tend to produce predictable placements (a capital first, a digit or symbol last). The best approach is to combine length with variety.
Randomness beats patterns
Human-chosen passwords are usually far less random than they feel. People gravitate toward dictionary words, names, dates, and predictable substitutions like a→@ or s→$. Attackers know these patterns and build them into their cracking wordlists and mangling rules, so a password like a dictionary word with a few substitutions is searched as one word times a few dozen rules, not as an 8-character random string. Genuinely random output, produced by a cryptographically secure random number generator such as the one behind our Random Password Generator, avoids these pitfalls.
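An added Python example, not the page's own generator, showing how random passwords and passphrases are produced from the operating system's CSPRNG (the `secrets` module, never `random`) and how much entropy each construction actually carries. It also illustrates the passphrase point from the section on length. SAMPLE_WORDS is a constructed 32-word list used only so the example runs offline; the dictionary and rule-count figures in dictionary_attack_bits are assumed sizes for illustration.

```python
import math
import secrets
import string

# Constructed 32-word sample list for illustration only. A real Diceware-style
# list has 7776 words, so each word drawn from it adds log2(7776), about 12.9 bits.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "acorn", "breeze", "copper", "drizzle", "ferry", "granite",
]

# Letters, digits and punctuation: 94 symbols (95 if space is included).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """length * log2(pool_size): entropy of a uniformly random password."""
    if pool_size < 2 or length < 1:
        return 0.0
    return length * math.log2(pool_size)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Password of `length` symbols from `alphabet`, each chosen with secrets.choice,
    which draws from the OS CSPRNG; random.choice is not suitable for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Passphrase of `count` words chosen independently and uniformly from `words`.
    Repeats are allowed; that keeps each word worth the full log2(len(words)) bits."""
    return sep.join(secrets.choice(words) for _ in range(count))


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of `wordlist_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def dictionary_attack_bits(dictionary_size: int, rule_count: int) -> float:
    """Effective search space when the attacker models the password as a
    dictionary word plus one mangling rule (capitalize, a->@, append a digit...).
    For a human-chosen password this, not length * log2(pool), is the real figure."""
    return math.log2(dictionary_size * rule_count)


if __name__ == "__main__":
    pw = random_password(16)
    print(f"random password : {pw}  ({entropy_bits(len(PRINTABLE), 16):.1f} bits)")

    phrase = random_passphrase(SAMPLE_WORDS, 6)
    print(f"sample passphrase: {phrase}  ({entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits from a 32-word list)")
    print(f"6 words from a 7776-word list would give {entropy_bits(7776, 6):.1f} bits;")
    print(f"reaching 80 bits from that list needs {words_needed(7776, 80)} words")

    # Assumed attacker model: a 100,000-word dictionary and 64 mangling rules.
    naive = entropy_bits(len(PRINTABLE), 8)
    real = dictionary_attack_bits(100_000, 64)
    print(f"'P@ssw0rd' looks like {naive:.1f} bits of random ASCII "
          f"but is about {real:.1f} bits against a rules-based dictionary attack")
```

The two printed figures for the substituted dictionary word are the whole argument of this section: the attacker's model of the password, not its character count, sets the effective entropy, and only a CSPRNG-generated password gets the full length × log2(N) value.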
Practical security recommendations
- Use at least 16 characters for everyday accounts.
- Use 20+ characters for high-value accounts like email, banking, and password managers.
- Use a unique password for every account.
- Enable two-factor authentication whenever possible.
- Store credentials in a trusted password manager such as 1Password or Bitwarden.
Conclusion
A secure password is long, varied, and random. You do not need to memorize it yourself if you use a password manager. Focus on entropy, avoid predictable patterns, and make every password unique. For help generating them, try any of our free password tools.