Password strength is mostly length: what entropy actually measures
When a password checker calls something "strong," it is estimating entropy — the number of equally likely possibilities an attacker must search. The math is simple: a password of length L drawn randomly from a pool of N characters has N^L possibilities, or L × log2(N) bits of entropy.
That exponent is why length dominates. Adding symbols to an 8-character password grows the pool from 62 to roughly 90 characters — about 5 extra bits in total. Adding four more lowercase letters adds about 19 bits. Each bit doubles the attacker's work.
What official guidance actually says
NIST's digital identity guidelines (SP 800-63B) made this official: verifiers should not impose composition rules like "must contain a special character," and should instead allow long passphrases, check candidates against breached-password lists, and drop forced periodic rotation. Composition rules push humans toward predictable patterns — P@ssw0rd1! satisfies every checkbox and sits in every cracking dictionary.
Random beats memorable
The entropy formula only holds when characters are chosen uniformly at random. Human-invented passwords are nothing like uniform: names, dates, keyboard walks and common substitutions collapse the real search space by orders of magnitude. That is the argument for a password manager: it makes true randomness practical. Our password generator draws from the same cryptographically secure browser API.
Practical rules that follow from the math
- 16+ random characters for anything that matters; length is the cheapest upgrade.
- Unique per site — reuse converts one breach into many.
- A randomly generated 4–5 word passphrase is both strong and typeable.
- Check the hash, not the vibe: a SHA-256 digest of a file proves integrity; "looks strong" proves nothing.