Creating Strong Passwords

What makes passwords secure and how to create a strong password.



How passwords work

Passwords are one of many forms of authentication and one of the simplest ways to secure accounts and information. They work in different ways with different algorithms, but they all share one common vulnerability: time.

Given enough time, any password could eventually be cracked. This follows from how the cryptographic algorithms work: the chance of a password being cracked decreases as its entropy increases.

Password strength can be measured in terms of entropy, which reflects the randomness of a password. A higher entropy means more possible combinations, increasing the time required to crack it. A secure password therefore needs entropy: the more entropy it has, the longer it will take to crack.

| Description | Password | Bits of Entropy | Est. Time to Crack |
| --- | --- | --- | --- |
| Most "Common Password" | "123456" | 19.93 | 1 Second |
| A typical randomly generated 8 character password | "Nc.x90-X" | 52.44 | 3 Hours |
| Following the NCSC recommended "Three Random Words" | "poachrubycoma" | 61.11 | 14 Days |
| Following Forbes "How To Create A Strong Password" | "G7&d#4kzL1!" | 72.10 | 4 Months |
| Randomly generated 10 character password | "o95_/upw-%JJ" | 78.66 | 3 Years |
| Password with over 100 bits of entropy | "MfN&q~WJqWzt4-\v" | 104.87 | Centuries |

To check how strong your password is, use the password strength testing tool by Bitwarden (based on zxcvbn) or use the tool at the bottom of this page to estimate the entropy of your password.


Password Recommendations

Your circumstances and the security required will determine the required password entropy.

At a minimum, we would recommend using a randomly generated passcode that has a minimum of 100 bits of entropy with upper and lowercase letters, numbers, and special characters. Doing this in a password manager like KeePassXC is easy. Keep in mind that if you want to type this password on a phone, it may not be possible to use extended ASCII characters.

To learn more about passwords, read the publication by the US government's National Institute of Standards and Technology here. This was published in 2024, and Appendix A pertains to password strength.




Test your knowledge

Question 1

What is the minimum recommended number of bits of entropy in a password?

Question 2

What is the measure used to evaluate password strength in bits?


Question 3

What common vulnerability do all passwords share, regardless of their strength?



Password Entropy Estimator

This calculator uses a simple formula to estimate the entropy of your password.

The minimum recommended entropy is 100 bits.


This will run locally on your machine and no data is saved or transmitted.
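
The page does not state the calculator's formula. The sketch below is an added example, not the page's own calculator code: it assumes bits = length × log2(character pool), which reproduces the "Bits of Entropy" column in the table above. It also assumes a 7776-word list (a hypothetical list size) to show why that formula overstates passwords built from dictionary words.

```javascript
// Added example: pool-size entropy estimate, bits = length * log2(pool).
// Class sizes cover printable ASCII without the space character (94 total).
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[!-\/:-@\[-`{-~]/, size: 32 }, // the 32 ASCII punctuation symbols
];

// Pool size = sum of the sizes of every character class present.
function poolSize(password) {
  return CLASSES.reduce((n, c) => (c.re.test(password) ? n + c.size : n), 0);
}

// Upper bound: only valid if every character was picked uniformly at random.
// Characters outside the four classes add length but no pool (conservative).
function estimateEntropyBits(password) {
  const pool = poolSize(password);
  const length = Array.from(password).length; // code points, not UTF-16 units
  return pool > 0 ? length * Math.log2(pool) : 0;
}

// Entropy of `words` words drawn at random from a list of `wordlistSize`.
// This is what an attacker guessing whole words has to search.
function passphraseEntropyBits(words, wordlistSize) {
  return words * Math.log2(wordlistSize);
}

// Shortest random password over `pool` symbols that reaches `targetBits`.
function minLengthFor(targetBits, pool) {
  return Math.ceil(targetBits / Math.log2(pool));
}

// Passwords copied from the table above (the backslash is escaped for JS).
const samples = ["123456", "Nc.x90-X", "poachrubycoma", "G7&d#4kzL1!",
                 "o95_/upw-%JJ", "MfN&q~WJqWzt4-\\v"];
for (const pw of samples) {
  console.log(pw.padEnd(18), estimateEntropyBits(pw).toFixed(2));
}
// Assumed 7776-word list: three random words score far below 61.11 bits.
console.log("3 words:", passphraseEntropyBits(3, 7776).toFixed(2));
console.log("length for 100 bits:", minLengthFor(100, 94));
```

The character-pool figure is only meaningful for passwords produced by a random generator; for human-chosen or word-based passwords, a pattern-aware estimator such as the zxcvbn-based tool mentioned earlier gives a more realistic result.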