What Makes a Secure Password?
There have been many, many posts about password strength – “What makes a secure password”. Some right, some wrong, some technical, some funny.
But still, when we ran a quiz recently, almost everyone got this question wrong:
Which of These Passwords is Easier for a Computer to Crack?
longbutsimpleandeasytoremember
or
Tr!ckY0n3
Almost everyone in the room got it wrong, even the mathematicians.
The quiz was a stand up if you’re right, sit down if you’re wrong, last player standing wins a prize thing. I’d wiped out nearly everyone by question 2.
But notice the phrasing of the question … which is easier for a computer to crack? If the attacker's only tool is a computer generating every possible combination and trying each one in turn (a brute-force attack), what matters is your password's entropy. In practice a login screen that rate-limits attempts will stop such an attack long before it succeeds; brute force really bites when an attacker has obtained a copy of the site's hashed passwords and can test guesses offline at billions per second.
What is Password Entropy?
In the context of passwords, entropy is a measure of how many distinct passwords could have been produced given the password's length and the range of characters it draws from.
A pair of digits:
12 = 10 ^ 2 = 100 combinations
A pair of lowercase letters is harder:
qx = 26 ^ 2 = 676 combinations
A combination of numbers and lower case characters allows for more combinations:
w6 = 36 ^ 2 = 1296 combinations
Increasing password length significantly increases entropy and makes for a much more secure password:
sw14 = 36 ^ 4 = 1679616 combinations
Password entropy is usually expressed in bits: the number of combinations is 2 to the power of the bits, so 1,679,616 combinations is about 20.7 bits. The fewer the bits, the fewer combinations there are and the easier the password is to guess; a higher number of bits makes the password harder to crack. A password that is already known has 0 bits of entropy, while one that can be guessed on the first attempt 50% of the time has 1 bit of entropy.
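To make the arithmetic above concrete, here is an added worked example in Python (my code, not the post's own, and not the online calculator the post refers to further down) that applies the same length-times-alphabet model to each of the strings discussed. The alphabet sizes are this example's assumptions: 26 lower-case letters, 26 upper-case letters, 10 digits and the 33 remaining printable ASCII characters including space, 95 in all. The guess rate given to years_to_exhaust is likewise an assumption you supply. Because online calculators differ in the alphabet they assume, the bit counts this prints will not exactly match the calculator figures quoted later.

```python
import math

# Alphabet sizes used by the naive "length x alphabet" entropy model (this
# example's assumption). 33 is the number of printable ASCII characters,
# space included, that are neither letters nor digits: 95 - 26 - 26 - 10.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def combinations(password: str) -> int:
    """Exact number of strings of the same length drawn from the same alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Entropy in bits: log2 of the number of combinations, i.e. length * log2(alphabet)."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every one of 2**bits combinations at a given guess rate.

    The rate is an assumption you supply: 1e10 guesses/s is a plausible figure for
    a GPU rig attacking a fast unsalted hash offline, while a login form that allows
    10 attempts per second is a billion times slower.
    """
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["12", "qx", "w6", "sw14", "longbutsimpleandeasytoremember", "Tr!ckY0n3"]:
        bits = entropy_bits(pw)
        print(f"{pw!r:34} alphabet={alphabet_size(pw):3} combinations={combinations(pw):,}"
              f" bits={bits:6.1f} years@1e10/s={years_to_exhaust(bits, 1e10):.3g}")
```

Run it and the four worked examples above come out exactly as stated (100, 676, 1,296 and 1,679,616 combinations), the 30-letter phrase comes out at about 141 bits, and the nine-character Tr!ckY0n3 at about 59 bits.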
How much Entropy is Good for a Password?
At the time of writing (early 2025) Google reckons that your password should have at least 60 bits of entropy. Other providers of security services suggest 75 or more. As the processing power of computers continues to grow, this number will only get higher.
For the record, according to this calculator:
longbutsimpleandeasytoremember = 26 ^ 30 = about 141 bits of entropy (the calculator reports 145.7, having counted 31 characters; the string has 30)
and
Tr!ckY0n3 = 74.9 bits of entropy (a more conservative count, 9 characters drawn from the 95 printable ASCII characters, gives only about 59 bits, short of the 60-bit floor above)
Moore’s law and the arrival of quantum computing notwithstanding, testing every combination against 141 bits of entropy will still take several lifetimes of the universe … for now.
Entropy is Not Everything
Computers, like people, can get lucky.
A 30-character, lowercase password like the one above has 26 ^ 30 =
2,813,198,901,284,745,919,258,621,029,615,971,520,741,376
… potential combinations. But the computer doesn’t need to get through all the combinations, it just needs to hit the right one. Since the UK National Lottery began in 1994, there have been around 3,000 draws (again, as of early 2025). The vast majority of people have not won and never will. But someone did, on the very first day.
Every guess, the first or the last, is equally likely to be the one that matches. On average a brute-force attacker finds the password after trying half the combinations, and occasionally very much sooner.
Further, passwords are seldom random.
Consider:
Password123!
It’s 12 characters long and mixes upper- and lower-case letters, digits and a special character. It will pass many password-strength tests, and the calculator gives it a very respectable 98.28 bits … but nobody would ever recommend it as a secure password. Entropy calculators assume every character was chosen at random; these were not, and Password123! sits near the top of every cracking wordlist, so a dictionary attack reaches it in a handful of guesses rather than 2 ^ 98.
Computers are Not Everything
We have a client who uses passwords like this (including, where he can, the spaces):
So we beat on, boats against the current, borne back ceaselessly into the past
Mind-bendingly complex, entropy through the roof.
But if you know the man, know he loves F. Scott Fitzgerald, and you want to get at his goodies, you’re a country mile ahead of any brute-force search when it comes to making guesses. And an attacker doesn’t even need to know him: lists of famous quotations, song lyrics and book titles are standard cracking wordlists.
A combination of human ingenuity and computer-processing firepower means the vast majority of passwords are guessable.
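An added example (my code, not the post's) covering both points made above, the wordlist hit on Password123! and the quotation attack on the Fitzgerald line. It orders candidate guesses the way a cracking tool does, dictionary words with mangling rules first, then well-known lines with a few obvious edits, and reports the position at which a target is reached. The word, suffix and quotation lists are deliberately tiny, constructed stand-ins for the multi-million-entry lists real tools ship with; naive_bits assumes a 95-character printable-ASCII alphabet, the score a charset-times-length calculator would give.

```python
import math

# Constructed, deliberately tiny stand-ins for the lists a real cracking tool
# ships with (those run to hundreds of millions of words and thousands of rules).
COMMON_WORDS = ["password", "welcome", "letmein", "qwerty", "dragon", "monkey"]
SUFFIXES = ["", "1", "123", "!", "1!", "123!", "2024", "2025"]
FITZGERALD = "So we beat on, boats against the current, borne back ceaselessly into the past"
FAMOUS_LINES = [
    "Call me Ishmael",
    "It was the best of times, it was the worst of times",
    FITZGERALD,
    "Not all those who wander are lost",
]


def naive_bits(password: str) -> float:
    """The score a charset-times-length calculator gives, assuming all 95 printable ASCII characters."""
    return len(password) * math.log2(95)


def word_candidates():
    """Dictionary words with the mangling rules crackers try first: case changes and common suffixes."""
    for word in COMMON_WORDS:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield variant + suffix


def phrase_candidates():
    """Well-known lines as printed, then with the edits someone typing them as a password might make."""
    for line in FAMOUS_LINES:
        yield line                                              # exactly as printed
        yield line.lower()                                      # all lower case
        yield line.replace(" ", "")                             # spaces removed
        yield "".join(c for c in line.lower() if c.isalnum())   # lower case, letters and digits only


def candidates():
    """The attacker's guess order: cheap, high-yield dictionary guesses before phrases."""
    yield from word_candidates()
    yield from phrase_candidates()


def guesses_needed(target: str):
    """1-based position of target in the guess order, or None if this candidate set never reaches it."""
    for position, guess in enumerate(candidates(), start=1):
        if guess == target:
            return position
    return None


def effective_bits(target: str):
    """log2 of the guesses actually needed: the entropy the attacker experiences."""
    n = guesses_needed(target)
    return None if n is None else math.log2(n)


if __name__ == "__main__":
    for pw in ["Password123!", FITZGERALD, "longbutsimpleandeasytoremember"]:
        n = guesses_needed(pw)
        found = f"found on guess {n} (about {math.log2(n):.1f} bits)" if n else "not in this candidate set"
        print(f"{pw[:32]!r:36} calculator says {naive_bits(pw):6.1f} bits; {found}")
```

Password123! scores about 79 bits on the calculator model but falls on guess 14; the 78-character Fitzgerald line scores over 500 bits and falls on guess 153. The random-looking 30-letter phrase is the only one this candidate set never reaches, which is the real argument for it: its strength comes from not being on anyone's list, not from its length alone.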
Computers May Not Even Need to Crack Your “Secure Password”
Although any responsible developer stores only a hash of each password rather than the password itself, black hats have been stealing password databases for as long as there have been passwords. Being community-minded folk, they share the stolen hashes online, and others publish the cracked results. If a hacker obtains your hashed password and the site used a fast, unsalted hash such as MD5 or SHA-1, a simple web search for the hash value can reveal the password in seconds. A random per-user salt and a deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2) are what make that lookup impossible.
As of January 2025, such lookups no longer appear on page one of Google’s results, but they won’t be hard to find.
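An added example (my code, not the post's or any particular site's) showing why the web search works and what stops it. MD5_LOOKUP is a constructed stand-in for a published hash-lookup table; the record format, the function names and the 600,000 PBKDF2 iterations (the count OWASP currently recommends for PBKDF2-HMAC-SHA256) are this example's own choices.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the published "hash -> password" lookup tables: the
# attacker has already hashed a list of common passwords with a fast, unsalted
# algorithm (MD5 here) and indexed the result by hash value.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "Password123!", "letmein"]


def md5_hex(password: str) -> str:
    """The kind of fast, unsalted hash that leaked databases all too often contain."""
    return hashlib.md5(password.encode()).hexdigest()


MD5_LOOKUP = {md5_hex(p): p for p in COMMON_PASSWORDS}


def reverse_fast_hash(hex_digest: str):
    """What a web search for an unsalted MD5 achieves: a table lookup, no cracking at all."""
    return MD5_LOOKUP.get(hex_digest.lower())


# How a site should store passwords instead: a random per-user salt plus a slow,
# iterated hash. PBKDF2-HMAC-SHA256 is used because it is in the standard library;
# bcrypt, scrypt or Argon2id are equally acceptable. The record format is this
# example's own: "algorithm$iterations$salt$digest", salt and digest in hex.
ITERATIONS = 600_000  # assumption: the OWASP-recommended count for PBKDF2-HMAC-SHA256


def store_password(password: str) -> str:
    salt = os.urandom(16)  # unique per record, so no table can be precomputed
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked = md5_hex("Password123!")
    print("unsalted MD5 found in a breach dump:", leaked)
    print("lookup table recovers:", reverse_fast_hash(leaked))

    record_a = store_password("Password123!")
    record_b = store_password("Password123!")
    print("same password, two users, different records:", record_a != record_b)
    print("correct password verifies:", verify_password("Password123!", record_a))
    print("wrong password verifies:  ", verify_password("Password123", record_a))
```

The salt defeats the lookup table because every user's record is different even for the same password, and the iteration count turns a billions-per-second attack into thousands per second. Neither rescues Password123! itself: an attacker holding the record can still run the top of a wordlist against that one salt and reach it quickly. Salting and stretching buy time and kill table lookups; they do not fix a bad password.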
So What Can You Do?
As a Web User
The laws of entropy suggest you need ever longer, more complex passwords, and every piece of security advice ever written says to use a different password for every service.
Keeping a password memorable by necessity makes it less random and therefore, potentially, less secure. Yet the number of separate passwords you need to operate online is simply staggering.
Today, at a guess, I have logged into my phone, Scrabble, DuoLingo, my laptop, my desktop, Monday.com, Zoom, Facebook, Twitter, LinkedIn, WordPress, Plesk and so on and so on.
Get hold of a password manager: Windows, macOS, Android and iOS all have excellent built-in password managers, and they will generate and remember strong, unique passwords for you. Trust your password manager, then protect it with one really good, strong, secure password and, where it is offered, a second factor.
Get it right, and you’ll only need to remember the one password.
As a Website Owner
People are great. Maybe only one in a thousand is an idiot. But if you’re lucky enough to have 30,000 users on your system, that’s 30 idiots.
It only takes one.
Hackers are clever. From a technical point of view, they probably know more about your website than you do. Once they’re inside, it takes a professional to gauge the damage they can do.
Securing your site and your data has never been more important.
Passwords may well be on their way out: biometric controls, multi-factor authentication and single-use codes all offer enormous improvements over the traditional username/password combination. Until then, the minimum is to store only salted, slow hashes of passwords, rate-limit login attempts and reject passwords that appear in published breach lists. You need a developer who can help you implement real server-side security.
You need Little Fire Digital, contact us.