Password Strength Checker: What Makes a Password Actually Strong
Password strength isn't about special characters. It's about entropy — the number of possible combinations an attacker would have to try to crack it by brute force.
How Entropy Works
Entropy = log2(character set size ^ password length)
An 8-character password using lowercase letters only (26 characters):
log2(26^8) = 8 × log2(26) ≈ 37.6 bits of entropy
Same length with uppercase, lowercase, numbers, and symbols (~94 characters):
log2(94^8) ≈ 52.4 bits of entropy
A 16-character lowercase-only password:
log2(26^16) ≈ 75.3 bits of entropy
The 16-character simple password is dramatically stronger than the 8-character complex one, even though it looks "simpler."
Why Length Beats Complexity
Adding one character to a password multiplies the search space by the size of the character set. Adding special characters to the rules increases the character set by perhaps 30 characters — multiplying the space by ~1.3x per character used.
Going from 8 to 16 characters multiplies the search space by 26^8 ≈ 200 billion times (for a lowercase-only password). No addition of special characters gets close to that improvement.
The Passphrase Approach
Four random common words: "correct horse battery staple" (the famous XKCD example).
Assuming a 2,000-word common word list: log2(2000^4) ≈ 43.9 bits of entropy — comparable to a random 8-character password with full character set, and far easier to remember.
With a larger dictionary (10,000 words): log2(10000^4) ≈ 53.2 bits — and it's still memorable.
What Actually Gets Passwords Cracked
Modern attackers rarely brute-force character combinations. They use:
- Breached databases — your password from a past leak
- Dictionary attacks — common words, names, dates, common substitutions (@ for a, 0 for o)
- Password patterns — "Word+Year+!" is not random
A unique, randomly generated password (via a password manager) for each site defeats all three.
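The entropy formula only holds for randomly chosen characters, so a checker has to score the dictionary and "Word+Year+!" cases separately. The Python below is an added example, not code from this article or its checker: it compares the character-set estimate with a pattern-aware one. The word list, `DICT_SIZE`, `VARIANTS` and the 200-year range are constructed assumptions.

```python
import math
import re
import string

# Constructed stand-in for a real dictionary / breached-password list.
WORDS = {"summer", "password", "dragon", "welcome", "monkey"}
DICT_SIZE = 10_000   # assumed size of the dictionary an attacker would use
VARIANTS = 8         # assumed capitalisation / substitution variants per word
UNLEET = str.maketrans("@0134$5", "aoieass")   # undo "@ for a, 0 for o" style swaps
SHAPE = re.compile(r"^(?P<word>.+?)(?P<year>(?:19|20)\d{2})?(?P<tail>[^\w\s]{0,2})$")

def charset_bits(pw: str) -> float:
    """Entropy as the article defines it: log2(character set size ^ length)."""
    pool = sum(size for chars, size in (
        (string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
        (string.digits, 10), (string.punctuation, 32),
    ) if any(c in chars for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def pattern_bits(pw: str):
    """Bits for a Word[+Year][+symbols] password, or None if the shape does not match."""
    m = SHAPE.match(pw)
    if not m or m["word"].lower().translate(UNLEET) not in WORDS:
        return None
    guesses = DICT_SIZE * VARIANTS
    if m["year"]:
        guesses *= 200                      # years 1900-2099
    guesses *= 32 ** len(m["tail"])         # up to two trailing punctuation marks
    return math.log2(guesses)

def estimate_bits(pw: str) -> float:
    """Lower of the two estimates; still an upper bound on real strength."""
    naive, patterned = charset_bits(pw), pattern_bits(pw)
    return naive if patterned is None else min(naive, patterned)

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real breach.
    for pw in ("abcdefgh", "Summer2024!", "P@ssw0rd", "kq7#Vz!pR2mX"):
        print(f"{pw:14} charset={charset_bits(pw):5.1f}  estimate={estimate_bits(pw):5.1f}")
```

A password that matches no pattern here can still be weak if it appears in a breach list, which this example does not check.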
[Check your password strength →](https://doesitaddup.com)