What actually makes a password unbreakable (and what doesn't)
In 2003 a NIST employee named Bill Burr wrote a guidance document that gave us 90-day rotations, mandatory uppercase, mandatory numbers, and the special-character rule. In 2017 he publicly apologised. The math says he was wrong, and the math hasn't changed since.
The only number that matters: entropy
Password strength is one number: entropy, measured in bits. n bits of entropy means the attacker has 2ⁿ equally likely candidates to get through, and expects to hit yours about halfway, after 2ⁿ⁻¹ guesses. 40 bits means 2⁴⁰ candidates, about a trillion. 80 bits means 2⁸⁰, about 10²⁴, more than there are grains of sand on Earth.
The formula is straightforward when the password is randomly generated, each character drawn independently and uniformly from the alphabet:
entropy = log₂( charset_size ^ length )
        = length × log₂( charset_size )
That's it. The entire field of password strength measurement, in two lines, for a password whose characters really were chosen at random. Notice what the formula tells you. Entropy grows linearly with length and only logarithmically with alphabet size. Each extra character adds the full log₂ of the alphabet: about 4.7 bits for lowercase letters, about 6.6 bits for all 95 printable ASCII characters. Adding a new character class only changes what sits inside the logarithm, and the logarithm flattens it: going from lowercase only (26) to lowercase plus digits (36) adds log₂(36) − log₂(26) ≈ 0.47 bits per character, so you need that upgrade on ten characters to match what one more lowercase letter buys.
The math, applied
| Password | Charset | Length | Entropy if random (bits) |
|---|---|---|---|
| P@ssw0rd! | 95 (all) | 9 | ~59 |
| correcthorsebatterystaple | 26 (lower) | 25 | ~117 |
| Tr0ub4dor&3 | 95 (all) | 11 | ~72 |
| jK7$pQ2!nM | 95 (all) | 10 | ~66 |
| 20-char random lowercase | 26 | 20 | ~94 |
| 20-char random all symbols | 95 | 20 | ~131 |
The 25-character all-lowercase passphrase ("correcthorsebatterystaple", from the famous xkcd comic) scores about 45 bits more than the 11-character "Tr0ub4dor&3", which is 2⁴⁵, some thirty-five trillion, times as many guesses, even though one looks like a hacker movie prop and the other looks like a children's book. One caveat the table hides: those two rows are scored as if every character had been drawn at random, and neither was. xkcd's own estimate is about 28 bits for Tr0ub4dor&3 (one dictionary word plus the mutations every cracker tries first) and about 44 bits for four words picked at random from a 2048-word list, because what is random there is the choice of word, not the letters inside it. The conclusion survives the correction: four random words beat one mangled word by 16 bits, about 65,000 times the work, and a fifth word adds another 11. Length wins, by a lot, as long as what you add is actually random.
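The formula and the table, carried through in code. This is an added example, not Foliokit's code: it scores the table's rows with the charset formula, scores the xkcd strings by the process that produced them (random word choice from a list, the formula xkcd uses), and converts bits into search time at the 10¹² guesses per second the article quotes for a small GPU cluster. The `inferredCharsetSize` helper and the guess rate are assumptions made for the example.

```javascript
// Added example (not Foliokit's code): the entropy formula applied to the
// table's rows, next to the formula that actually governs a passphrase, and
// the time an attacker needs at a given guess rate.

// Random string, each character drawn uniformly from an alphabet of
// `charsetSize` symbols: entropy = length * log2(charsetSize).
function charsetEntropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

// Random passphrase, each word drawn uniformly (with replacement) from a
// list of `listSize` words: entropy = words * log2(listSize). The letters
// inside the words are not random, so the charset formula overstates it.
function passphraseEntropyBits(words, listSize) {
  return words * Math.log2(listSize);
}

// The alphabet the table assumes for a string: the union of the character
// classes that appear in it (95 = 26 + 26 + 10 + 33 printable ASCII, space
// counted among the 33). This describes the alphabet, not how the string
// was chosen, which is why it flatters "P@ssw0rd!".
function inferredCharsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 33;
  return size;
}

// Seconds to try every one of the 2^bits candidates at `guessesPerSecond`.
// The expected time to a hit is half of this.
function worstCaseSeconds(bits, guessesPerSecond) {
  return 2 ** bits / guessesPerSecond;
}

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

function humanTime(secs) {
  if (secs < 3600) return `${secs.toFixed(0)} s`;
  if (secs < SECONDS_PER_YEAR) return `${(secs / 3600).toFixed(1)} h`;
  return `${(secs / SECONDS_PER_YEAR).toExponential(1)} years`;
}

// Constructed input: rows from the article's table scored by the charset
// formula, then the same xkcd strings scored by how they were made.
const RATE = 1e12; // small GPU cluster against unsalted MD5, as in the article
const rows = [
  ["P@ssw0rd! (charset formula)", charsetEntropyBits(9, inferredCharsetSize("P@ssw0rd!"))],
  ["correcthorsebatterystaple (charset formula)", charsetEntropyBits(25, 26)],
  ["Tr0ub4dor&3 (charset formula)", charsetEntropyBits(11, inferredCharsetSize("Tr0ub4dor&3"))],
  ["4 words from a 2048-word list (xkcd)", passphraseEntropyBits(4, 2048)],
  ["6 words from a 7776-word diceware list", passphraseEntropyBits(6, 7776)],
  ["12 random chars from 95", charsetEntropyBits(12, 95)],
];
for (const [label, bits] of rows) {
  const time = humanTime(worstCaseSeconds(bits, RATE));
  console.log(`${label.padEnd(44)} ${bits.toFixed(1).padStart(6)} bits  exhaustive search: ${time}`);
}
```

Run it and the two xkcd rows land next to each other: the charset formula gives "correcthorsebatterystaple" 117 bits and centuries of search, while the honest 44 bits for four random words is gone in seconds at 10¹² guesses per second against a fast hash. That gap is the argument for a slow password hash on the server side and for six or more words, not four, when a passphrase has to be typed from memory.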
What attackers actually do
Real attackers don't sit there typing "aaaa, aaab, aaac." They use three techniques, in this order:
1. Credential stuffing
Take a list of breached username/password pairs from one site (Yahoo, LinkedIn, Adobe; billions of pairs are in circulation) and try them on every other site. This works because most people reuse passwords. The single biggest password-security upgrade you can make is a unique password for every account: length and complexity are irrelevant if the password also sits in a leak.
2. Dictionary attacks with mutations
Take a wordlist (common passwords, English words, names, sports teams, song lyrics) and run it through mutation rules: capitalize the first letter, append a digit, swap "a" for "@", add an exclamation point. The "P@ssw0rd!" that satisfies your IT policy is in every cracker's first thousand guesses. A substitution the rule set already contains adds at most a bit or two of real entropy, because the attacker simply tries both spellings; the table's 59 bits for P@ssw0rd! is the alphabet talking, not the password.
3. Brute force
Only used when the first two fail. A single modern GPU computes roughly 10¹¹ MD5 hashes per second; a small cluster reaches 10¹². At that rate an 8-character random password from the full 95-character set (95⁸ ≈ 6.6 quadrillion combinations, ~53 bits) falls in about two hours worst case, and in half that on average. A 12-character random password from the same set (95¹² ≈ 5.4 × 10²³, ~79 bits) takes about 17,000 years at the same rate: out of reach, but nowhere near "the age of the universe", and every 10 extra bits multiply the time by about a thousand. These figures assume the site stored an unsalted fast hash like MD5. A purpose-built password hash (bcrypt, scrypt, Argon2) cuts the guess rate by many orders of magnitude (bcrypt at a typical work factor runs at thousands of guesses per second per GPU rather than 10¹¹), which is why how the site hashes matters as much as what you choose.
The 1990s rule of thumb — "8 characters with mixed case and a digit" — is fine if your goal is keeping your kid sister out of your AOL account. It is grossly insufficient against a modern adversary.
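The dictionary-with-mutations step above, as an added example that is not Foliokit's code: a toy rule engine in the style of hashcat and John the Ripper rule files, run over a constructed seven-word list, reporting where a policy-compliant "P@ssw0rd!" falls in the guess order and what that position is worth in bits. The word list, the rule set and the ordering are assumptions made for the example; real cracking runs use millions of words and thousands of rules, and dedupe candidates.

```javascript
// Added example (not Foliokit's code): a toy mutation engine in the style of
// hashcat / John the Ripper rule files, run over a constructed word list.

// Constructed word list: a few of the most common base words.
const WORDS = ["password", "letmein", "welcome", "monkey", "dragon", "football", "qwerty"];

// Pieces a rule can combine. Crackers order these by hit rate, not by
// "complexity", so cheap mutations of common words come first.
const CASES = [(w) => w, (w) => w[0].toUpperCase() + w.slice(1)];
const SUBSTITUTIONS = [
  [],
  [["a", "@"]],
  [["o", "0"]],
  [["a", "@"], ["o", "0"]],
  [["e", "3"]],
  [["i", "1"]],
  [["s", "$"]],
  [["a", "@"], ["o", "0"], ["e", "3"], ["i", "1"], ["s", "$"]],
];
const SUFFIXES = ["", "1", "!", "123", "1!", "2024"];

function applySubstitutions(word, subs) {
  let out = word;
  for (const [from, to] of subs) out = out.split(from).join(to);
  return out;
}

// Yields candidates in attack order: cheapest rule first, every word per rule.
function* candidates(words = WORDS) {
  for (const suffix of SUFFIXES)
    for (const subs of SUBSTITUTIONS)
      for (const recase of CASES)
        for (const word of words)
          yield recase(applySubstitutions(word, subs)) + suffix;
}

// 1-based position of `target` in the guess stream, or null if this rule set
// never produces it (the attacker then needs more rules, or brute force).
function rankOf(target, words = WORDS) {
  let rank = 0;
  for (const candidate of candidates(words)) {
    rank++;
    if (candidate === target) return rank;
  }
  return null;
}

// Effective entropy of a password that is the k-th guess: log2(k) bits,
// whatever the charset formula says about its alphabet.
function effectiveBits(rank) {
  return Math.log2(rank);
}

for (const p of ["password", "P@ssw0rd!", "Dragon123", "Tr0ub4dor&3"]) {
  const r = rankOf(p);
  console.log(r === null
    ? `${p}: not produced by this rule set`
    : `${p}: guess #${r}, about ${effectiveBits(r).toFixed(1)} bits`);
}
```

With this rule set "P@ssw0rd!" is guess 274, a little over 8 bits, against the 59 bits the charset formula awards it. "Tr0ub4dor&3" survives only because the toy list has no "troubador" and no "a→4" rule; a real rule file has both, which is how xkcd arrives at about 28 bits for it.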
The retired rules
NIST Special Publication 800-63B, the federal digital-identity guideline, formally retired the rules most IT departments still enforce: the 2017 revision dropped composition rules (mandatory uppercase, digits, symbols) and scheduled rotation, and the revision drafted in 2024 hardened that from "should not" to "shall not".
What NIST recommends instead: a minimum of 8 characters, with 15 recommended (the 2024 draft says verifiers SHOULD require 15); allow at least 64 characters and all printable characters including spaces, and do not truncate; screen every new password against breached-password lists like Have I Been Pwned and reject matches; impose no composition rules; and force a change only on evidence of compromise.
The actual answer is a password manager
Once you accept that (a) every account needs a unique password, (b) the password should be long, and (c) length beats memorability — you've ruled out remembering them. A password manager (Bitwarden, 1Password, Apple's built-in one, Google's built-in one) generates a 20+ character random password per site and remembers it for you. You memorize one master password and turn on multi-factor authentication on it.
That's the modern setup. Everything else is theater.
Generate one now
Foliokit's password generator runs on crypto.getRandomValues in your browser and shows you the bits of entropy as you tune the length and character set. We don't see your passwords. We can't.