Generated password strength

| Attack scenario | Time to crack |
|---|---|
| Online (throttled) | |
| Offline, strong hash | |
| Offline, weak hash (MD5) | |

Password entropy measures how unpredictable a password is: the higher the number of bits, the harder it is to guess by brute force. It depends on two things: how many possible characters could appear at each position (the character pool), and how long the password is. Doubling the length or significantly expanding the character set both increase entropy, but length tends to have the larger effect.

The crack time estimates show how long it would take an attacker to work through every possible combination at realistic speeds, from a cautious online attack to a large-scale offline operation against a poorly-protected database. A password that takes centuries to crack online can fall in minutes if the database storing it uses a weak hashing algorithm, which is why password managers and unique passwords per site matter as much as complexity.
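
The calculation described above, as an added example that is not this page's own code: it derives the entropy of a randomly generated password from its length and character pool, then estimates the time to exhaust the keyspace in each of the three scenarios. The guess rates, the class sizes and all function names are assumptions chosen for illustration.

```javascript
// Added example. Guess rates are assumed, illustrative values (not from the page).
const GUESSES_PER_SECOND = {
  "Online (throttled)": 100 / 3600,   // assumed: 100 guesses per hour
  "Offline, strong hash": 1e4,        // assumed: slow, salted password hash
  "Offline, weak hash (MD5)": 1e10,   // assumed: fast unsalted hash on GPUs
};
// Character classes a generator can enable, with their sizes (printable ASCII).
const CLASS_SIZES = { lower: 26, upper: 26, digits: 10, symbols: 32 };

// Pool = number of characters that could appear at each position.
function poolSize(options) {
  return Object.keys(CLASS_SIZES)
    .reduce((n, k) => n + (options[k] ? CLASS_SIZES[k] : 0), 0);
}

// Entropy in bits. Valid only when every character is drawn uniformly at
// random from the pool, as a generator does; it overstates human-chosen passwords.
function entropyBits(length, pool) {
  return pool > 1 ? length * Math.log2(pool) : 0;
}

// Worst case: time to try all 2^bits candidates (the average is half of this).
function secondsToExhaust(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond;
}

function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600],
                 ["minutes", 60], ["seconds", 1]];
  for (const [name, size] of units) {
    if (seconds >= size) {
      const v = seconds / size;
      return `${v >= 1e6 ? v.toExponential(1) : v.toFixed(1)} ${name}`;
    }
  }
  return "under a second";
}

// Fill the three-row table for one generator configuration.
function assess(length, options) {
  const bits = entropyBits(length, poolSize(options));
  const rows = {};
  for (const [scenario, rate] of Object.entries(GUESSES_PER_SECOND)) {
    rows[scenario] = humanize(secondsToExhaust(bits, rate));
  }
  return { bits, rows };
}

// Length versus pool: 8 characters from all 94 symbols, 16 lowercase letters.
console.log(assess(8, { lower: true, upper: true, digits: true, symbols: true }));
console.log(assess(16, { lower: true }));
```

With these assumed rates, the 16-character lowercase password carries about 75 bits against about 52 bits for the 8-character password drawn from all 94 characters, which is the length effect the paragraph describes.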