
Password strength — what actually determines it and what doesn't

What makes this confusing

Password strength meters are everywhere. They reward you with green bars and 'Very Strong' labels for passwords that would be cracked quickly with modern tools, and penalise simple-looking passphrases that are actually highly resistant to attack. The metrics that strength meters typically measure — character variety, absence of common patterns, presence of symbols — are only loosely correlated with the property that actually matters: how many guesses an attacker needs to make before finding your password.

The gap between intuitive 'strength' and cryptographic strength has real consequences when vault data is stolen. The 2022 LastPass breach put encrypted vault backups in attacker hands. Whether those vaults are at practical risk depends almost entirely on one factor: the entropy of the master password — a function of how many bits of randomness it contains, which determines the brute-force search space.

Password managers generate passwords with genuine randomness. Human-chosen passwords, even ones that feel complex, rarely have the entropy they appear to.

What people usually assume

The most persistent assumption is that character substitution — replacing 'a' with '@', 'e' with '3', 'o' with '0' — meaningfully increases password strength. Attacker dictionaries include these substitutions. 'P@ssw0rd' outlasts 'password' only in the sense that it takes a small number of additional guesses. The search space increase from common substitutions is trivially small compared to the search space increase from adding length.

A second assumption is that memorable passwords based on personal information — names, dates, places — provide reasonable security because an attacker doesn't know your personal history. For targeted attacks this is partially true; for the large-scale credential cracking that follows mass breach data theft, passwords are cracked through exhaustive dictionary and pattern searches, not personal research. Personal information in passwords reduces the search space because it draws from predictable categories.

A third assumption is that a password that passes a strength meter at 'Very Strong' is suitable for a master password. Strength meters score against password cracking dictionaries — they measure how a password performs against known attack patterns. They don't directly measure entropy, don't account for the specific KDF and iteration count protecting the vault, and were typically designed for web login contexts where rate limiting applies, not for offline brute-force on stolen vault data where rate limiting doesn't.

What's actually true

Entropy — the randomness measure of a password — is determined by how many possible passwords could have been generated using the same method. A password generated by choosing 5 words randomly from a 7,776-word list (standard diceware) has approximately 65 bits of entropy. A 20-character random alphanumeric password has approximately 119 bits. Both are resistant to brute-force with modern hardware given adequate KDF iteration counts. A personally chosen password based on meaningful information or common patterns may have 20-30 effective bits of entropy regardless of its apparent complexity.

For a password manager master password specifically, the relevant threat is offline brute-force on stolen vault data. The economics: an attacker with a stolen vault and modern GPU hardware can test millions of password candidates per second against PBKDF2 at low iteration counts. At 600,000 iterations (LastPass's current default), this slows to thousands per second. Argon2 at high memory-cost parameters slows it further. The KDF only raises the cost of each guess: against 65 bits of entropy that cost is what makes exhaustive search infeasible, but neither PBKDF2 nor Argon2 provides practical protection if the password can be guessed within a search space small enough for the attacker to exhaust.
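The two paragraphs above reduce to one calculation: entropy fixes the size of the search space, and the KDF fixes how fast an attacker can walk through it. The following Python script is an added worked example (not from the guide or from any password manager's code) that carries the numbers through. The guess rates are assumed order-of-magnitude figures taken from the prose ("millions per second" at low iteration counts, "thousands per second" at 600,000), not measurements of any product, and the 30-bit figure for a human-chosen password is the text's own estimate.

```python
import math

# Pool sizes for the two generation methods discussed above.
DICEWARE_WORDS = 7776          # standard diceware list, 6^5 words
ALNUM_CHARS = 26 + 26 + 10     # upper + lower + digits

# Assumed guess rates for an attacker holding a stolen vault. These are
# order-of-magnitude figures matching the text, not measured values.
GUESS_RATES = {
    "PBKDF2, low iteration count": 1e6,   # "millions per second"
    "PBKDF2, 600,000 iterations": 1e4,    # "thousands per second"
}


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a password built by picking `length` items uniformly and
    independently from a pool of `pool_size` items: log2(pool_size ** length)."""
    return length * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search to hit the right candidate.
    On average the attacker covers half the space before succeeding."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    year = 365.25 * 24 * 3600
    for unit, size in (("years", year), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def crack_table() -> dict:
    """Expected crack time, in seconds, for each (password class, rate) pair.
    The three classes are the ones the text contrasts."""
    methods = {
        "5-word diceware": entropy_bits(DICEWARE_WORDS, 5),
        "20-char alphanumeric": entropy_bits(ALNUM_CHARS, 20),
        "human-chosen (~30 bits)": 30.0,   # effective-entropy estimate from the text
    }
    return {(method, label): expected_crack_seconds(bits, rate)
            for method, bits in methods.items()
            for label, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    for (method, label), secs in crack_table().items():
        print(f"{method:<26} {label:<30} {describe(secs)}")
```

The table makes the asymmetry visible: raising the iteration count a hundredfold buys two decimal orders of magnitude, while every added diceware word buys about thirteen bits, roughly four orders of magnitude. A 30-bit password falls in hours even at 600,000 iterations; the 65-bit passphrase does not fall at all.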

Password managers generate passwords correctly. The generator's output — which uses cryptographic randomness to select characters from defined sets — has predictable entropy based on the length and character set. A 20-character password from Bitwarden's default generator has approximately 116-119 bits of entropy regardless of what it looks like. This is why generated passwords are appropriate for all credentials except the master password, which must be memorable.
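To show what "predictable entropy based on the length and character set" means in practice, here is an added example generator in Python (written for this guide, not Bitwarden's or any other manager's code). It draws from the OS CSPRNG via the `secrets` module, reports the entropy of the method rather than of the string, and includes a character-class counter of the kind a strength meter uses, so the reader can see that a generated password can score fewer classes and still carry the same entropy. The eight-word list is constructed for the example and stands in for a real 7,776-word diceware list.

```python
import math
import secrets
import string

# Letters and digits, 62 symbols: the "alphanumeric" case from the text.
# Callers can append punctuation to enlarge the pool.
ALNUM = string.ascii_letters + string.digits

# Constructed stand-in for a diceware list. A real list has 7,776 words;
# entropy per pick is log2(len(words)), so this toy list yields only 3 bits.
TOY_WORDS = ["apple", "river", "stone", "cloud", "tiger", "lemon", "piano", "ocean"]


def generate_password(length: int = 20, alphabet: str = ALNUM) -> str:
    """Uniform random characters from `alphabet`, drawn with `secrets`
    (OS CSPRNG). The `random` module is unsuitable here: its Mersenne
    Twister state can be reconstructed from observed output."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 5, separator: str = "-") -> str:
    """Diceware-style passphrase: `count` uniform picks from `words`, with
    replacement, so repeats are allowed and entropy stays count * log2(len)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def method_entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy is a property of the generation method, not of the output."""
    return picks * math.log2(pool_size)


def character_classes(password: str) -> int:
    """Number of upper/lower/digit/symbol classes present, i.e. what a
    strength meter typically rewards. A generated password may lack a
    class by chance; its entropy from the method is unchanged."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{method_entropy_bits(len(ALNUM), 20):.1f} bits,",
          character_classes(pw), "character classes")
    pp = generate_passphrase(TOY_WORDS)
    print(pp, f"{method_entropy_bits(len(TOY_WORDS), 5):.1f} bits (toy list)")
```

Run it a few times: the entropy figure never changes, while the character-class count occasionally drops to two when no digit happens to be drawn. That is the gap between what a meter measures and what an attacker faces.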

Where this leads

If you are evaluating password strength in the context of a stolen vault — specifically in the aftermath of a breach like LastPass 2022 — the KDF guide explains how PBKDF2 vs. Argon2 and iteration counts affect the time an attacker needs to test each password candidate.

How KDF algorithms affect brute-force resistance

If you want to understand how to choose a master password that balances memorability and genuine entropy — the master password guide covers passphrase selection, storage options, and why length beats complexity.

Master password best practices

If password strength is relevant because you are considering whether to change passwords after a breach — the breach response guide covers the priority order for credential rotation.

What to do after a breach notification

Limits of this guide

Entropy as described here measures resistance to offline brute-force. Online brute-force — guessing passwords on a live login form — is limited by rate limiting, account lockout, and CAPTCHA. Different strength thresholds are appropriate for different attack vectors. A 10-character password with 60 bits of entropy is adequate for an online service with account lockout; it is inadequate for a master password protecting a vault that may be subject to offline attack.
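The point above is that the attack vector sets the guess budget, and the guess budget sets the entropy needed. The Python below is an added example (not from the guide) that turns the budget into a minimum entropy for each vector. Every rate and parameter in it is an assumption chosen for illustration: a rate-limited login form allowing a few guesses per minute, the per-GPU offline rates from the KDF discussion multiplied by an assumed 100 GPUs, a ten-year horizon, and ten bits of headroom for hardware that gets faster over that horizon.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates per attack vector (illustrative, not measurements).
# Online: a login form with lockout permitting roughly six attempts a minute.
# Offline: per-GPU rates from the KDF discussion, times an assumed 100 GPUs.
GPUS = 100
VECTORS = {
    "online, rate-limited login": 0.1,
    "offline, PBKDF2 600,000 iterations": 1e4 * GPUS,
    "offline, weak or legacy KDF": 1e6 * GPUS,
}


def guess_budget(guesses_per_second: float, years: float) -> float:
    """Total guesses an attacker can make at this rate over `years`."""
    return guesses_per_second * years * SECONDS_PER_YEAR


def required_bits(guesses_per_second: float, years: float,
                  headroom_bits: float = 0.0) -> float:
    """Minimum entropy such that exhausting the whole space takes at least
    `years` at the given rate. `headroom_bits` adds margin for faster hardware."""
    return math.log2(guess_budget(guesses_per_second, years)) + headroom_bits


def thresholds(years: float = 10.0, headroom_bits: float = 10.0) -> dict:
    """Required entropy per vector under the assumed parameters."""
    return {v: required_bits(r, years, headroom_bits) for v, r in VECTORS.items()}


def adequate_for(bits: float, vector: str, years: float = 10.0,
                 headroom_bits: float = 10.0) -> bool:
    """Does a password with `bits` of entropy clear the threshold for `vector`?"""
    return bits >= required_bits(VECTORS[vector], years, headroom_bits)


if __name__ == "__main__":
    for vector, bits in thresholds().items():
        print(f"{vector:<38} needs >= {bits:.1f} bits")
    for candidate in (30, 60, 65):
        verdicts = {v: adequate_for(candidate, v) for v in VECTORS}
        print(candidate, "bits:", verdicts)
```

Under these assumptions the 60-bit example from the text clears the online threshold comfortably but not the offline one against a weak or legacy KDF, which is exactly why one number cannot serve as "strong enough" for both vectors. Changing the GPU count, horizon or headroom moves the thresholds; the shape of the conclusion does not change.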
