design6 min read
Understanding Color Formats: HEX, RGB & HSL
Why screens mix red, green, and blue light, what HEX shorthand really encodes, and when HSL makes your life easier.
Read
TC
generator6 min read
Password Entropy: What Makes a Password Strong
Is P@ssw0rd! a strong password? It has uppercase, lowercase, numbers, and a symbol — so it must be secure, right? Not even close. An attacker cracking passwords doesn't care about your exclamation mark. What matters is entropy — the mathematical measure of how unpredictable your password actually is.
What entropy means
Password entropy is measured in bits. Each bit doubles the number of guesses an attacker needs to try. The formula is straightforward:
Entropy = log2(pool_size ^ length)
= length × log2(pool_size)
Example: 12 lowercase letters
pool_size = 26
entropy = 12 × log2(26) = 12 × 4.7 = 56.4 bitsThe pool size is the number of possible characters in each position. Lowercase letters give you 26, adding uppercase doubles it to 52, digits add 10, and symbols add another 32 or so. But here's the key insight: length is an exponent while pool size is just a base. Doubling the length has a far greater impact than doubling the character set.
Entropy comparison table
| Configuration | Pool | Length | Entropy | Strength |
|---|---|---|---|---|
| Lowercase only | 26 | 8 | 37.6 | Weak |
| Mixed case | 52 | 8 | 45.6 | Fair |
| All characters | 95 | 8 | 52.6 | Moderate |
| Lowercase only | 26 | 12 | 56.4 | Good |
| All characters | 95 | 12 | 78.8 | Strong |
| All characters | 95 | 16 | 105.1 | Excellent |
| Passphrase (4 words) | 7776 | 4 | 51.7 | Moderate |
| Passphrase (6 words) | 7776 | 6 | 77.5 | Strong |
Key takeaway: A 12-character lowercase password (56.4 bits) is stronger than an 8-character password with every character type (52.6 bits). Length wins.
How attackers crack passwords
Understanding attack methods explains why entropy matters more than complexity rules:
- Brute force — tries every possible combination. Speed depends on hardware — a modern GPU can test billions of hashes per second against weak algorithms like MD5.
- Dictionary attacks — tries common words, names, and known passwords.
P@ssw0rd!falls in seconds because it's a predictable substitution of a dictionary word. - Credential stuffing — uses leaked username/password pairs from breaches. If you reuse passwords across sites, one breach compromises all your accounts.
NIST 2024 guidelines
The US National Institute of Standards and Technology updated its password guidance, and the changes surprised many:
- No forced rotation — changing passwords every 90 days leads to weaker passwords (people append numbers:
MyPass1,MyPass2) - No complexity rules — requiring uppercase + symbol + number doesn't help when users pick predictable patterns
- Check against breach lists — reject passwords that appear in known data breaches (services like Have I Been Pwned provide these lists)
- Minimum 8 characters, recommend 15+ — length is the primary strength factor
Password managers vs memorised passwords
A password manager generates and stores a unique, high-entropy password for every account. You only need to memorise one strong master password. This approach solves two problems at once: each password has maximum entropy, and no password is reused across sites.
For the master password itself, a passphrase — four to six randomly chosen words — is the best balance of security and memorability. correct horse battery staple is a classic example, though you should always generate your passphrase randomly, never pick words yourself.
The strongest password is one you never need to remember. Let a password manager handle entropy — your job is just to protect the master key.
More Articles
image7 min read
PNG vs JPG vs WebP: When to Use Each Image Format
Lossy vs lossless compression, when transparency matters, and why WebP is replacing both PNG and JPG on the web.
Read
image8 min read
How Image Compression Actually Works
What happens when you drag the quality slider, how DCT transforms photos, and why screenshots compress differently.
Read