Passwords: entropy vs complexity (and why length wins)
- Dalton Dullaghan
- 2 days ago
- 2 min read
We’re often told to make passwords “complex”: add capitals, numbers and symbols. That looks secure, but it isn’t the full story. What really keeps attackers out is entropy — the actual unpredictability of your password. Here’s a plain-English guide.

What “complexity” means
Complexity is about rules. For example: “at least 8 characters, one capital, one number, one symbol.” People follow those rules in predictable ways — swapping a → @, s → $, or sticking 1! at the end. Attackers know these habits and build them into their tools. So a short, “complex-looking” password can still be quick to crack.
Example: P@ssw0rd! ticks the boxes, but it’s common and predictable.
What “entropy” means
Entropy is about randomness — how hard a password is to guess, even with powerful computers. More entropy comes from length and unpredictable choices.
Example: correct horse battery staple looks simple, but four unrelated words are far harder to guess than a short jumble with obvious substitutions.
The practical takeaway
Length beats clever punctuation. A longer, memorable passphrase (four or five random words) is usually stronger than a short, fiddly string. If you must use symbols, sprinkle them in unexpected places — but don’t rely on them alone.
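To put numbers on the “length beats complexity” argument, here is an added example (not from the original post) that estimates entropy in bits under three attacker models: uniform brute force, “dictionary word plus a common mangling rule”, and a random-word passphrase. The dictionary size, rule count and guesses-per-second figure are assumptions; 7776 is the size of a common Diceware-style wordlist.

```python
import math


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Bits if every character were chosen uniformly from the alphabet.
    This is what a password 'looks like' to a naive strength meter."""
    return length * math.log2(alphabet_size)


def mangled_word_bits(dictionary_size: int, rule_count: int) -> float:
    """Bits when the password is really one dictionary word transformed by
    one of a known set of mangling rules (a -> @, append '1!', capitalise...).
    Cracking tools enumerate exactly this space, so it is the honest figure
    for something like P@ssw0rd!."""
    return math.log2(dictionary_size) + math.log2(rule_count)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Bits for word_count words drawn independently from a public wordlist.
    Assumes the attacker knows the wordlist; only the choices are secret."""
    return word_count * math.log2(wordlist_size)


def compare() -> dict[str, float]:
    """Entropy estimates for the styles the article contrasts.
    Sizes below are constructed assumptions for illustration."""
    return {
        # 9 printable chars, if they were actually random
        "P@ssw0rd! (as a meter sees it)": brute_force_bits(9, 94),
        # ~20k common words x ~1000 popular mangling rules (assumed)
        "P@ssw0rd! (as a cracker sees it)": mangled_word_bits(20_000, 1_000),
        # four words from a 7776-word Diceware-style list
        "four-word passphrase": passphrase_bits(4, 7776),
        # five words from the same list
        "five-word passphrase": passphrase_bits(5, 7776),
        # 16 random alphanumerics from a password manager
        "16-char manager password": brute_force_bits(16, 62),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        # average guesses to find it = half the space = 2**(bits-1)
        print(f"{label:36s} {bits:6.1f} bits  ~{2 ** (bits - 1):.2e} guesses")
```

The gap between the two P@ssw0rd! rows is the whole point: a complexity rule raises the first number, but attackers are searching the second.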
Simple rules that actually work
- Use a password manager to create and remember long, unique passwords for every site.
- Turn on multi-factor authentication (MFA) wherever possible.
- Prefer passphrases you can remember (e.g., porridge-canvas-lamp-window) over short “complex” ones.
- Avoid personal info (names, dates, pets) and predictable tweaks (Summer2025!, Password1!).
- Change passwords when there’s a sign of compromise or a breach — not on an arbitrary schedule that encourages weak patterns.
Quick examples
- Weak (short + predictable): Summer2025!
- Better (long + random words): porridge-canvas-lamp-window
- Best (manager-generated and unique): ajC7mZP4vQ9nK2wH… (you never have to memorise it)
For your organisation
- Give staff a password manager and set a minimum length (aim for 14–16+ characters).
- Enable MFA on email, VPN, finance apps and anything sensitive.
- Offer a short refresher: “Go for length, use a manager, turn on MFA.”
- Stop forcing monthly resets; focus on unique, long, and monitored.
Bottom line: Complexity rules make passwords look fancy. Entropy makes them strong. Choose length and randomness, back it up with a password manager and MFA, and you’ll be far better protected.