Password and Entropy: The Science Behind Your Security

Forget outdated password rules. Discover Shannon's entropy theory, Grover's quantum threat, and true OPSEC tips to secure your access.


Reading time: 6 minutes

Arpokrat Security Team, Privacy Advocates & Developers

« Your password must contain 8 characters, an uppercase letter, a lowercase letter, a number, and a special character. »

We all know this rule. And yet, in cybersecurity, this is what we call “security theater.” A password like P@ssw0rd1! satisfies every one of these rules and still falls in seconds to any modern password-cracking tool, because it is a dictionary word wearing the most common substitutions and the most common suffix.

True security does not rely on arbitrary visual rules, but on an unforgiving mathematical reality: entropy.

Entropy according to Claude Shannon

To understand the strength of a password, we must look to Claude Shannon, the father of information theory. Entropy measures the degree of uncertainty or unpredictability of information.

Applied to passwords, entropy is measured in bits. The more bits, the more guesses an attacker needs: E bits means 2^E possible candidates, about half of which must be tried on average before the right one turns up. For a password whose every character is drawn uniformly at random, the entropy E is:

E = L × log2(R)

  • L is the length of the password.
  • R is the pool size: 26 for lowercase only, 36 with digits, 62 with upper and lower case plus digits, 94 for all printable ASCII symbols (space excluded).

Each extra character adds a full log2(R) bits, whereas widening the pool only nudges that per-character figure: going from 62 symbols to 94 raises it from about 5.95 to about 6.55 bits, less than the gain from one more character. Length therefore beats complexity, but only on one condition: every character must be chosen at random, not by a human.

Brute Force vs. Dictionary Attack

If you use words or predictable structures, the length formula no longer applies, because the attacker is no longer searching the full 2^E space.

Cracking tools do not start by trying every combination one by one (that exhaustive approach is brute force). They first run through massive wordlists, billions of existing words, common phrases and passwords from past data leaks, and mutate each entry with rules. This is the dictionary attack.

If your password is long, but composed of dictionary words or predictable substitutions, its actual entropy is dramatically lower than its theoretical mathematical entropy.

Here are estimated cracking times against a cluster of modern graphics cards (GPUs). The entropy column applies the formula above as if every character were random; the brute-force column assumes a fast, unsalted hash at roughly 3 × 10^12 guesses per second (the rate behind the ~3,000-year figure), so against a slow KDF such as Argon2 or bcrypt every figure grows by orders of magnitude. The fastest route actually found by exploiting structural weaknesses is marked (*).

Password                      | Theoretical entropy (E = L × log2 R)  | Against brute force                      | Against a dictionary with rules
password123                   | ~57 bits (11 chars, 36-symbol pool)   | ~13 hours                                | Instantaneous (*)
S3cr3t!99                     | ~59 bits (9 chars, 94-symbol pool)    | ~2 days                                  | Minutes to hours, via mutation rules (*)
correct horse battery staple  | ~130 bits (28 chars, 27-symbol pool)  | Far longer than the age of the universe  | Hours to days via word combinations; instantaneous for this famous example, which sits in every wordlist (*)
gL7!pQ9z#vX2                  | ~78 bits (12 chars, 94-symbol pool)   | ~3,000 years (*)                         | Failure, back to brute force

The Illusion of Leetspeak and Mutation Rules

Take S3cr3t!99. Visually it looks complex and robust. Yet it is simply the dictionary word “secret”, capitalised, with both e's replaced by 3's and a very common suffix (!99) appended. This substitution style is called leetspeak.

Against a dictionary attack, this password holds for minutes to hours at most. Modern cracking software (like Hashcat) does not just test static wordlists; it applies mutation rules (rule files) to every word: every combination of leetspeak substitutions, case toggles, prepended and appended years and symbols, and more. A rule-based run therefore reaches S3cr3t!99 after a minute fraction of the 94^9 ≈ 5.7 × 10^17 candidates that its theoretical entropy suggests. Leetspeak provides a false sense of security.

The Keyboard Shift Trick

To complicate a memorable phrase, some use the keyboard layout shift trick. For example, you memorize a phrase like my-cat, but when typing it you keep your fingers on a physical QWERTY keyboard while the operating system is configured for AZERTY (French).

  • The intended word: my-cat
  • The typed result: ,y)cqt (the m key produces ‘,’, the ‘-’ key produces ‘)’, the ‘a’ key produces ‘q’; y, c and t sit on the same keys in both layouts).

Is this a good OPSEC idea? No, not on its own. Just as with leetspeak, cracking tools model it: Hashcat ships a keyboard-layout mapping option that remaps every candidate through a chosen layout (QWERTY, AZERTY, QWERTZ, Dvorak and so on), so the attacker only has to rerun the wordlist once per layout. In OPSEC terms this is security by obscurity: it delays an amateur attacker but will not stop a targeted, well-equipped one.

Layered on a password that is already strong at its core (a long, randomly generated passphrase), the trick does no harm, but it adds far less than it appears to: an attacker who models layout shifts pays only a constant factor, the number of layouts tried, which is worth a few bits at most. Count it as zero when estimating your entropy.
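The rule-based attack described in the last two sections, as an added example (written for this article; it is neither code from the original post nor Hashcat's own code). The wordlist, the leet/case/suffix rules and the QWERTY-to-AZERTY key map are constructed stand-ins for real leak lists, rule files and Hashcat's layout maps, and every function name is ours. It recovers both S3cr3t!99 and ,y)cqt from a SHA-256 hash after well under a thousand guesses, against a theoretical brute-force space of 94^9:

```python
import hashlib
import itertools

# Constructed stand-ins for a leaked wordlist, a hashcat-style rule set and a
# keyboard-layout map. Names and lists are illustrative, not hashcat's own files.
WORDLIST = ["password", "secret", "dragon", "my-cat"]
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "123", "!", "!99", "2024"]

# Character produced when the key at a given QWERTY position is pressed while
# the OS is set to AZERTY. Only keys that differ are listed; upper case and the
# digit row are left unchanged here for simplicity (a real map covers them too).
QWERTY_TO_AZERTY = str.maketrans({
    "q": "a", "w": "z", "a": "q", "z": "w", "m": ",",
    ";": "m", ",": ";", ".": ":", "/": "!", "-": ")",
})
LAYOUT_MAPS = {"identity": str.maketrans({}), "qwerty->azerty": QWERTY_TO_AZERTY}


def leet_variants(word):
    """Every combination of leet substitutions, as hashcat's sXY rules would produce."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for k in range(len(positions) + 1):
        for subset in itertools.combinations(positions, k):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def case_variants(word):
    """The case toggles a typical rule set applies: as-is, Capitalised, UPPER."""
    return [word, word.capitalize(), word.upper()]


def candidates(wordlist=WORDLIST, suffixes=SUFFIXES, layout_maps=LAYOUT_MAPS):
    """Yield mutated candidates in the order a rule-based attack would try them."""
    seen = set()
    for word in wordlist:
        for leet in leet_variants(word):
            for cased in case_variants(leet):
                for suffix in suffixes:
                    for layout in layout_maps.values():
                        cand = (cased + suffix).translate(layout)
                        if cand not in seen:
                            seen.add(cand)
                            yield cand


def sha256_hex(text):
    """Stand-in for a leaked fast, unsalted hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash):
    """Return (candidate, guesses_tried) on a match, else (None, total_guesses)."""
    tried = 0
    for cand in candidates():
        tried += 1
        if sha256_hex(cand) == target_hash:
            return cand, tried
    return None, tried


def brute_force_space(password, pool_size=94):
    """Candidates an exhaustive search over the printable-ASCII pool would face."""
    return pool_size ** len(password)


if __name__ == "__main__":
    for pw in ["S3cr3t!99", ",y)cqt", "gL7!pQ9z#vX2"]:
        found, n = crack(sha256_hex(pw))
        print(f"{pw!r}: recovered {found!r} after {n} guesses "
              f"(brute-force space {brute_force_space(pw):.1e})")
```

Both "clever" passwords fall inside the first few hundred candidates, while the random 12-character string is never produced by the rules and would have to be brute-forced across its full 94^12 space. Real rule files hold thousands of rules and real wordlists billions of entries, which only widens the gap.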

Constructing the Ideal Password (~250 bits)

If wordlists, leetspeak and typing tricks all have their limits, how do we build the master password? To resist the next generation of computing tools, this article targets roughly 250 bits of entropy (strictly 256, as the Grover section below explains).

There are two ways to achieve this depending on your needs:

1. The Purely Random Option (Ideal for a password manager)

A character string generated entirely at random from the full printable pool, for example k9$Yz2!pL#8vQx5@mN7*jW4&hC1%bF3^tR9(dZ6: 39 characters from 94 symbols, 39 × 6.55 ≈ 256 bits. (Do not reuse this one: anything printed in an article is, by definition, in a wordlist.)

2. The Hybrid Passphrase Option (Ideal for a memorable master password)

A sequence of words drawn at random from a fixed word list, combined with numbers and symbols, for example Sovereign_Crypto_99_Privacy_Zero_Knowledge_Secure_2026_Key_Lock_Cloud_Act_Grover. A human can memorize such a structure visually or by muscle memory while keeping a large mathematical barrier. Two caveats. First, the entropy is log2(list size) per word, and it only counts for words the generator chose, not words you picked because they fit a theme. Second, with the 7,776-word EFF diceware list that is about 12.9 bits per word, so 250 bits takes about 20 words, and a 14-word draw gives about 181 bits; separators, capitals and the numbers add little unless they too are random.
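The entropy formula and both construction options, as an added example (written for this article, not code from the original post or from the Arpokrat generator). The 16-word DEMO_WORDS list is a constructed stand-in for a real diceware list and is deliberately tiny, which is why the passphrase figures it produces are so low; all function names are ours.

```python
import math
import secrets
import string

# 94-symbol pool: letters, digits and the 32 ASCII punctuation marks (no space).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word stand-in for a real word list (EFF's long list has 7,776
# words). Entropy per word is log2(list size): 4 bits here, ~12.9 bits with EFF's.
DEMO_WORDS = [
    "amber", "basalt", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
    "iris", "juniper", "kelp", "lumen", "mesa", "nectar", "orbit", "pepper",
]


def entropy_bits(length, pool_size):
    """E = L x log2(R): entropy of L symbols drawn uniformly from R choices.
    Only valid when every symbol really is drawn at random (CSPRNG, no human choice)."""
    return length * math.log2(pool_size)


def units_needed(target_bits, pool_size):
    """Smallest L with L x log2(R) >= target_bits (characters, or words for a passphrase)."""
    return math.ceil(target_bits / math.log2(pool_size))


def random_password(length, pool=PRINTABLE):
    """Option 1: uniformly random characters. Use secrets, never random, for this."""
    return "".join(secrets.choice(pool) for _ in range(length))


def random_passphrase(n_words, words=DEMO_WORDS, sep="_"):
    """Option 2: words drawn at random from a fixed list; the separator adds no entropy."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy(n_words, list_size):
    """A passphrase's entropy is counted per word drawn, not per character typed."""
    return entropy_bits(n_words, list_size)


if __name__ == "__main__":
    print(f"39 printable chars: {entropy_bits(39, 94):.1f} bits")
    print(f"12 printable chars: {entropy_bits(12, 94):.1f} bits")
    print(f"chars needed for 250 bits: {units_needed(250, 94)}")
    print(f"EFF-list words needed for 250 bits: {units_needed(250, 7776)}")
    print(f"demo passphrase, {passphrase_entropy(6, len(DEMO_WORDS)):.0f} bits: "
          f"{random_passphrase(6)}")
    print(f"random password: {random_password(units_needed(250, 94))}")
```

Swapping DEMO_WORDS for a real 7,776-word list turns the same code into a diceware generator; the entropy functions are what the rest of the article's figures (57, 78 and ~256 bits) come from.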

The Quantum Threat: Grover’s Algorithm

Why aim for 250 bits when 128 bits already block today’s supercomputers? The answer lies in the advent of quantum computing.

In cryptography, Grover's algorithm lets a quantum computer search an unstructured space of N candidates in about √N steps instead of N, a quadratic speedup. Concretely, that halves the effective security level of a symmetric key or a password: 2^E candidates cost roughly 2^(E/2) quantum queries.

Against a quantum computer running Grover's algorithm, a password with 128 bits of entropy therefore offers resistance equivalent to 64 bits, which is within reach of brute force.

Consequently, to keep true 128-bit security in a post-quantum world you must double the entropy, to 256 bits (the "~250 bits" used throughout this article). This also feeds the Harvest Now, Decrypt Later (HNDL) concern: state attackers vacuum up encrypted data and password hashes today to break them tomorrow. Two qualifications a practitioner should keep in mind: Grover parallelizes badly (k quantum machines only cut the time by √k, not k), and it needs something to test guesses against offline, a leaked hash or ciphertext, so it does nothing against a rate-limited online login.
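The Grover arithmetic worked through in the page's own notation (an added derivation, not part of the original article):

  Candidates to search:             N = 2^E
  Classical brute force:            about N / 2 = 2^(E − 1) guesses on average
  Grover (quantum search):          about (π/4) × √N ≈ 2^(E/2) queries
  With E = 128:                     2^64 quantum queries instead of 2^127 classical guesses
  For 128-bit post-quantum security: E/2 = 128  ⇒  E = 256 bits

Spreading the search over k quantum machines divides the time by only √k, so the 2^(E/2) line is the attacker's best case, not the expected one.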

Arpokrat Password Generator: Test it yourself

Do not leave the security of your access to chance. We have developed an internal tool that generates cryptographically robust passwords (long enough to keep 128 bits of security even under Grover) and, above all, estimates the real entropy of your own passwords.

👉 Arpokrat Password Generator

Test your current passwords to see whether they would withstand modern computing power. The tool runs entirely in your browser; nothing leaves your machine.

Mathematical entropy does not protect against human error. A 250-bit password is worthless if it is reused on several sites (credential stuffing replays leaked username/password pairs against every other service) or if the account is not protected by a second authentication factor (2FA).

The golden rule of digital hygiene is to remember one single password: your ~250-bit master passphrase (the hybrid option). Every other account (bank, social networks, servers) gets its own unique, randomly generated password: aim for 250 bits of pure entropy (39 printable characters) and, where a site caps the length, use the maximum it accepts.

To store and manage this volume of keys nobody can memorize, a zero-knowledge password manager is essential. One well-regarded option is Proton Pass: Swiss-based, open-source and end-to-end encrypted, so that even its own engineers cannot read the contents of your vault. It is a natural companion for the keys generated by Arpokrat, locking your entire digital life behind a genuine mathematical barrier.

Tags
#Password #Entropy #OPSEC #Cryptography #Zero-Knowledge #Post-Quantum
