This is an extra post to accompany “Absurd Password Lengths and the Computational Limits of Humanity”, which focused on passwords that use the full printable ASCII set. The equivalent recommendations for other character sets are as follows.
Recall that these bit levels are from the limits computed in the main post for an attack over one year.
- 35 bits – A typical online attack
- 74 bits – A lone hacker
- 87 bits – A state actor
- 98 bits – The global computing power
- 128 bits – The maximum security provided by many common encryption methods
- 188 bits – An ideal Matrioshka brain using the Sun
- 226 bits – An ideal Matrioshka brain using the entire Milky Way
- 256 bits – The security of the most secure common encryption methods
For example, you need 25 random alphanumeric characters to reach 128 bits of entropy.
| Character set | 35 bits | 74 bits | 87 bits | 98 bits | 128 bits | 188 bits | 226 bits | 256 bits |
|---|---|---|---|---|---|---|---|---|
Digits 0-9 | 11 | 23 | 27 | 30 | 39 | 57 | 69 | 78 |
Hexadecimal 0-9A-F | 8 | 17 | 20 | 22 | 29 | 43 | 51 | 58 |
Alpha a-z | 8 | 16 | 19 | 21 | 28 | 40 | 49 | 55 |
Alphanumeric a-z0-9 | 7 | 15 | 17 | 19 | 25 | 37 | 44 | 50 |
Case-sensitive Alpha a-zA-Z | 7 | 13 | 16 | 18 | 23 | 33 | 40 | 45 |
Case-sensitive Alphanumeric a-zA-Z0-9 | 6 | 13 | 15 | 17 | 22 | 32 | 38 | 43 |
Case-sensitive Alphanumeric and Basic Symbols a-zA-Z0-9!@#$%^&*-_.? | 6 | 12 | 15 | 16 | 21 | 31 | 37 | 42 |
| Printable ASCII (without space) | 6 | 12 | 14 | 15 | 20 | 29 | 35 | 40 |
| Printable ASCII | 6 | 12 | 14 | 15 | 20 | 29 | 35 | 39 |