**By Dev Tools Weekly** | password-generator.co
Entropy requirements, 2FA guide, and a ready-to-use policy template.
Password Strength — The Math
Entropy Formula
Entropy (bits) = log₂(pool_size ^ length)
= length × log₂(pool_size)
Character Pool Sizes
| Character Set | Pool Size | Entropy/char |
|---|---|---|
| Digits only (0-9) | 10 | 3.32 bits |
| Lowercase (a-z) | 26 | 4.70 bits |
| Lower + upper | 52 | 5.70 bits |
| Lower + upper + digits | 62 | 5.95 bits |
| All printable ASCII | 95 | 6.57 bits |
| Diceware word list | 7,776 | 12.9 bits/word |
Strength Thresholds
| Entropy | Rating | Time to Crack (10B guesses/sec) |
|---|---|---|
| < 28 bits | Very weak | Instant |
| 28-35 bits | Weak | Minutes |
| 36-59 bits | Fair | Hours to days |
| 60-79 bits | Strong | Years |
| 80-99 bits | Very strong | Centuries |
| 100+ bits | Excellent | Heat death of universe |
Examples
| Password | Entropy | Rating |
|---|---|---|
| password | ~0 (dictionary) | 💀 Terrible |
| P@ssw0rd | ~0 (common mutation) | 💀 Terrible |
| Tr0ub4dor&3 | ~28 bits | ⚠️ Weak |
| correct horse battery staple | ~44 bits (4 words) | ✅ Fair |
| j7#kL9$mQ2&pR5 (15 random) | ~98 bits | 💪 Very strong |
| 6 random diceware words | ~77 bits | 💪 Very strong |
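The formula and the two tables above are easy to turn into a small estimator. The following is an added example (not code from Dev Tools Weekly or password-generator.co): it derives the pool size from the character classes actually present, applies `length × log₂(pool_size)`, rates the result with the thresholds table, and estimates worst-case search time at 10 billion guesses per second. The `BLOCKLIST` set is a constructed stand-in for a real breached-password list; anything on it gets the ~0 bits the Examples table assigns to dictionary words, since the entropy formula only applies to genuinely random choices.

```python
import math

# Character classes and their pool sizes, from the "Character Pool Sizes" table.
# 95 printable ASCII = 10 digits + 26 lower + 26 upper + 33 symbols (32 punctuation + space).
_CLASSES = (
    (set("0123456789"), 10),
    (set("abcdefghijklmnopqrstuvwxyz"), 26),
    (set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 26),
    (set(r"""!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ """), 33),
)

DICEWARE_WORDS = 7776          # standard Diceware list size (6^5)
GUESSES_PER_SECOND = 1e10      # the rate assumed by the thresholds table

# Constructed mini blocklist; a real deployment would use a breached-password list.
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty"}


def pool_size(password: str) -> int:
    """Sum the pool of every character class that appears in the password.

    An attacker who knows the generator's alphabet searches that whole alphabet,
    so the pool is the union of the classes used, not the characters used.
    """
    return sum(n for chars, n in _CLASSES if any(c in chars for c in password))


def random_password_entropy(password: str) -> float:
    """Bits of entropy for a password chosen uniformly from its character pool."""
    if not password or password.lower() in BLOCKLIST:
        return 0.0                       # dictionary / common mutation: formula does not apply
    return len(password) * math.log2(pool_size(password))


def passphrase_entropy(word_count: int, list_size: int = DICEWARE_WORDS) -> float:
    """Bits of entropy for word_count words drawn uniformly from a list_size-word list."""
    return word_count * math.log2(list_size)


def rate(bits: float) -> str:
    """Rating per the Strength Thresholds table."""
    if bits < 28:
        return "Very weak"
    if bits < 36:
        return "Weak"
    if bits < 60:
        return "Fair"
    if bits < 80:
        return "Strong"
    if bits < 100:
        return "Very strong"
    return "Excellent"


def crack_time_seconds(bits: float, rate_per_s: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole keyspace (worst case; on average half of this)."""
    return 2 ** bits / rate_per_s


def report(label: str, bits: float) -> str:
    return f"{label:<32} {bits:6.1f} bits  {rate(bits):<12} {crack_time_seconds(bits):.3g} s"


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "j7#kL9$mQ2&pR5"):
        print(report(pw, random_password_entropy(pw)))
    for words in (4, 6):
        print(report(f"{words} diceware words", passphrase_entropy(words)))
```

Note that the string `j7#kL9$mQ2&pR5` is 14 characters, so the estimator reports about 92 bits for it; 15 characters from the 95-character pool would give the ~98 bits listed in the table. The `Tr0ub4dor&3` figure in the table (~28 bits) is the xkcd-style estimate for a mutated dictionary word, which the plain formula cannot reproduce: it would rate the string as if it were random, which is exactly why an estimator must combine the formula with a blocklist or dictionary check.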
2FA / MFA Quick Guide
Methods Ranked (Security)
| Method | Security | Convenience | Notes |
|---|---|---|---|
| **Hardware key** (YubiKey, Titan) | ★★★★★ | ★★★ | Phishing-resistant. Best option. |
| **Passkey** (FIDO2/WebAuthn) | ★★★★★ | ★★★★ | Biometric + device-bound. The future. |
| **TOTP app** (Authy, Google Auth) | ★★★★ | ★★★★ | 6-digit rotating codes. Very good. |
| **Push notification** (Duo, MS Auth) | ★★★ | ★★★★★ | Convenient but vulnerable to fatigue attacks. |
| **SMS OTP** | ★★ | ★★★★★ | SIM-swap vulnerable. Better than nothing. |
| **Email OTP** | ★★ | ★★★★ | Email compromise = game over. |
| **Security questions** | ★ | ★★★ | Answers are guessable/public. Avoid. |
TOTP Setup Checklist
- [ ] Install authenticator app (Authy, 1Password, Bitwarden)
- [ ] Scan QR code from service
- [ ] **Save backup codes in a secure location** (password manager, printed in safe)
- [ ] Verify by entering a code
- [ ] Test recovery flow before you need it
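What the authenticator app does after step 2 is HMAC-based: the QR code carries a base32 secret, and every 30 seconds both the app and the server derive a 6-digit code from that secret and the current time step (RFC 6238 TOTP over RFC 4226 HOTP). The following is an added example written for this cheat sheet, not code from any of the apps named above: it implements generation and server-side verification using only the standard library, accepts one step of clock drift in either direction, and returns the matched counter so a server can refuse to accept the same code twice. `RFC_TEST_SECRET` is the test-vector key from RFC 6238, not a real secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # time step used by the common authenticator apps
DIGITS = 6          # "6-digit rotating codes"

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); never use a fixed secret in production.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret from an otpauth:// URI or a QR code (padding is optional)."""
    cleaned = text.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = STEP_SECONDS, window: int = 1) -> Optional[int]:
    """Check a submitted code against the current step and +/- window steps of drift.

    Returns the counter that matched, or None. A server should persist the last
    accepted counter per user and reject any counter <= it, so a code cannot be replayed.
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta)
        if hmac.compare_digest(candidate, code):   # constant-time comparison
            return counter + delta
    return None


if __name__ == "__main__":
    print("RFC 6238 vector at t=59:", totp(RFC_TEST_SECRET, at=59))   # 287082
    print("current code:", totp(RFC_TEST_SECRET))
```

Backup codes (step 3 of the checklist) are separate from this scheme: they are single-use random strings that the server stores hashed like passwords, which is why losing the base32 secret does not invalidate them and vice versa.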
Password Policy Template
Copy and customize for your organization.
[Company Name] Password Policy
Effective Date: ___________
1. Password Requirements
- **Minimum length:** 14 characters (16+ recommended)
- **Maximum length:** At least 64 characters must be supported
- **Complexity:** No complexity rules if length ≥ 14 (per NIST SP 800-63B)
- **Blocked passwords:** Must check against known breached password lists
2. Password Manager
- **Required:** All employees must use an approved password manager
- **Approved options:** [1Password / Bitwarden / Keeper]
- **Master password:** Must be a passphrase of 5+ words or 20+ characters
- **Sharing:** Use password manager sharing features, never plaintext
3. Multi-Factor Authentication
- **Required for:** All accounts (company email, cloud services, admin tools)
- **Preferred methods:** Hardware security key or TOTP app
- **SMS 2FA:** Acceptable only where no other option exists
- **Backup codes:** Must be stored in password manager or physical safe
4. Password Rotation
- **Do NOT force periodic rotation** (per NIST 800-63B guidelines)
- **Rotate immediately when:** breach suspected, employee departure, shared credential compromise
- **Service accounts:** Rotate every 90 days via automated secret management
5. Prohibited Practices
- ❌ Sharing passwords via email, chat, or text
- ❌ Storing passwords in spreadsheets, documents, or sticky notes
- ❌ Reusing passwords across services
- ❌ Using personal passwords for work accounts
- ❌ Saving passwords in browsers (use password manager instead)
6. Incident Response
- Report suspected compromise to IT immediately
- Change affected password(s) within 1 hour
- Enable 2FA on compromised account if not already active
- Review account activity for unauthorized access
NIST 800-63B Key Recommendations (2024)
The latest NIST guidelines have changed significantly:
| Old Rule | New NIST Guidance |
|---|---|
| Require complexity (uppercase, symbols) | ❌ Don't require — increases predictable patterns |
| Force rotation every 90 days | ❌ Don't force — only on evidence of compromise |
| Minimum 8 characters | ✅ Minimum 15+, support at least 64 |
| Security questions | ❌ Don't use — answers are guessable |
| SMS for 2FA | ⚠️ Restricted — use only as last resort |
| Check against breached lists | ✅ Required — block known compromised passwords |
| Allow paste in password fields | ✅ Required — supports password managers |
Password Manager Comparison
| Feature | 1Password | Bitwarden | KeePass |
|---|---|---|---|
| **Price (personal)** | $3/mo | Free / $1/mo | Free |
| **Price (team)** | $8/user/mo | $4/user/mo | Free |
| **Open source** | ❌ | ✅ | ✅ |
| **Self-host option** | ❌ | ✅ | ✅ (local file) |
| **Browser extension** | ✅ | ✅ | Via plugin |
| **Mobile app** | ✅ | ✅ | Via KeePassDX |
| **Passkey support** | ✅ | ✅ | ❌ |
| **Secret sharing** | ✅ | ✅ (paid) | ❌ |
| **Emergency access** | ✅ | ✅ (paid) | Manual |
Breach Check Resources
| Resource | URL | What It Does |
|---|---|---|
| Have I Been Pwned | haveibeenpwned.com | Check if email/password appeared in breaches |
| HIBP API | api.pwnedpasswords.com | k-anonymity API for password checking (safe) |
| Firefox Monitor | monitor.firefox.com | Breach alerts |
| Google Password Checkup | passwords.google.com | Check saved passwords |
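The HIBP "k-anonymity" API in the table above is what makes the policy template's breached-list check (section 1) practical without ever sending a password to a third party: the client hashes the password with SHA-1, sends only the first 5 hex characters, receives every known suffix for that prefix, and does the comparison locally. The following added example (not code from Dev Tools Weekly, password-generator.co or HIBP) implements that client side together with the template's length rules. `fake_fetch_range` and its response body are constructed so the example runs offline; `fetch_range_live` shows the real request shape and is not called by default. `MAX_LENGTH = 128` is an assumed cap chosen to satisfy the policy's "at least 64 characters must be supported" line.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

MIN_LENGTH = 14        # policy template, section 1
MAX_LENGTH = 128       # assumed cap; the policy only requires that 64+ be accepted

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padded responses include suffixes with count 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in breach data, 0 if unseen (or only a padding entry)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_password(password: str, fetch_range: Callable[[str], str]) -> List[str]:
    """Apply the policy template's section 1: length bounds and breached-list check, no complexity rules."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"appears {seen} times in breach data")
    return problems


def fetch_range_live(prefix: str) -> str:
    """Real request: only the 5-char prefix leaves the machine. Padding hides which range was queried."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true",
                                                              "User-Agent": "policy-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: the suffix below is SHA-1("password") minus its prefix 5BAA6;
# the count and the second (padding-style, count 0) entry are made up for the example.
_FAKE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n"
             "0000000000000000000000000000000000A:0\n",
}


def fake_fetch_range(prefix: str) -> str:
    return _FAKE_RANGE.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_password(pw, fake_fetch_range) or "ok")
```

The value of the design is in `breach_count`: the server learns a prefix shared by hundreds of hashes and nothing else, so the check can be run at password-set time or in a login flow without widening the blast radius if the API provider is compromised. Do the comparison on the suffix, never by sending the full hash.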
🛠 Generate strong passwords instantly: password-generator.co
📧 More cheat sheets: Dev Tools Weekly Newsletter