How many bits of entropy is enough in 2026?
NIST SP 800-63B retired complexity rules, so focus on length. Aim for 60 to 80 bits for ordinary web accounts, 128 bits for encryption keys, and 256 bits if you want margin against future quantum attacks.
Does using symbols always strengthen a password?
Only slightly. Doubling the password length adds far more entropy than adding a special character. Length dominates the entropy formula.
Why are passphrases stronger than complex short passwords?
A four-word random passphrase from a 7,000-word list packs roughly 50 bits of entropy and beats a short complex password on typing ease. Short "complex" passwords are shorter, but they are often more predictable.
How does an attacker calculate crack time?
Crack time ≈ search space / guess rate, where search space = charset size ^ length. Guess rate varies by attack: 1 M guesses/s for online, 1 B guesses/s for GPU offline, 1 T guesses/s for nation-state hardware.
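The formulas in this FAQ worked through as an added example (not code from the original page): it compares symbol variety against length and a passphrase at the three guess rates quoted above, and computes how many random characters or words reach the 60, 80 and 128-bit targets. It assumes every character or word is chosen uniformly at random, which is the only case where charset^length is the real search space; the 94-character printable ASCII set and the sample cases are constructed for illustration.

```python
import math

# Guess rates quoted in the FAQ above (guesses per second).
GUESS_RATES = {"online": 1e6, "gpu_offline": 1e9, "nation_state": 1e12}

# Constructed sample cases: (label, choices per position, length).
CASES = [
    ("8 chars, lowercase only", 26, 8),
    ("8 chars, 94 printable ASCII", 94, 8),
    ("16 chars, lowercase only", 26, 16),
    ("4 words, 7,000-word list", 7000, 4),
]

def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` items drawn uniformly at random from `choices` options."""
    return length * math.log2(choices)

def min_length(target_bits: float, choices: int) -> int:
    """Smallest number of random items (characters or words) reaching target_bits."""
    return math.ceil(target_bits / math.log2(choices))

def crack_seconds(bits: float, rate: float) -> float:
    """Crack time = search space / guess rate, with search space = 2**bits."""
    return 2.0 ** bits / rate

def humanize(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"

def report():
    """Return (label, entropy bits, {attack: crack time}) for each sample case."""
    rows = []
    for label, choices, length in CASES:
        bits = entropy_bits(choices, length)
        times = {name: humanize(crack_seconds(bits, r)) for name, r in GUESS_RATES.items()}
        rows.append((label, round(bits, 1), times))
    return rows

if __name__ == "__main__":
    for label, bits, times in report():
        print(f"{label:30s} {bits:5.1f} bits  " + "  ".join(f"{k}={v}" for k, v in times.items()))
    for target in (60, 80, 128):
        print(f"{target} bits: {min_length(target, 94)} random ASCII chars or {min_length(target, 7000)} words")
```

Human-chosen passwords fall well short of these figures, because attackers try likely candidates first instead of walking the full search space.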