LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

If a system uses strong encryption, why is a user's password so often the weakest link?

Passwords carry far less entropy than crypto keys, and — unlike keys — they are routinely brute-forced. A 12-character "complex" password is only ~72 bits; matching a 128-bit key would take ~22 fully random characters that nobody can memorize.

Entropy of a strong password vs a crypto key

* A "12-char complex" password (72 bits) is no match for even a 128-bit key. *

Cryptographic strength is measured in bits of entropy — how many equally-likely possibilities an attacker must search. Keys and passwords sit on very different scales:

  • A random 128-bit key needs about 22 Base64 characters (≈ 39 decimal digits) to reach the same entropy — far more than anyone memorizes.
  • A "strong-looking" 12-character password with upper/lowercase, digits and symbols is only about 72 bits. Against brute force that is $2^{256}/2^{72} = 2^{184} \approx 10^{55}$ times weaker than a 256-bit key.
  • The decisive difference: brute-forcing a crypto key is physically hopeless, but brute-forcing passwords is everyday practice (leaked hash databases, online guessing, dictionary attacks). So the password — not the cipher — is what attackers actually grind on.

This is why a 256-bit AES key behind a guessable password buys you nothing: the attacker skips the unbreakable math and goes straight for the human-chosen secret. Use a password manager or a long passphrase, and protect the key store itself — the chain is only as strong as its weakest secret.

Go deeper:

From Quiz: KRYPTOG / Key Sizes and Conclusion | Updated: Jul 14, 2026