How many bits of entropy should a Bitcoin wallet password have?

For Bitcoin Core which uses a slow SHA-512 + AES round count, 80 bits of entropy gives practical safety against a hobbyist attacker for the next twenty years, 100 bits defeats commercial GPU farms through 2050, and 128 bits is robust against plausible nation-state attackers for the foreseeable future. 80 bits equates to a 14-character random mixed-case + digit string or a 7-word Diceware passphrase.

Is a long passphrase better than a short random password?

It depends entirely on entropy per character. A 20-character passphrase like 'correcthorsebatterystaple' has roughly 85 bits of entropy from 11 random words, which is fine. But 'mysister1978bornindallas' has under 40 bits because the attacker's dictionary knows names, years, and US cities. A 12-character genuinely random mixed-case + digit + symbol string has 78 bits — roughly equivalent safety to the 7-word passphrase and harder to remember. Both work; patterned 'long' passwords do not.

Does the BIP39 25th word passphrase need the same entropy as a wallet password?

More, actually. The BIP39 optional passphrase is fed directly into PBKDF2-HMAC-SHA512 with only 2048 iterations, which is cheap to brute force on GPUs (millions of attempts per second). And unlike a wallet password, it cannot be reset because a different passphrase simply derives a different valid wallet. For a 25th word to add real security, aim for at least 100 bits of entropy — a 7-word Diceware phrase is the minimum, 9 words preferred.

Why does hashcat speed vary so much between wallet modes?

Because different wallets use different key derivation functions with wildly different compute and memory costs. Electrum mode 16600 uses PBKDF2-HMAC-SHA256 with 1024 iterations — cheap — so GPUs hit 4.5 MH/s per 3090. Ethereum Scrypt mode 15700 uses Scrypt N=262144 which is both compute and memory hard, limiting the same GPU to 900 H/s. A password with 50 bits of entropy falls to Electrum in under three hours on one card and lasts 18 years against Scrypt on the same card.

Can quantum computers break wallet passwords?

Not in ways that matter for password choice. Grover's algorithm provides a quadratic speed-up for symmetric-key brute force, effectively halving the bit strength of a password. A 128-bit-entropy password becomes a 64-bit target for a fault-tolerant quantum computer, which is still around five million years of current classical work. The bigger quantum threat is to ECDSA, not to your KDF; wallets that have never signed a transaction are much safer than wallets whose public keys have already been revealed.

Crypto Wallet Password Strength

Most password advice is folklore. "Use 12 characters with a symbol" is meaningless without specifying against what attacker, for what KDF, over what time horizon. This guide gives you the actual numbers so you can choose a password that is as strong as it needs to be and no stronger than you can remember.

The only concept that matters: entropy

A password's strength is measured in bits of entropy. An attacker who knows your password's generation process — "random from an alphabet of 62 characters, length 10" — needs on average 2^(n-1) guesses to find it, where n is the entropy bits. The formula:

entropy_bits = length × log₂(alphabet_size)

Example: 10 random characters from [a–z, A–Z, 0–9] (alphabet 62) gives 10 × log₂(62) ≈ 10 × 5.95 = 59.5 bits.

The trick is the word random. A password like Password123! has 12 characters and 72 bits of apparent entropy, but an attacker's smart dictionary tries it within the first thousand candidates. Its real entropy is closer to 10 bits. The same length generated truly randomly gives 72 bits and takes until 2050 to brute force on a serious rig.

The attacker models

Attacker	Budget	MD5/SHA1 H/s	Scrypt H/s
Hobbyist, 1 GPU	$1,500	60 GH/s	1 KH/s
Recovery service, 10 GPUs	$25,000	600 GH/s	10 KH/s
Commercial farm, 100 GPUs	$250,000	6 TH/s	100 KH/s
Nation-state, 100k ASICs/GPUs	$1 B	6 EH/s	1 GH/s

Bitcoin's own network hashrate sits around 600 EH/s in 2026, so "nation-state" in this table is actually conservative — you can rent that scale today from the right ASIC pool, though only for SHA-256. For password KDFs the real ceiling is roughly 10 EH/s on fast modes.

How long does your password survive?

The time to exhaust a keyspace of N candidates is N / rate / 2 on average (half the space by the birthday pigeonhole). For an 80-bit-entropy password against various attackers on a fast hash (SHA-256):

Attacker	80 bits	100 bits	128 bits
Hobbyist 60 GH/s	320,000 years	330 million yrs	heat death
Service 600 GH/s	32,000 years	33 million yrs	heat death
Farm 6 TH/s	3,200 years	3.3 million yrs	8 × 10^19 yrs
Nation 6 EH/s	3.2 years	3.3 million yrs	8 × 10^13 yrs

Key takeaway: 80 bits is enough against a recovery-service-scale attacker but not a nation-state on a fast KDF. 100 bits survives everyone on fast KDFs for millions of years. 128 bits is universally safe.

Slow KDFs are your friend

The attacker speeds above assume a bare hash. Modern wallets do not hash your password once — they run it through a key derivation function designed to be slow. This turns every attacker's effective rate down by the KDF's cost multiplier.

Wallet / KDF	Cost factor vs SHA	3090 rate	Equivalent bits
Electrum 1024 PBKDF2-SHA256	~10,000x	4.5 MH/s	+13 bits
MetaMask 10k PBKDF2-SHA256	~100,000x	110 KH/s	+17 bits
Bitcoin Core ~25k SHA-512+AES	~250,000x	100 KH/s	+18 bits
Ethereum Scrypt N=262144	~60 million x	900 H/s	+26 bits
Argon2id 64 MB (best practice)	~500 million x	~100 H/s	+29 bits

"Equivalent bits" is how much extra password entropy the KDF effectively adds by slowing the attacker down. An Ethereum keystore password with 60 bits of real entropy is, against GPU attackers, as safe as a raw 86-bit SHA password. That is why Scrypt-based wallets can get away with shorter passwords than Electrum-based ones.

Diceware — word-count recommendations

Diceware generates a passphrase by rolling physical dice to pick words from a 7,776-word list. Each word adds log₂(7776) ≈ 12.92 bits of entropy. Memorable, typeable, and genuinely random if you use actual dice.

Words	Entropy	Use case
5	64.6 bits	Low-value accounts with slow KDF; NOT for Bitcoin.
6	77.5 bits	Electrum / MetaMask minimum. Safe against recovery services.
7	90.4 bits	Bitcoin Core wallet.dat recommended. BIP39 passphrase minimum.
8	103.3 bits	High-value cold storage. Nation-state resistant on any modern KDF.
9	116.3 bits	Paranoid cold storage. Generational holdings.
10	129.2 bits	Beyond the reach of any foreseeable classical attacker.

Random passwords — character-count recommendations

Length	[a–z A–Z 0–9] (62)	+ symbols (95)
8	47.6 bits (too weak)	52.6 bits (too weak)
10	59.5 bits	65.7 bits
12	71.5 bits	78.9 bits
14	83.4 bits (good)	92.0 bits (good)
16	95.3 bits (strong)	105.1 bits (strong)
20	119.1 bits (paranoid)	131.4 bits (paranoid)

The BIP39 passphrase — special case

The optional 25th-word passphrase on a BIP39 seed is the single most abused feature in crypto. It is treated as "extra security" by users who then choose weak values, unaware of three specific risks:

Cheap KDF. BIP39 passphrase is fed into PBKDF2-HMAC-SHA512 at only 2048 iterations. This is roughly 1000x cheaper than Bitcoin Core's KDF. A 3090 tests millions of candidates per second.
No wrong-password error. Every passphrase produces a valid wallet at different addresses. You cannot tell you entered it wrong; you just see empty addresses.
Partial-seed leaks become fatal. If your 24 words are compromised (stolen photo, bad shamir split), a weak 25th word falls in under a day to a GPU attacker.

Minimum safe BIP39 passphrase: 7 Diceware words or 16 random characters. Anything shorter is security theatre.

How patterned passwords fail

Attackers do not iterate random strings; they iterate patterns drawn from billions of leaked-password corpora and targeted rule sets. A password's real entropy is measured against the attacker's candidate ordering, not the theoretical alphabet. Common patterns and their real entropy:

Password123! — tried in the first 10,000 candidates. ~13 bits real.
Bitcoin2024! — tried in the first million. ~20 bits real.
MyDogSparky78 — known name + dog word + year. Under 30 bits once the attacker has your social media.
Tr0ub4dor&3 — the infamous xkcd example. ~28 bits once common l33t-substitution rules are applied.
correct horse battery staple — four random common words. ~44 bits. Marginal.

The rule of thumb: any password a human would find "memorable because it makes sense" has dramatically less entropy than its character count suggests. A password that looks like random line noise has the entropy its length implies.

How recovery services exploit low entropy

Every commercial recovery service (including ours) wins its finds by attacking the low-entropy patterns first. When you submit hints like "it had my dog's name and a year", the service can usually collapse the candidate space from 10^20 to around 10^7 — seven orders of magnitude — and crack in hours instead of never. This is simultaneously the reason recovery is possible at all and the warning that your password is probably not as strong as you think.

Flip side: if you set your wallet password from /dev/urandom or a reputable password manager at 14+ characters, and you do not remember it, a recovery service cannot help you either. Your protection cuts both ways.

Practical recommendations

For a hot wallet you access weekly: 6 Diceware words or 14 random characters. Store in a reputable password manager; do not trust your memory for the exact spelling.
For a Bitcoin Core / Electrum cold wallet: 7 Diceware words or 16 random characters. Written twice on paper in two geographic locations.
For a BIP39 25th-word passphrase: 7 Diceware words minimum. Never a short word; the KDF is too cheap.
For a hardware-wallet PIN: whatever the device supports, usually 4–8 digits. The hardware rate-limits attacks so entropy matters less; the security comes from the enclave, not the PIN.
Never rely on a password alone for generational wealth. Always have the seed phrase backed up separately; the password only protects the local file, not the coins.

What to do right now

If you just created a wallet: run your password through zxcvbn's online demo or the CLI tool. If its estimated crack time under "online fast" is under a year, your password is weak; regenerate it from a password manager or Diceware.

If you already lost access to a wallet with a weak password, that is actually good news — professional GPU farms can probably recover it. Submit via our recover page; we pair candidate lists with hints you provide and charge only on success.

Related reading: our BIP39 seed recovery guide covers the math of missing-word attacks, and the home GPU rig guide shows real measured hashcat rates against all these KDFs on consumer hardware.

Last updated 2026-04-21. Hashcat performance numbers verified on RTX 3090 with driver 550.120 and hashcat 6.2.6; KDF constants from the respective wallet source repositories as of Q1 2026.

How Strong Does Your Crypto Password Really Need to Be?