Is my password really secure?

Passwords are like shoes: at some point you have too many, they often pinch, and once in a while you lose one. But unlike shoes, passwords protect access to our digital existence — email, banking, taxes, photos. How secure a password actually is depends on surprisingly few factors. Ten minutes of reading and you will know which ones matter.

Entropy: the math behind "secure"

Password strength is measured in bits of entropy. Simplified: log₂(N^L) = L · log₂(N), where N is the size of the alphabet and L the length. An 8-character password using lowercase letters (N = 26) has about 38 bits of entropy — crackable in seconds to minutes today. A 16-character password from the same alphabet reaches 75 bits, pushing brute force into the range of years to decades.

Important: this math only applies to genuinely random passwords. A password like "Summer2024!" looks complex to a human but has little entropy, because attackers use wordlists and simple rule sets. Strength meters that only look at length or character set dramatically overestimate the strength of such passwords.

Who attacks how?

Brute force

In a brute-force attack, the attacker tries all possible character combinations until one fits. Modern GPUs can run billions of MD5 hashes per second — weakly hashed passwords are lost. But against a well-hashed password (bcrypt, scrypt, Argon2), the attacker is slowed by orders of magnitude. Brute force becomes a patience game where password length pays off.
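The two paragraphs above can be turned into numbers. The following Python script is an added example, not part of the original article: it computes L · log₂(N) for a few alphabet/length combinations and converts the result into an expected cracking time against a fast unsalted hash and a slow password hash. The guess rates are order-of-magnitude assumptions chosen for illustration, not measurements.

```python
import math

# Assumed guess rates for one modern GPU (illustrative orders of magnitude,
# not benchmark results). Fast hashes allow tens of billions of guesses per
# second; a deliberately slow hash like bcrypt allows tens of thousands.
GUESSES_PER_SECOND = {
    "MD5 (unsalted, fast)": 5e10,
    "bcrypt (cost 12)": 2e4,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(N^L) = L * log2(N)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a random password by exhaustive search.

    On average the attacker has to try half of the 2**bits keyspace.
    """
    return (2 ** bits) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits (e.g. '1.5 minutes')."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def report(alphabet_size: int, length: int) -> tuple:
    """Return (entropy in bits, {hash name: expected seconds to crack})."""
    bits = entropy_bits(alphabet_size, length)
    times = {name: expected_crack_seconds(bits, rate)
             for name, rate in GUESSES_PER_SECOND.items()}
    return bits, times


if __name__ == "__main__":
    # Lowercase only at 8, 16 and 20 characters; full printable ASCII at 16.
    for n, l in [(26, 8), (26, 16), (26, 20), (95, 16)]:
        bits, times = report(n, l)
        print(f"alphabet={n:3d} length={l:2d} entropy={bits:5.1f} bits")
        for name, secs in times.items():
            print(f"    {name:22s} ~{human_duration(secs)}")
```

Run it and compare the two hash columns: the same 8-character lowercase password falls in seconds under MD5 but takes months under bcrypt, and every additional lowercase character multiplies both figures by 26. That is the "length pays off" argument in numbers.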

Dictionary and hybrid attacks

Instead of blindly trying all combinations, attackers use wordlists: lists of common passwords, leaked collections from earlier breaches, terms in national languages, names, birthdays. Hybrid attacks combine this with rules like "capitalize the first letter," "replace l with 1," "append a year." Most "creative" human passwords fall within hours.
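To see why a charset-counting strength meter overestimates "Summer2024!" while a wordlist-aware check does not, here is an added Python example (not code from the original article). It reports what a naive meter would say, then undoes the mangling rules named above (capitalisation, leet substitutions, appended digits or symbols) and looks the remaining core up in a wordlist. The wordlist is a constructed ten-entry stand-in for the multi-million-entry lists attackers actually use.

```python
import math
import re

# Constructed miniature wordlist; real attack lists run to millions of entries.
WORDLIST = {"summer", "winter", "password", "welcome", "dragon",
            "monkey", "letmein", "qwerty", "football", "iloveyou"}

# Leet substitutions that hybrid rules apply ("replace l with 1"); we undo them.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def naive_entropy_bits(password: str) -> float:
    """What a charset-counting meter reports: length * log2(charset size)."""
    n = 0
    if re.search(r"[a-z]", password):
        n += 26
    if re.search(r"[A-Z]", password):
        n += 26
    if re.search(r"[0-9]", password):
        n += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        n += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(n) if n else 0.0


def dictionary_core(password: str) -> str:
    """Strip the usual mangling and return the base word that is left.

    Order matters: strip appended/prepended digits and symbols first
    ("Summer2024!" -> "summer"), then undo leet inside the word
    ("P4ssw0rd" -> "password").
    """
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(UNLEET)


def assess(password: str) -> dict:
    """Combine the naive number with the wordlist-aware verdict."""
    core = dictionary_core(password)
    hit = core in WORDLIST
    if hit:
        verdict = "weak: wordlist entry plus mangling rules"
    elif len(password) < 12:
        verdict = "weak: too short"
    else:
        verdict = "no wordlist match; strength depends on how it was generated"
    return {
        "naive_bits": round(naive_entropy_bits(password), 1),
        "dictionary_word": core if hit else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ["Summer2024!", "P4ssw0rd!", "Tr0ub4dor&3",
               "correcthorsebatterystaple"]:
        print(pw, assess(pw))
```

"Summer2024!" scores over 70 "bits" on the naive meter because it uses all four character classes, yet it is a single wordlist entry with two appended rules; a cracker with a ten-entry list would hit it before a human finished typing it.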

Credential stuffing

Here the attacker doesn't need to crack your password — they already know it. Data breaches from other services provide millions of email/password pairs. Anyone reusing passwords across sites is immediately exposed. So: a separate, unique password for every important site.

Strategies for good passwords

What makes a password secure in practice?

  • Length beats complexity: a 20-character lowercase password is more secure than an 8-character word construct with special chars. Current NIST guidance dropped complexity requirements and favors a minimum of 12–15 characters.
  • Diceware passphrases: five to seven words randomly chosen from a standard wordlist (e.g. "correct horse battery staple trombone snake") easily reach 60–90 bits of entropy and are surprisingly easy to remember.
  • Randomly generated strings: for passwords you don't type but paste from a password manager, a 20+ character random string is optimal. It maximizes entropy per character and has no dictionary weakness.
  • Password managers: KeePass(XC), 1Password, Bitwarden, etc. generate and store unique passwords per site. The master passphrase is the only one you still memorize — and it should be really good.
  • Never reuse: for email, banking, primary cloud storage, and identity providers (Google, Apple), use a unique password plus its own 2FA. Reusing here invites a domino takeover.
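A generator for the two recommended password types, Diceware passphrases and random strings, as an added Python example rather than the article's own code. It uses the `secrets` module, which draws from the operating system's CSPRNG, and reports the entropy that follows from the list or alphabet size. The 32-word list inside the block is a constructed stand-in so the example runs offline; a real Diceware list such as the EFF long list has 7776 entries, which is the default `words_needed` assumes.

```python
import math
import secrets
import string

# Constructed 32-word stand-in for a Diceware list (only 5 bits per word).
# A real list with 7776 entries gives about 12.9 bits per word.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "trombone", "snake", "anvil",
    "bishop", "cactus", "dolphin", "ember", "falcon", "garnet", "hammock",
    "iguana", "jigsaw", "kayak", "lantern", "marble", "nectar", "orbit",
    "pepper", "quartz", "ribbon", "saddle", "tulip", "umpire", "velvet",
    "walnut", "yogurt", "zephyr", "acorn",
]

# Full printable ASCII minus space: 52 letters + 10 digits + 32 symbols = 94.
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase(words: int, wordlist=SAMPLE_WORDLIST):
    """Pick `words` entries uniformly at random; return (phrase, entropy bits).

    secrets.choice is used on purpose: random.choice is seeded from a
    predictable state and is not suitable for secrets.
    """
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    return " ".join(chosen), words * math.log2(len(wordlist))


def random_string(length: int, alphabet=RANDOM_ALPHABET):
    """Uniform random string for password-manager use; return (string, bits)."""
    s = "".join(secrets.choice(alphabet) for _ in range(length))
    return s, length * math.log2(len(alphabet))


def words_needed(target_bits: float, wordlist_size: int = 7776) -> int:
    """Smallest number of Diceware words reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def chars_needed(target_bits: float, alphabet_size: int = 94) -> int:
    """Smallest random-string length reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    phrase, bits = passphrase(6)
    print(f"{phrase!r}: {bits:.1f} bits (tiny sample list)")
    s, bits = random_string(20)
    print(f"{s!r}: {bits:.1f} bits")
    print("words for 80 bits with a 7776-word list:", words_needed(80))
    print("random characters for 80 bits from 94 symbols:", chars_needed(80))
```

Note the asymmetry the helper functions expose: a six-word phrase from a real Diceware list sits just under 80 bits, so the "80 bits for the master passphrase" target means seven words, while the same entropy needs only thirteen characters from the 94-symbol alphabet.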

Two-factor authentication

Even an 80-bit password doesn't help much if it leaks through phishing. That's where 2FA comes in: in addition to the password, the attacker needs a second factor — typically a short-lived code from an authenticator app (TOTP) or a hardware token (FIDO2/WebAuthn). Even if the password is leaked, the account stays locked without the second factor.

SMS-based 2FA is better than nothing, but vulnerable to SIM-swap attacks and should be avoided for valuable accounts. Authenticator apps like Aegis, 2FAS, or Authy are better; FIDO2 security keys (YubiKey, NitroKey) are the gold standard and reliably defeat even phishing.

Have I Been Pwned & co.

The "Have I Been Pwned" service collects publicly known data breaches and lets you check whether your email appears in any leak. The associated Pwned Passwords dataset contains over a billion leaked password hashes — before settling on a password, a quick check there can reveal whether it has already appeared somewhere.

Many password managers now automatically check whether your stored passwords appear in such lists. If one of your passwords turns up, change it everywhere you have used it — promptly.
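The Pwned Passwords check can be done without ever sending the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every known suffix with that prefix together with a count. The Python below is an added example (not the article's or the service's own code) that implements the client side. The network call is isolated in one function; the sample range response in the block is constructed locally so the parsing and matching can run offline.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the format the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (5-char prefix sent to the server, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) for our suffix.

    Returns the breach count, or 0 if the suffix is absent. The server
    never learns more than the prefix, i.e. one of 16**5 buckets.
    """
    _, suffix = split_for_range_query(password)
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call to the real API; only this function talks to the server."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_sample_response() -> str:
    """Constructed stand-in for an API response (real responses list
    hundreds of suffixes per prefix; counts here are made up)."""
    leaked = {"password": 3730471, "letmein": 191623}
    lines = [f"{split_for_range_query(pw)[1]}:{n}" for pw, n in leaked.items()]
    # Unrelated suffix in the same bucket, to show non-matching lines are skipped.
    lines.append("0123456789ABCDEF0123456789ABCDEF012:7")
    return "\r\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_response()
    for pw in ["password", "correct horse battery staple trombone snake"]:
        prefix, _ = split_for_range_query(pw)
        print(f"{pw!r}: prefix {prefix}, seen {pwned_count(pw, sample)} times")
    # To query the live service instead:
    # count = pwned_count(pw, fetch_range(prefix))
```

Two points worth keeping in mind when using this: SHA-1 is fine here because it is only a lookup key into a public corpus, not a storage hash, and a count of zero means "not in this dataset", not "secure", so the check complements the entropy reasoning above rather than replacing it.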

Frequently asked questions

How long should a password be?

For a randomly generated password from a 70+ character alphabet: 16+ characters is very robust against brute force. For Diceware passphrases: 6 or 7 words. The master passphrase of a password manager should have at least 80 bits of entropy — i.e. 6+ Diceware words or 14+ random characters from a large alphabet.

Should I change my password regularly?

Current NIST guidance says: no, not on a routine. Forced periodic changes lead users to choose small variations ("Summer2024!" becomes "Summer2025!") — security goes down, not up. Change a password when you suspect compromise or a service has suffered a breach.

Are passkeys the end of passwords?

Passkeys (FIDO2/WebAuthn) are a big step: no password is transmitted, the device holds the private key, the server only knows the public one. Phishing becomes structurally harder. Classical passwords will nevertheless be around for years — as a fallback, for legacy systems, and in environments without passkey support. Learn to live with both.

Disclaimer: This article is a general introduction and not individual security advice. For especially sensitive data (companies, critical infrastructure, high-risk profiles), consult a specialized IT security expert or follow the guidance of BSI, NIST, or ENISA.