A passphrase is a password made of multiple random words strung together, like correct-horse-battery-staple. They've become increasingly popular because they're both easier to remember and often more secure than traditional character-based passwords.
What Is a Passphrase?
A passphrase is a sequence of random words used as a password. The concept was popularised by the XKCD comic "Password Strength" (2011) and formalised through Diceware, a method where physical dice rolls are used to select words from a list, ensuring true randomness.
The key word is random. A passphrase like "sunny-mountain-river" is not strong, because those words relate to each other and a human might think of the same combination. A passphrase like "wagon-precise-atlas-eleven" is strong because the words were selected randomly from a large list.
Why Long Is More Secure Than Complex
Password security is measured in bits of entropy, a logarithmic measure of how many possible passwords an attacker must try: each additional bit doubles the search space. A 4-word passphrase from the 7,776-word EFF list has 4 × log2(7776) ≈ 52 bits of entropy. A random 8-character password drawn from uppercase, lowercase, digits and symbols has about 52 bits as well. So they're equivalent in security, but the passphrase is far easier to remember.
A 6-word passphrase has ~77 bits, stronger than a random 12-character password (~72 bits). This is why security experts increasingly recommend passphrases for anything you need to type or remember, particularly master passwords for password managers.
Passphrase vs Password: Head to Head
Memorability: Passphrases win clearly. "wagon-precise-atlas-eleven" is far easier to remember than "Xk9#mP2@qR5!". This means people are less likely to write them on sticky notes or reuse them.
Security per length: Roughly equivalent at 4 words vs 8 random characters. Passphrase wins as you add more words.
Typing ease: Passphrases are much easier to type on mobile or tablet. No fumbling with special characters.
Site compatibility: Some sites don't allow spaces or have short maximum password lengths. A random password generator may be more practical for these.
Brute-force resistance: Both are equally resistant if the entropy is equivalent. Passphrases are more resistant to dictionary attacks that target patterns in character-based passwords.
When to Use Each
Use a passphrase for: your password manager master password, full disk encryption (BitLocker, FileVault), sudo/admin account passwords, anything you need to remember and type regularly.
Use a random password for: anything stored in a password manager (since you don't need to remember it), accounts with length restrictions, cases where spaces aren't allowed.
Passphrase Rules That Actually Matter
First: the words must be random. Don't pick words that relate to you, your interests, or that you'd naturally think of. Use a proper generator, like our passphrase generator, which uses crypto.getRandomValues().
Second: use at least 4 words, preferably 5 or 6. Three words is too short for anything important.
Third: capitalising and adding a number help satisfy site requirements without meaningfully reducing security if you apply them consistently (e.g., always capitalise the first word, always append a number).
Passphrases Don't Replace 2FA
A strong passphrase protects you against password guessing, but not against phishing, data breaches where the server is compromised, or a keylogger on your device. Two-factor authentication provides a layer of protection even when your password is somehow obtained. Use a strong passphrase and enable 2FA on every account that supports it.