"Use a passphrase, not a password" has become common security advice, but it's often repeated without explaining why — or when it stops being true. This article looks at the actual mechanics of passphrase strength, compares it directly to traditional complex passwords, and covers the cases where a passphrase is the wrong choice.
In short
A randomly-generated passphrase of 4+ words beats a substituted-word "complex" password because its strength comes from genuine randomness, not a predictable pattern cracking tools already know to test. Use the Password Generator in passphrase mode to generate one — self-composed phrases (quotes, sayings) don't count.
What makes something a passphrase rather than a password
A passphrase is a sequence of multiple, unrelated words — for example correct-horse-battery-staple or harbor7unusual-pinecone — used in place of a single word with substituted characters, like P@ssw0rd!. The distinction isn't strict length; it's structure. A passphrase derives its strength from combining multiple independent, high-entropy elements (words chosen from a large pool), while a traditional "complex" password derives its strength from character substitution applied to a much smaller, more predictable base (a single dictionary word or name).
This builds on password entropy
The strength comparison below assumes familiarity with how password entropy is calculated. See Understanding Password Entropy for the underlying math — this article focuses on the practical comparison.
Why passphrases tend to win
A four-word passphrase drawn randomly from a 7,776-word list (the size of the well-known Diceware word list) has roughly 51 bits of entropy — meaningfully stronger than most traditional 8-character complex passwords, which typically fall in the 28–40 bit range once predictable substitution patterns are accounted for, despite satisfying every composition rule a legacy policy might require.
The practical reason passphrases outperform substituted-word passwords isn't randomness in the abstract — a sufficiently random 10-character string beats a passphrase too. It's that passphrases are randomness humans can actually generate and remember reliably, while "complex" passwords built from substitution patterns (@ for a, 0 for o, ! at the end) are guessed effectively by modern cracking tools, which are specifically built to test these substitution patterns first.
| Property | Passphrase | Substituted-word password |
|---|---|---|
| Example | harbor-unusual-pinecone-thirty | P@ssw0rd2024! |
| Typical entropy | ~50–65 bits (4–5 random words) | ~28–40 bits (substitution patterns are predictable) |
| Memorability | High — words are easier to recall than substitution rules | Low — substitution rules are easy to forget or apply inconsistently |
| Resistance to dictionary + rule-based cracking tools | High, if words are chosen randomly rather than as a common phrase | Low — cracking tools are built specifically around common substitution patterns |
| Typing/entry friction | Higher — more total characters to type | Lower — typically shorter |
When a passphrase is the wrong tool
Passphrases aren't automatically superior in every case:
- Random words chosen by a computer, not a person, still need enough words. A 2-word or 3-word passphrase, even from a large word list, can fall below acceptable entropy — see the entropy article for the specific math. Four or more randomly selected words is the practical floor for a password-manager-generated passphrase used as a master password.
- A "memorable phrase" is not the same as a random passphrase. Using a quote, song lyric, or common saying (
itsrainingcatsanddogs) defeats the purpose — these are exactly the kind of predictable, dictionary-adjacent strings breach-screening tools and cracking dictionaries are built to catch. The words must be selected at random from a large pool, not composed as a meaningful sentence. - Highly length-constrained fields. Some legacy systems still cap password length below what a strong passphrase needs (see NIST Password Guidelines on the 64-character minimum NIST recommends verifiers support). Where a system enforces a short maximum, a shorter random string generated by a password manager may be the more practical option.
- System-generated and service-account credentials. For machine-to-machine authentication, a fully random string generated and stored in a secrets manager is simpler to implement correctly than a word-based passphrase, and nothing about memorability matters since no human types it.
Common mistakes
- Choosing words yourself instead of generating them randomly. Even four "random-sounding" words you pick consciously tend to reflect personal associations an attacker with basic knowledge of you could guess faster than pure randomness would suggest. Use a generator — the classic method is physically rolling dice against the Diceware word list, or the Password Generator tool for the same effect digitally.
- Reusing the same passphrase pattern with minor variants across accounts.
harbor-unusual-pinecone-workandharbor-unusual-pinecone-personalare functionally one passphrase, not two — a breach of one exposes the pattern for the other. - Assuming length alone is sufficient regardless of source. A 40-character phrase copied from a book or movie has far less real entropy than a 25-character string of 4 truly random words, because dictionary-and-corpus-based cracking tools specifically test known text.
- Forgetting mobile typing friction when choosing where to require passphrases. A passphrase is a poor fit for a frequently-entered PIN-replacement on a touchscreen device; reserve passphrases for master passwords and infrequently-typed high-value credentials, and lean on a password manager's autofill everywhere else.
Practical recommendation
For anything a person needs to memorize — a device unlock code, a password manager master password, or an account not protected by a password manager — a passphrase of at least four randomly selected words, or the equivalent random length if not using discrete words, is the stronger and more sustainable choice. For everything else, a password manager generating and storing fully random strings removes the memorability trade-off entirely; see the Password Manager Guide.
FAQ
How many words does a passphrase need to be secure? Four words randomly selected from a list of at least a few thousand candidates is a reasonable practical floor for a master password. Fewer words, a smaller word list, or non-random word selection (choosing words yourself rather than generating them) all reduce effective entropy — see Understanding Password Entropy.
Can I add numbers or symbols to a passphrase? It doesn't hurt, but it isn't where the strength comes from, and it adds memorability friction. If a system still enforces composition rules, adding a number or symbol between words satisfies the rule without undermining the passphrase's core strength.
Is a passphrase harder to type than a password? Generally yes, since it's longer. This is a real usability trade-off, not just a security one — for very frequently entered credentials, a password manager with autofill removes the typing burden entirely, which is part of why pairing passphrases with password manager adoption matters.
Related reading
- NIST Password Guidelines
- Understanding Password Entropy
- Password Manager Guide
- Password Generator — generate a random passphrase in seconds
- Download: Password Security Checklist