Passphrases are powerful — but only when done right. A weak passphrase can be easier to crack than a mediocre password. Here are five rules that separate genuinely strong passphrases from ones that just feel secure.

Rule 1: the words must be truly random

This is the most important rule. "I love my golden retriever" is not a passphrase — it's a sentence. Meaningful phrases, even long ones, are dramatically weaker than random word combinations because attackers model natural language patterns. Use a generator or physical dice. Do not choose words yourself.

Rule 2: use at least four words, five is better

Three random words give ~39 bits of entropy from a 7,776-word list — marginal. Four words give ~52 bits — acceptable. Five give ~65 bits — strong. Six give ~78 bits — excellent for a master password. Never go below four.

Rule 3: don't modify the words to add "complexity"

Adding ! at the end, capitalising words, or substituting letters with numbers does very little for a passphrase. It adds minimal entropy while making the passphrase harder to type and remember. The strength of a passphrase comes from word count and randomness, not character substitution.
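The arithmetic behind Rules 2 and 3, as an added example that is not part of this article: entropy grows by log2(list size) per random word, a dice roll maps to a list index, and a single appended symbol adds far less than one more word. The generator uses `secrets` (a CSPRNG); the small wordlist is constructed for the demo, and the 7,776 figure is the Diceware list size quoted above.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7,776 words: one per five-dice roll, "11111" .. "66666"

# Constructed stand-in for a real wordlist; a genuine Diceware list has 7,776 entries.
SAMPLE_WORDLIST = ["copper", "nylon", "glacier", "ribbon", "tundra", "velvet",
                   "acorn", "harbor", "pencil", "orbit", "quartz", "meadow"]

def entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of `word_count` uniformly random words from a list."""
    return word_count * math.log2(list_size)

def extra_bits_from_tweak(option_count: int) -> float:
    """Entropy gained by one random tweak picked from `option_count` options
    (e.g. appending one of 32 symbols), assuming the tweak itself is random."""
    return math.log2(option_count)

def dice_key_to_index(key: str) -> int:
    """Map a five-digit physical-dice key such as '31526' to a 0-based list index."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError("key must be five digits, each in 1..6")
    index = 0
    for digit in key:           # base-6 number, digits shifted from 1..6 to 0..5
        index = index * 6 + (int(digit) - 1)
    return index

def roll_dice_key() -> str:
    """Simulate five dice with a CSPRNG (never random.choice, never hand-picked words)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def generate_passphrase(wordlist, word_count: int = 5, separator: str = " ") -> str:
    """Rule 1 and Rule 2: random words, at least four of them, one fixed separator."""
    if word_count < 4:
        raise ValueError("use at least four words")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))

if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        print(f"{n} words: {entropy_bits(n):.1f} bits")
    print(f"one extra symbol from 32: {extra_bits_from_tweak(32):.1f} bits "
          f"vs one extra word: {entropy_bits(1):.1f} bits")
    print("dice key 31526 ->", dice_key_to_index("31526"))
    print("demo passphrase:", generate_passphrase(SAMPLE_WORDLIST, 5, "-"))
```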

Rule 4: the separator matters less than you think

Hyphens, spaces, dots — the choice of separator barely affects security. What matters is consistency so you can type the passphrase reliably. Pick one and stick to it. A space is fine. A hyphen is fine. Don't stress about it.

Rule 5: never reuse a passphrase

Passphrases are typically used for things you need to memorise — your password manager's master password, your computer login. That means you'll use them repeatedly. Never use the same passphrase for two different purposes. If one is ever compromised (keylogger, shoulder surfing), the other stays safe.

✅ The benchmark: A five-word random passphrase from our generator scores 4/4 on our strength checker and resists offline attacks for centuries. Generate one now and start practicing it today.