You've probably heard the advice: use a passphrase instead of a password. Four random words like correct-horse-battery-staple are supposedly stronger and easier to remember than a complex password. But is that actually true? Let's look at the math.
What is a passphrase?
A passphrase is a sequence of random words used as a password. The key word is random — words chosen randomly from a large list (like the EFF Diceware list of 7,776 words), not a phrase that means something to you or comes from a song or book.
A meaningful phrase like ilovemydog is not a passphrase — it's a weak password. A passphrase sounds like nonsense: marble-clam-velvet-piston.
The entropy math
Each word chosen uniformly at random from a 7,776-word list contributes about 12.9 bits of entropy (log₂ 7776 ≈ 12.92). Four words give roughly 51.7 bits, five words about 64.6 bits, and six words about 77.5 bits.
A truly random 10-character password drawn from all 94 printable ASCII characters gives about 65.5 bits (10 × log₂ 94), and 12 characters give about 78.7 bits. So a five-word passphrase is roughly equivalent to a random 10-character password, and a six-word passphrase is roughly equivalent to a random 12-character password (just under it: 77.5 versus 78.7 bits). These figures assume the attacker knows the wordlist and the number of words; the security comes from the random choice, not from keeping the scheme secret.
Head-to-head comparison
| Factor | Random Password | Passphrase (4–6 words) |
|---|---|---|
| Raw entropy | Higher per character | Lower per character, but length compensates |
| Memorability | Very hard to memorize | Easier — can create mental images |
| Typing speed | Slow, error-prone | Faster once learned |
| Offline crack resistance | Excellent (random 16+ chars) | Good (5+ words from large wordlist) |
| Dictionary attack risk | None if truly random (no structure to exploit) | Already priced into the entropy figure (the attacker is assumed to have the wordlist); collapses if the words are meaningful or human-chosen |
| Best use case | Manager-stored account passwords | Master password, computer login |
The critical caveat: truly random
The security of a passphrase depends entirely on the words being chosen randomly. Human-selected "random" words are far from random: we're drawn to words we know and use, to related words, and to words that start with common letters, and attackers build their dictionaries from exactly those habits. The effective wordlist shrinks from thousands of equally likely entries to a few hundred likely ones, which dramatically reduces the actual entropy.
The right way to generate a passphrase is to use a tool — like our passphrase generator — that uses a cryptographically secure random source. Or use the EFF's Diceware method with physical dice.
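The entropy figures above and the generation step, worked through in Python as an added example (this is not the article's own generator or any EFF code). The functions compute bits for a given wordlist size and word count, translate between word counts and random-password lengths, map a five-dice roll to a Diceware index, parse the EFF file layout (five dice digits, a tab, the word, which is the real format), and pick words with the OS CSPRNG via `secrets`. The sample list lines are constructed from the article's own example words, not the real 7,776-entry list, and the guess rate passed to `expected_crack_seconds` is a placeholder you must take from a real hash benchmark.

```python
import math
import secrets
from typing import Dict, Sequence

EFF_LARGE_LIST_SIZE = 6 ** 5   # 7776 words, one per five-dice roll
PRINTABLE_ASCII = 94           # printable ASCII characters excluding space


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform selections from `choices` options."""
    if choices < 2 or picks < 1:
        raise ValueError("need at least two choices and one pick")
    return picks * math.log2(choices)


def equivalent_password_length(words: int, wordlist_size: int = EFF_LARGE_LIST_SIZE,
                               alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Length of a uniformly random password over `alphabet_size` with the same entropy."""
    return entropy_bits(wordlist_size, words) / math.log2(alphabet_size)


def words_to_match(password_length: int, alphabet_size: int = PRINTABLE_ASCII,
                   wordlist_size: int = EFF_LARGE_LIST_SIZE) -> int:
    """Fewest random words whose entropy is at least that of the random password."""
    target = entropy_bits(alphabet_size, password_length)
    return math.ceil(target / math.log2(wordlist_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Mean time for an attacker who knows the wordlist and word count: half the keyspace.
    The guess rate depends on the password hash; supply it from a real benchmark."""
    return 2.0 ** bits / 2 / guesses_per_second


def diceware_index(rolls: str) -> int:
    """Map a five-dice roll '11111'..'66666' to a 0-based list index (base 6, digits 1-6)."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("expected exactly five digits in 1-6")
    index = 0
    for c in rolls:
        index = index * 6 + int(c) - 1
    return index


def parse_eff_wordlist(text: str) -> Dict[str, str]:
    """Parse lines of '<five dice digits><TAB><word>' into a rolls -> word table.
    A complete list has 7,776 entries; check len() before relying on the entropy math."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rolls, word = line.split("\t", 1)
        diceware_index(rolls)          # raises on a malformed roll string
        table[rolls] = word.strip()
    return table


def roll_dice(count: int = 5) -> str:
    """Simulated fair dice from the OS CSPRNG. Never use the `random` module for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def passphrase_from_rolls(table: Dict[str, str], rolls: Sequence[str], sep: str = "-") -> str:
    """Deterministic lookup: one word per five-dice roll, joined by `sep`."""
    return sep.join(table[r] for r in rolls)


def generate_passphrase(words: Sequence[str], word_count: int, sep: str = "-") -> str:
    """Uniform selection with replacement via secrets.choice. The entropy is
    word_count * log2(len(words)) only because every word is equally likely."""
    if word_count < 1 or len(words) < 2:
        raise ValueError("need at least two words and one pick")
    return sep.join(secrets.choice(words) for _ in range(word_count))


# Constructed sample in the EFF file layout; these are NOT the real list contents.
SAMPLE_LIST = "11111\tmarble\n11112\tclam\n11113\tvelvet\n11114\tpiston\n"

if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} words: {entropy_bits(EFF_LARGE_LIST_SIZE, n):.1f} bits "
              f"~ {equivalent_password_length(n):.1f} random printable characters")
    # Human-picked words: if the attacker models picks from a ~2,000-word everyday
    # vocabulary, four "random" words are worth only this much.
    print(f"4 human-chosen words from ~2000: {entropy_bits(2000, 4):.1f} bits")
    # 1e9 guesses/s is an assumed placeholder rate, not a measurement.
    print(f"6 words at 1e9 guesses/s: {expected_crack_seconds(77.5, 1e9) / 3.15e7:.0f} years")
    table = parse_eff_wordlist(SAMPLE_LIST)
    print(passphrase_from_rolls(table, ["11112", "11114", "11111"]))
    print(generate_passphrase(list(table.values()), 3))
```

Two things the code makes concrete that the prose only states: `words_to_match(12)` returns 7, so six EFF words fall just short of a random 12-character password, and the entropy of a human-chosen four-word phrase is computed against the attacker's model of your vocabulary, not against the 7,776-word list you never actually sampled from.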
✅ Best of both worlds: Use a password manager with random 18+ character passwords for all your accounts. Use a 6-word random passphrase as your master password — it's strong enough and actually memorable.
When passphrases win
Passphrases are the clear winner in one scenario: passwords you must type and remember without a manager. Your computer login, your password manager master password, your work VPN. For these, a five or six-word passphrase gives you strong security you can actually memorize.
For everything else — email, banking, social media, any site account — a randomly generated password stored in a manager will be longer, higher entropy, and just as secure.