- A passphrase is a string of random words, usually four to six. Easy to remember, hard to crack.
- Random words from a list beat clever sentences. The randomness is the security, not the words themselves.
- Use a passphrase for things you must type from memory. Use a generated password for everything else.
- Your password manager master password is the single best place for a strong passphrase.
Both work. They protect different things in different ways. A passphrase is for what you must remember. A password is for what your manager remembers for you. Use both.
Here is the longer version, with the math, the trade offs, and how to make a passphrase that actually holds up.
What a passphrase is
A passphrase is a sequence of words. Not a sentence, not a quote, but a list of unrelated words pulled at random from a big list. A simple example:
marble salmon kettle drift weather
Five words, 32 characters including spaces, easy to type and reasonably easy to remember. Strong enough to stop brute force for centuries.
The technique was popularized by a method called Diceware, designed by Arnold Reinhold in 1995. The idea: take a list of 7,776 words, roll five dice to pick one, repeat until you have enough. Five words gives roughly 64 bits of entropy, six gives 77 bits, seven gives 90 bits.
Why random words beat clever sentences
The first instinct most people have is to make a passphrase memorable by tying it to something meaningful. A song lyric. A movie quote. A line from a favourite book.
This is exactly what attackers expect. Common phrases are in their dictionaries. Cracking tools have entire word lists pulled from popular novels, song lyrics, religious texts, and famous speeches. Once you constrain yourself to grammatical English, the search space collapses.
The strength of a passphrase comes entirely from how randomly the words were chosen. Five words drawn at random from a list of 7,776 give about 64 bits of entropy. Five words from a memorable English sentence might give 20.
Your own choice of words is too predictable. Use a generator that picks words by random number, not your imagination.
When to use a passphrase
Passphrases shine in a specific situation: when you must remember the credential and type it from scratch. The two most common cases are:
- Your password manager master password. If you forget this, you lose every other login. It needs to be strong, memorable, and unique.
- Disk encryption. When you encrypt your laptop with FileVault, BitLocker, or LUKS, the password unlocks the disk. There is no autofill here.
For everything else, you should be using your password manager and a generated random password. The manager will autofill, so memorability does not matter, and a 20 character random string is shorter to store than a memorable phrase.
How to actually generate a passphrase
Do not pick the words yourself. Use a tool that draws from a list with proper randomness. Some options:
- Most modern password managers have a built in passphrase generator.
- The original Diceware word list is free and well documented if you want to roll physical dice.
- Bitwarden, 1Password, and Proton Pass all expose passphrase generation in their apps.
Aim for at least five random words. Six is better. Seven if the account is genuinely critical, like a master password or a recovery key.
Length, in characters, still matters
Some sites have maximum length limits, often 64 or 128 characters. Most passphrases fit. A few sites still have absurd limits like 16 or 20 characters total. For those, you cannot use a long passphrase, so you fall back to a shorter generated random password. Your manager will handle this distinction without you thinking about it.
Adding numbers and symbols
Some systems insist on at least one number and one symbol. The cleanest way to satisfy this is to add them at the end:
marble salmon kettle drift weather 7!
The added entropy is small, but the requirement is met. Do not bother trying to disguise the words with substitutions like replacing o with 0. The cracking tools that do dictionary attacks already try every common substitution. You gain nothing and lose readability.
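The entropy figures quoted above (five, six, seven Diceware words), the advice to let a tool draw words at random, the fallback to a shorter generated password when a site caps length, and the digit-and-symbol suffix for composition rules can all be put to numbers in a few lines. The following Python is an added example, not code from this page or from any of the password managers named. It assumes a constructed 16-word toy list standing in for a real 7,776-word Diceware list (so the toy passphrases it prints are deliberately weak), an eight-character symbol set, and a 62-character alphabet for generated passwords.

```python
import math
import secrets
import string

# Constructed toy word list for the demo (assumption). A real Diceware list
# has 7,776 entries; this 16-word list gives only log2(16) = 4 bits per word.
WORDLIST = [
    "marble", "salmon", "kettle", "drift", "weather", "chevreuil", "hamac",
    "érable", "thunderstorm", "anchor", "pebble", "lantern", "orchard",
    "velvet", "canyon", "harbor",
]
DICEWARE_SIZE = 7776
PASSWORD_ALPHABET = string.ascii_letters + string.digits  # 62 characters (assumed)
SYMBOLS = "!@#$%^&*"  # assumed symbol set for "one number and one symbol" rules


def entropy_bits(word_count, list_size=DICEWARE_SIZE):
    """Entropy of word_count words drawn uniformly from a list of list_size words."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count, wordlist=WORDLIST, sep=" "):
    """Draw each word with the OS CSPRNG via secrets; random.choice is not suitable here."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def satisfy_composition_rule(passphrase, symbols=SYMBOLS):
    """Append one random digit and one random symbol; return (result, bits added)."""
    suffix = secrets.choice(string.digits) + secrets.choice(symbols)
    return passphrase + " " + suffix, math.log2(len(string.digits) * len(symbols))


def generate_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Random password for credentials the manager autofills and you never type."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def credential_for(max_len=None, word_count=6, wordlist=WORDLIST):
    """Passphrase if it fits the site's limit, otherwise a random password of at most
    20 characters, as a manager would decide. Returns (credential, entropy in bits)."""
    phrase = generate_passphrase(word_count, wordlist)
    if max_len is None or len(phrase) <= max_len:
        return phrase, entropy_bits(word_count, len(wordlist))
    length = min(20, max_len)
    return generate_password(length), length * math.log2(len(PASSWORD_ALPHABET))


if __name__ == "__main__":
    for n in (5, 6, 7):
        print(f"{n} Diceware words: {entropy_bits(n):.1f} bits")
    phrase = generate_passphrase(5)
    print("toy passphrase:", phrase, f"({entropy_bits(5, len(WORDLIST)):.0f} bits, toy list)")
    print("with digit+symbol suffix:", satisfy_composition_rule(phrase)[0])
    print("site with a 16-character limit ->", credential_for(16))
```

The entropy function makes the page's point explicit: the same five words carry 64 bits from a 7,776-word list but only 20 bits from the toy list, and the suffix adds a little over six bits, which is why it satisfies a policy without materially strengthening the phrase.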
The Canadian angle
If you are a French speaker, you can build passphrases in French. The principle is identical: a list of common French words, picked at random. The entropy depends on the size of the word list, not the language.
Some bilingual users intentionally mix English and French words. This is fine, as long as the words are still chosen by random selection from a known list, not by personal preference. A mixed phrase such as
chevreuil hamac salmon érable thunderstorm
is no weaker than five random English words, as long as the words were truly chosen at random.
For your password manager master password, write the passphrase down on paper and store it physically. Keep it for two weeks while you build the muscle memory, then destroy it.
The bottom line
A passphrase is a tool for the few credentials you must remember. A generated password is a tool for the hundred or so you should not. Both rely on the same underlying principle: enough randomness, in enough length, to make brute force pointless.
If you adopt only one new habit, make it your password manager master password. Build a six word random passphrase, learn it, and let everything else become a 20 character generated string you never have to think about again. We walk through the full setup in our password manager guide.