Passphrases beat passwords on every axis except habit — and the math is not close
TL;DR
A four-word passphrase drawn from the EFF long word list has about 51 bits of entropy. A 12-character password drawn from a mixed alphabet (uppercase, lowercase, digit, symbol) has about 76 to 79 bits, depending on how many symbols the verifier allows; the average human remembers neither. Where memorability matters (the master password to a vault, the login you cannot autofill), passphrases win because longer ones are easy. NIST has agreed since 2017. Most password tools have not caught up.
The problem with “strong” passwords
The mental model many people still carry — Tr0ub4dor&3, eight characters, one of each character class, change every 90 days — comes from a 2003 NIST guideline (NIST SP 800-63 Appendix A). Its author, Bill Burr, has publicly said he regrets it. The current guidance (NIST SP 800-63B, first published in 2017 as part of SP 800-63 Revision 3 and carried forward in Revision 4) reads, paraphrased:
- Length is the primary security parameter, not complexity.
- Verifiers should permit at least 64 characters.
- Verifiers should not impose composition rules (require an uppercase, etc.).
- Verifiers should not require periodic rotation absent evidence of compromise.
- Verifiers must screen candidate passwords against a blocklist of breached, dictionary and context-specific values, and must rate-limit online guessing.
The reason: humans cope with complexity by substituting symbols predictably (a → @, s → $, o → 0), which attackers know and bake into their wordlists. Length is harder to game.
The entropy math
Entropy of a randomly chosen password is log2(alphabet_size^length), which simplifies to length * log2(alphabet_size).
| Scheme | Alphabet | Length | Entropy |
|---|---|---|---|
| All lowercase | 26 | 8 | ~38 bits |
| All lowercase | 26 | 12 | ~56 bits |
| Mixed case | 52 | 8 | ~46 bits |
| Mixed case + digits | 62 | 12 | ~71 bits |
| Mixed case + digits + 20 symbols | ~82 | 12 | ~76 bits |
| Mixed case + digits + 20 symbols | ~82 | 16 | ~102 bits |
| EFF long list passphrase | 7,776 words | 4 words | ~51 bits |
| EFF long list passphrase | 7,776 words | 5 words | ~64 bits |
| EFF long list passphrase | 7,776 words | 6 words | ~77 bits |
| EFF long list passphrase | 7,776 words | 7 words | ~90 bits |
The numbers assume uniformly random selection. A passphrase you make up by combining words from your favorite book is not 64 bits — it is much less, because attackers can model your distribution. The EFF and Diceware get to claim the full word count only because each word is drawn by genuine dice rolls (or, in software, a CSPRNG). The EFF dice page is the canonical reference.
The crossover is around 6 words ≈ 12 characters from the full mixed-symbol alphabet (~77 bits on either side). A 7-word passphrase (~90 bits) beats random symbol passwords of up to 14 characters; matching a 16-character one (~102 bits) takes 8 words (~103 bits).

Why “correct horse battery staple” still wins on memorability
Randall Munroe’s xkcd 936 (2011) made the case visually: four common words have far more entropy than a mangled English word with letter substitutions, and the four words are easier to remember. The argument is empirical — human memory is built for episodic narrative, not for character-by-character recall of kT9$xR2!pQzM.
The site’s password generator ships two modes precisely for this:
- Random mode for things you will paste from a password manager once and forget — API keys, server passwords, anything machine-typed.
- Memorable mode for things you must type by hand — your password manager’s master password, full-disk encryption, the SSH passphrase you enter when your terminal asks.
The memorable mode draws words from the EFF list with a CSPRNG, joins them with a separator, and shows the entropy in bits so you can see the cost of dropping from 6 words to 4.
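As an added example (stand-alone Python on the standard library's `secrets` module, not the site's JavaScript generator), here is the arithmetic behind the table and both generator modes together: the entropy formula, the crossover from characters to words, random mode, and memorable mode with the optional digit-and-symbol suffix for verifiers that still enforce composition rules. The 16-word list is a constructed stand-in for the 7,776-word EFF list so that the block runs offline; `EFF_LONG_LIST_SIZE`, `SAMPLE_WORDS`, `FILLER_SYMBOLS` and the function names are this example's own.

```python
import math
import secrets
import string

# Constructed 16-word stand-in for the EFF long list, so the block runs offline.
# A real generator loads the published 7,776-word list; with 16 words each draw
# is worth only 4 bits instead of 12.9, and the functions report that honestly.
SAMPLE_WORDS = ["abacus", "bamboo", "canyon", "dolphin", "ember", "falcon",
                "glacier", "harbor", "island", "jigsaw", "kestrel", "lantern",
                "meadow", "nutmeg", "orchid", "pebble"]
EFF_LONG_LIST_SIZE = 7776                       # 6**5 words, one per five dice rolls
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 chars
FILLER_SYMBOLS = "!@#$%^&*"                     # used only by the composition adapter


def entropy_bits(alphabet_size: int, length: int) -> float:
    """length * log2(alphabet_size): entropy of `length` uniform, independent draws."""
    return length * math.log2(alphabet_size)


def words_to_match(alphabet_size: int, length: int,
                   list_size: int = EFF_LONG_LIST_SIZE) -> int:
    """Fewest list words whose entropy is at least that of a `length`-character
    random string over `alphabet_size` symbols (the crossover in the table)."""
    return math.ceil(entropy_bits(alphabet_size, length) / math.log2(list_size))


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random mode: every character drawn with the OS CSPRNG (secrets.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words, count: int = 6, separator: str = "-",
               add_digit_and_symbol: bool = False):
    """Memorable mode: `count` words drawn uniformly from `words` with secrets.choice,
    returned together with the entropy in bits. add_digit_and_symbol appends one
    random digit and one symbol at fixed positions for verifiers with composition
    rules; that is worth log2(10) + log2(len(FILLER_SYMBOLS)) extra bits, about 6."""
    phrase = separator.join(secrets.choice(words) for _ in range(count))
    bits = entropy_bits(len(words), count)
    if add_digit_and_symbol:
        phrase += secrets.choice(string.digits) + secrets.choice(FILLER_SYMBOLS)
        bits += math.log2(10) + math.log2(len(FILLER_SYMBOLS))
    return phrase, bits


if __name__ == "__main__":
    for size, length in ((26, 8), (62, 12), (82, 12), (94, 12), (82, 16)):
        print(f"{length:2d} chars over {size:2d} symbols: {entropy_bits(size, length):5.1f} bits,"
              f" needs {words_to_match(size, length)} EFF words to match")
    for n in (4, 5, 6, 7, 8):
        print(f"{n} EFF words: {entropy_bits(EFF_LONG_LIST_SIZE, n):5.1f} bits")
    print("random mode:   ", random_password(16))
    phrase, bits = passphrase(SAMPLE_WORDS, 6)
    print(f"memorable mode: {phrase}  ({bits:.0f} bits from the sample list)")
```

The suffix adapter shows why composition rules buy so little: a digit and a symbol at known positions add about 6 bits, less than half of one extra word.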
Where passphrases lose
There are legitimate cases where they are not the right tool:
- Sites that cap password length below ~30 characters. Common, frustrating, and the right response is a random string within the cap, stored in the password manager. Six EFF words plus separators can exceed 40 characters.
- Sites that ban spaces or specific separators. Pick a different separator or drop spaces.
- Sites with strict composition rules. Most passphrase generators add a digit and a symbol on request specifically for this; check yours does.
- Speed of typing on mobile. Six common words on a phone keyboard is slower than 12 mixed characters. If the device is the user’s daily phone and the password is typed often, the friction is real.
When length stops mattering
Past about 90 bits of entropy (Wikipedia: password strength summarizes the cost models), brute force is infeasible for any realistic adversary at any realistic budget. Entropy beyond that is theoretical: long before the attacker exhausts the password space they are stopped by the hash function's cost, the verifier's rate limit, or the second factor.
This is why a 6-word EFF passphrase (~77 bits) is enough for most consumer accounts, and 7-word (~90 bits) is enough for nearly everything. Going to 10 words is fine if you enjoy it; it is not buying you anything practical.
Hashing matters more than the password
If a service stores passwords with a slow, salted hash (bcrypt, scrypt or Argon2 at sane work factors), even a moderately strong password resists offline cracking for a long time. If it stores them as MD5 or unsalted SHA-1, a GPU rig tries on the order of a trillion guesses per second, so a 50-bit password falls within about an hour of a dump and anything drawn from a cracking dictionary within minutes; the missing salt also means every guess is checked against every account in the dump at once.
You cannot inspect what the service uses. The defense is: unique password per site, password manager to store them, and a strong memorable passphrase for the manager itself. That last piece is the only password the user actually has to remember, which is where memorable passphrase generation earns its keep.
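An added example (Python standard library, not code from the page or the site) that puts numbers on this section and on the cost model in the previous one: it measures how many guesses per second an unsalted fast hash and a memory-hard hash allow on the current machine, converts an entropy figure into worst-case exhaustion time, and shows with a constructed three-user dump why a missing salt hurts as much as a missing work factor. The trillion-guesses-per-second rig rate is an order-of-magnitude assumption for GPU MD5/SHA-1 cracking, and the scrypt parameters are commonly published minimums; both are assumptions, not measurements from the page.

```python
import hashlib
import os
import time

# Order-of-magnitude assumption for a multi-GPU rig against MD5/SHA-1, not a
# figure from the page; adjust to the adversary you actually care about.
ASSUMED_GPU_FAST_HASH_RATE = 1e12


def fast_hash(password: bytes, salt: bytes = b"") -> bytes:
    """Unsalted SHA-1, as found in too many breached databases. The salt is ignored
    on purpose: that is the defect being illustrated."""
    return hashlib.sha1(password).digest()


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Salted, memory-hard scrypt where OpenSSL provides it, else PBKDF2-HMAC-SHA256.
    Work factors are commonly published minimums (assumption; tune per deployment)."""
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password, salt, 600_000)


def guesses_per_second(hash_fn, window: float = 0.2) -> float:
    """Single-core guess rate for hash_fn on this machine (always at least one call)."""
    salt = os.urandom(16)
    n, start = 0, time.perf_counter()
    while True:
        hash_fn(b"guess-%d" % n, salt)
        n += 1
        elapsed = time.perf_counter() - start
        if elapsed >= window:
            return n / elapsed


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Worst case for the attacker: all 2**bits candidates tried at `rate` guesses/s."""
    return 2.0 ** bits / rate


def shared_digests(dump: dict) -> int:
    """Accounts whose stored digest also belongs to some other account. With an
    unsalted hash, one successful guess opens every account that shares it."""
    counts = {}
    for digest in dump.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed breach sample: three users, two of whom chose the same password.
    users = {"ann": b"correct-horse-battery-staple", "bob": b"Tr0ub4dor&3", "cy": b"Tr0ub4dor&3"}
    unsalted = {u: fast_hash(p) for u, p in users.items()}
    salted = {u: slow_hash(p, os.urandom(16)) for u, p in users.items()}
    print("accounts sharing a digest, unsalted SHA-1:", shared_digests(unsalted))  # 2
    print("accounts sharing a digest, salted scrypt: ", shared_digests(salted))    # 0
    for bits in (51.7, 77.5, 90.5):
        hours = seconds_to_exhaust(bits, ASSUMED_GPU_FAST_HASH_RATE) / 3600
        print(f"{bits:5.1f} bits against a fast hash on the assumed rig: {hours:.1e} hours")
    slow = guesses_per_second(slow_hash)
    years = seconds_to_exhaust(51.7, slow) / (365.25 * 86400)
    print(f"slow hash on this core: {slow:.0f} guesses/s; 51.7 bits would take {years:.1e} years")
```

The ratio between the two measured rates is the whole argument of this section: the attacker's hardware multiplies both numbers, but the slow hash keeps the gap, and the salt forces that cost to be paid once per account rather than once per dump.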
Two-factor is not optional in 2026
Even a 90-bit passphrase does nothing against phishing, credential stuffing, or session hijacking. Use a second factor wherever offered: preferably a hardware security key (WebAuthn / FIDO2) or, failing that, a TOTP app. SMS is the weakest second factor and should be replaced where possible; NIST SP 800-63B classifies authenticator types and lists one-time codes delivered over the phone network (SMS, voice) as a restricted authenticator.
A strong password is the floor. 2FA is the wall.
Caveats
- Generators are only as good as their RNG. A “memorable password generator” that uses `Math.random()` is not generating high-entropy passwords. Look for `crypto.getRandomValues` (browser) or `secrets.token_bytes` (Python) under the hood. The password generator on this site uses `crypto.getRandomValues` for both modes.
- Word lists must be public. The EFF list is published precisely so attackers can model it — and the math above already accounts for that. A “secret” word list adds nothing to security and breaks the entropy claim if it leaks.
- You will paste the passphrase into things that log clipboard contents. Some OS-level paste managers log forever. Use the password manager’s autofill where possible; clear the clipboard otherwise.
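An added illustration of the RNG caveat (constructed Python, not the site's code): a generator that seeds a non-cryptographic PRNG from the clock produces passphrases whose effective entropy is the size of the time window an attacker has to search, whatever the word count. The time-seeded `weak_passphrase` is the hypothetical mistake under attack, `recover_seed` is the attacker, and the 16-word list stands in for the public EFF list, which the attacker is assumed to have as well.

```python
import math
import random
import secrets
import time

# Constructed 16-word stand-in for the EFF long list; the attacker has the real one too.
WORDS = ["abacus", "bamboo", "canyon", "dolphin", "ember", "falcon", "glacier",
         "harbor", "island", "jigsaw", "kestrel", "lantern", "meadow", "nutmeg",
         "orchid", "pebble"]
SEPARATOR = "-"


def weak_passphrase(count: int, when: float) -> str:
    """Hypothetical broken generator: Mersenne Twister seeded from a timestamp.
    Every word is then a deterministic function of the seed, not a fresh draw."""
    rng = random.Random(int(when))
    return SEPARATOR.join(rng.choice(WORDS) for _ in range(count))


def strong_passphrase(count: int) -> str:
    """Correct generator: each word from the OS CSPRNG (secrets); nothing to replay."""
    return SEPARATOR.join(secrets.choice(WORDS) for _ in range(count))


def recover_seed(target: str, count: int, around: float, window: int = 3600):
    """Attacker's side: knows the list, the word count and the creation time to
    within `window` seconds, and replays every candidate seed until one reproduces
    the observed passphrase. Returns the seed, or None if it is outside the window."""
    centre = int(around)
    for seed in range(centre - window, centre + window + 1):
        if weak_passphrase(count, seed) == target:
            return seed
    return None


def effective_bits(window: int) -> float:
    """Entropy the attacker actually faces: the size of the seed search space."""
    return math.log2(2 * window + 1)


if __name__ == "__main__":
    made_at = time.time()
    victim = weak_passphrase(6, made_at)
    # The attacker only knows the passphrase was generated within the last hour.
    seed = recover_seed(victim, 6, made_at + 900)
    print("recovered seed:", seed, "reproduces passphrase:", weak_passphrase(6, seed) == victim)
    print(f"nominal entropy of 6 words from {len(WORDS)}: {6 * math.log2(len(WORDS)):.1f} bits;"
          f" effective with a clock seed and a one-hour window: {effective_bits(3600):.1f} bits")
    print("CSPRNG version:", strong_passphrase(6))
```

With the real 7,776-word list the nominal figure would read 77.5 bits and the effective one would still be under 13: the word count is irrelevant once the seed is guessable, which is why the check in the bullet above is about the RNG and not the list.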
References
- NIST SP 800-63B — Digital Identity Guidelines, the authoritative US guidance on password verifiers
- EFF Dice-Generated Passphrases — the long word list and instructions
- xkcd 936: Password Strength — the comic that popularized the idea
- Password strength — Wikipedia entropy and attack cost overview
- Diceware — origin of the dice-roll passphrase method