Passphrase vs password
Passphrases (4-7 random words) optimize for memorability. Random-character passwords optimize for entropy density. For master passwords or anything you must memorize: passphrase. For everything else: random characters in a password manager.
What it means
The trade-off is bits-per-keystroke vs memorability. A truly random 20-character password has 130+ bits but is impossible to memorize. A 7-word diceware passphrase has 91 bits and is memorable after a few uses. With diceware, you roll 5 dice for each word and look up the result in a standard 7,776-word list. Famous example: XKCD’s “correct horse battery staple” (4 words, 44 bits). Modern recommendation: 6-7 words for 78-91 bits. Important constraint: the words must be truly random (rolled with dice or generated by a CSPRNG). Picking memorable words yourself reduces entropy dramatically because human choices aren’t uniform.
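The diceware procedure and the entropy arithmetic above, as an added example that is not part of the original page. It assumes a wordlist in "five-digit dice key, whitespace, word" layout and a 94-character printable-ASCII alphabet for random passwords; the function names and the placeholder list are constructed for illustration.

```python
import math
import secrets
from itertools import product

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7,776 possible five-dice rolls
ALL_KEYS = ["".join(p) for p in product("123456", repeat=DICE_PER_WORD)]

def parse_wordlist(text):
    """Parse 'key word' lines (e.g. '43146 <word>') into {key: word}.

    Rejects lists that do not map every roll to a distinct word, because
    the entropy figure assumes exactly 7,776 equally likely outcomes.
    """
    table = {}
    for line in text.splitlines():
        if line.strip():
            key, word = line.split()
            table[key] = word
    if set(table) != set(ALL_KEYS) or len(set(table.values())) != LIST_SIZE:
        raise ValueError("wordlist must map all 7,776 rolls to unique words")
    return table

def roll_key():
    """Simulate five fair dice with the OS CSPRNG, e.g. '43146'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def passphrase(table, n_words):
    """Pick n_words independently and uniformly from the list."""
    return " ".join(table[roll_key()] for _ in range(n_words))

def passphrase_bits(n_words, list_size=LIST_SIZE):
    """Entropy in bits: n * log2(list size), about 12.9 bits per word."""
    return n_words * math.log2(list_size)

def password_bits(length, alphabet_size=94):
    """Entropy of a uniformly random string; 94 = printable ASCII (assumed)."""
    return length * math.log2(alphabet_size)

# Constructed placeholder list so the block runs offline; swap in a real
# 7,776-word list (for example the EFF long list) for actual use.
PLACEHOLDER_LIST = "\n".join(f"{k}\tword{k}" for k in ALL_KEYS)

if __name__ == "__main__":
    table = parse_wordlist(PLACEHOLDER_LIST)
    print(passphrase(table, 6))
    for n in (6, 7):
        print(f"{n} words: {passphrase_bits(n):.1f} bits")
    print(f"20 random chars: {password_bits(20):.1f} bits")
```

The validation step matters because a truncated or duplicated list silently lowers the bits per word while the passphrase still looks the same length.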
Why it matters
Edward Snowden’s masterclass moment was demonstrating diceware to journalists in 2014. Master passwords for password managers MUST be memorable; passphrases solve that. Bank, email, password-manager master, and other rarely typed credentials that must be memorable benefit from passphrases. Daily-use accounts stored in a password manager benefit from random characters (there is no need to memorize them; entropy density matters more for storage efficiency).
Example
Random-character password: <code>qX8#mZ$pK4@nB7&</code> — 16 chars, 105 bits, unmemorizable. Passphrase: <code>correct horse battery staple</code> — 4 words, 44 bits, memorable but weak. Modern: <code>airplane bookshelf cinnamon dolphin elevator forest</code> — 6 words, 78 bits, memorable AND strong.
Frequently asked questions
Can I add my own twist to make it memorable?
Adding capitalization, numbers, or symbols to a passphrase is fine but mostly cosmetic — entropy comes from word count. Don’t reduce word count to compensate.
Are passphrases vulnerable to dictionary attacks?
Only if the attacker knows you used diceware. Even knowing that, 7,776^N attempts for N words is computationally infeasible at N=6+. Passphrases are not the same as dictionary words: they’re chosen at random from a wordlist.
What about EFF’s long wordlist?
EFF maintains a 7,776-word list with longer, easier-to-spell, and less-confusable words. Recommended over the original Reinhold list for English passphrases.