Password vs Passphrase: Which Is More Secure?

Young woman in an office at a MacBook deciding whether to use a password or a passphrase
Image: AI‑generated illustration

You’ve probably heard that passphrases are better than passwords — but is that always true? Here’s a clear, practical comparison so you can choose the right option for each account.

TL;DR

Use a passphrase (4–6 random words, add numbers/symbols where allowed) for important accounts. Passwords are fine when required — make them unique, 12+ characters, and save them in a password manager. Always turn on 2FA, and enable passkeys wherever possible.

What is a password?

A password is a short string of characters, typically between 8 and 16, used to secure an account or device. Strong passwords mix upper‑ and lower‑case letters, digits and symbols in an order that is genuinely random, not a dictionary word with predictable substitutions:

Example (good): D7$eT9!qQ5%r
Example (bad/predictable): Summer2025! (season + year + symbol)

The problem? Many people still create short, predictable passwords or reuse the same one across sites. Predictable passwords fall to guessing attacks, and reused ones let an attacker who obtains one breach dump log in everywhere else (credential stuffing).

What is a passphrase?

A passphrase is a longer sequence of words or random text, often 20–30 characters or more. It’s designed to be easier to remember but harder to crack.

Example: Silver-Pizza-Monkey-Runs-Fast!

Because passphrases are longer, they are exponentially harder for automated tools to guess: every extra random word multiplies the search space by the size of the wordlist. That holds only when the words are chosen at random; a quote, lyric or sentence you already know is in the attacker's dictionary too. Adding digits or symbols widens the space further.

Which is more secure?

Passphrases are usually more secure because length increases the search space dramatically. Guidance from standards bodies (for example NIST SP 800‑63B) prioritises length and screening out known‑breached or predictable passwords over arbitrary complexity rules and forced rotation.

A short, complex password can still be strong, but a random 4–6 word passphrase (optionally with digits/symbols) is harder to guess and easier to remember.

Length vs. complexity

Adding characters typically boosts strength more than swapping letters for symbols. Password‑strength estimators like zxcvbn model attacker heuristics and penalise predictable patterns (e.g., P@ssw0rd!), rewarding true randomness.

How strong is a 3, 4, 5 or 6‑word passphrase?

Approximate entropy with a random‑word method is bits ≈ words × log2(wordlist size). Using the ~7,776‑word EFF large Diceware list, that is log2(7776) ≈ 12.9 bits per word:

3 words ≈ 38.8 bits
4 words ≈ 51.7 bits
5 words ≈ 64.6 bits
6 words ≈ 77.5 bits

These figures assume every word is drawn uniformly at random from the list (dice or a cryptographic random number generator), so actual strength depends on the wordlist size and on true randomness; words you pick yourself carry far less entropy than the formula suggests. Adding digits, symbols or separators increases the search space further, though a single symbol from a set of ~32 adds only about 5 bits, compared with ~12.9 for one more random word.

Online vs. offline attacks

Online logins are rate‑limited and often locked after a few attempts, so moderate entropy can be sufficient there. Offline attacks are different: once an attacker has stolen a database of password hashes there is no rate limit, and against a fast hash such as MD5, SHA‑1 or NTLM a GPU rig can test billions of guesses per second (slow hashes such as bcrypt, scrypt or Argon2 cut that to thousands, which raises the cost but does not remove the risk). Favour 5–6 random words (or add digits/symbols) for high‑value accounts and for master passwords, since an encrypted password‑manager vault is exactly the kind of artefact that gets attacked offline.
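The entropy figures above and the online‑versus‑offline comparison can be worked through in code. The following is an added example written for this article, not code from the original post or from the EFF: it computes bits ≈ words × log2(wordlist size), generates a passphrase with the OS CSPRNG, and estimates time‑to‑crack under three assumed attacker speeds (the 10/s, 10^9/s and 10^4/s figures are illustrative assumptions, not measurements). The eight‑word list embedded below is constructed only so the block runs offline; a real generator loads the full 7,776‑word EFF list, and the entropy reported is always computed from the list actually used.

```python
import math
import secrets

# Size of the EFF large wordlist used for Diceware-style passphrases (6^5 = 7776).
EFF_LARGE_WORDLIST_SIZE = 7776

# Constructed toy wordlist so the block runs offline. Entropy of a generated
# passphrase is computed from the size of the list actually used, so this list
# yields far less entropy than the real EFF list.
SAMPLE_WORDLIST = ["silver", "pizza", "monkey", "runs", "fast", "anchor", "beacon", "cobalt"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speeds in guesses per second (illustrative, not measured):
ONLINE_RATE_LIMITED = 10        # throttled login form
OFFLINE_FAST_HASH = 1e9         # stolen MD5/SHA-1/NTLM hashes on a GPU rig
OFFLINE_SLOW_HASH = 1e4         # stolen bcrypt/Argon2 hashes with a tuned cost


def bits_per_word(wordlist_size: int) -> float:
    """Entropy contributed by one uniformly chosen word: log2(wordlist size)."""
    return math.log2(wordlist_size)


def passphrase_entropy_bits(words: int, wordlist_size: int = EFF_LARGE_WORDLIST_SIZE) -> float:
    """bits ≈ words × log2(wordlist size); valid only if every word is uniformly random."""
    return words * bits_per_word(wordlist_size)


def entropy_table(word_counts=range(3, 7), wordlist_size: int = EFF_LARGE_WORDLIST_SIZE) -> dict:
    """Entropy in bits for each word count, e.g. the 3..6-word figures in the article."""
    return {n: passphrase_entropy_bits(n, wordlist_size) for n in word_counts}


def generate_passphrase(words: int, wordlist=SAMPLE_WORDLIST, separator: str = "-") -> str:
    """Pick each word with the OS CSPRNG (secrets); random.choice is not suitable."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def expected_guesses(bits: float) -> float:
    """An attacker searching the whole space needs, on average, half of it."""
    return 2.0 ** bits / 2


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def crack_time_report(words: int) -> dict:
    """Years to crack a `words`-word EFF passphrase under each assumed attacker speed."""
    bits = passphrase_entropy_bits(words)
    return {
        "bits": bits,
        "online": years_to_crack(bits, ONLINE_RATE_LIMITED),
        "offline_fast_hash": years_to_crack(bits, OFFLINE_FAST_HASH),
        "offline_slow_hash": years_to_crack(bits, OFFLINE_SLOW_HASH),
    }


if __name__ == "__main__":
    for n, bits in entropy_table().items():
        print(f"{n} words: {bits:.1f} bits")
    for n in (4, 6):
        r = crack_time_report(n)
        print(f"{n} words: online {r['online']:.3g} y, "
              f"offline fast hash {r['offline_fast_hash']:.3g} y, "
              f"offline slow hash {r['offline_slow_hash']:.3g} y")
    print("sample from the toy list (low entropy):", generate_passphrase(4))
```

Running it shows the point of the section: a 4‑word passphrase (≈51.7 bits) survives a throttled online attack for millions of years but falls to an offline attack on a fast hash in weeks, whereas 6 words (≈77.5 bits) hold up offline as well. Under the assumed speeds the difference between 4 and 6 words is entirely about the offline case.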

When to use each (password, passphrase, passkey)

How to create a strong password or passphrase

Common site limitations (and workarounds)

The bottom line

Both passwords and passphrases can be secure, but in 2025 the safest bet is a long, random passphrase combined with two‑factor authentication, or a passkey where the site offers one. Every extra random character or word multiplies the attacker's work; length only counts when the extra material is unpredictable.

FAQs

Are passphrases always better?

Usually, if they are random and long. A common‑phrase passphrase (e.g., quotes or lyrics) is weaker than a long random password.

Can I use a passphrase everywhere?

Some sites still restrict length or symbols. When a passphrase isn’t allowed, use a long random password from a manager.
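When a site caps length or forbids spaces, the fallback is a random character password that fits the policy. The generator below is an added example for this article, not code from the original post or from any password manager: it draws every character uniformly from the allowed alphabet using the OS CSPRNG and uses rejection sampling to satisfy "at least one of each class" rules, which keeps the output uniform over compliant strings (placing one character of each class and shuffling would bias the distribution). The symbol set and the 12‑character floor are assumptions; adjust them to the site's rules.

```python
import math
import secrets
import string

# Character classes a typical site policy refers to. The symbol set is an
# assumed conservative one that most sites accept; narrow it per site.
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": DEFAULT_SYMBOLS,
}
MIN_LENGTH = 12  # assumed floor; the article recommends 12+ for passwords


def alphabet_for(allowed, symbols: str = DEFAULT_SYMBOLS) -> str:
    classes = {**CLASSES, "symbol": symbols}
    return "".join(classes[c] for c in allowed)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """bits = length × log2(alphabet size), valid for uniformly random characters."""
    return length * math.log2(alphabet_size)


def generate_password(length: int,
                      allowed=("lower", "upper", "digit", "symbol"),
                      required=("lower", "upper", "digit", "symbol"),
                      symbols: str = DEFAULT_SYMBOLS) -> str:
    """Uniformly random password over the allowed alphabet that also contains at
    least one character from every required class (rejection sampling)."""
    if not set(required) <= set(allowed):
        raise ValueError("every required class must also be allowed")
    if length < max(MIN_LENGTH, len(required)):
        raise ValueError(f"length must be at least {max(MIN_LENGTH, len(required))}")
    classes = {**CLASSES, "symbol": symbols}
    alphabet = alphabet_for(allowed, symbols)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in classes[c] for ch in candidate) for c in required):
            return candidate


def fit_site_policy(max_length: int, allows_symbols: bool = True) -> dict:
    """Produce a policy-compliant password and report its entropy so it can be
    compared with the passphrase figures (e.g. 6 EFF words ≈ 77.5 bits)."""
    allowed = ("lower", "upper", "digit") + (("symbol",) if allows_symbols else ())
    pw = generate_password(max_length, allowed=allowed, required=allowed)
    bits = password_entropy_bits(max_length, len(alphabet_for(allowed)))
    return {"password": pw, "bits": bits}


if __name__ == "__main__":
    for max_len, syms in ((16, True), (20, False)):
        r = fit_site_policy(max_len, syms)
        print(f"max {max_len} chars, symbols={syms}: {r['password']} ({r['bits']:.1f} bits)")
```

With this alphabet a 16‑character random password carries about 102.8 bits, more than a 6‑word Diceware passphrase, so a tight length cap is not a security problem as long as the password is random and lives in a manager; what it does cost you is memorability, which is why the passphrase is reserved for the few secrets you must type from memory.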

What about 2FA?

Always enable it. Prefer authenticator apps or security keys (FIDO2/WebAuthn) over SMS where supported: a security key is phishing‑resistant because the credential is bound to the site's origin, whereas SMS codes can be phished or intercepted through SIM swapping. If SMS is the only option, it is still better than no 2FA.

Is “three random words” enough?

Often yes for everyday accounts, especially with case/spacing/digits. For high‑value accounts, consider 4–6 random words or add digits/symbols.

How do I know if my password is weak?

Avoid anything that appears on breach lists, and avoid predictable patterns. Check candidates against a breach corpus such as Have I Been Pwned's Pwned Passwords (its range API takes only the first five hex characters of the SHA‑1 hash, so the password itself never leaves your machine), and run a strength estimator like zxcvbn (used by many apps), which penalises common structures. Remember that estimators are heuristics, not guarantees: a password that passes is not proven strong, but one that fails is certainly weak.
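The checks an estimator performs can be illustrated with a small pattern detector. This is an added example for this article, not zxcvbn's code or the original post's: it undoes the mangling rules attackers apply (lower‑casing, leetspeak substitution, trailing digits and symbols) before comparing against a breach list, and flags the season+year and capitalised‑word+digits+symbol structures mentioned above, keyboard walks and character repeats. The breach list is a constructed seven‑entry stand‑in; a real check uses a full corpus such as HIBP Pwned Passwords. The 12‑character minimum and the leet mapping are assumptions.

```python
import re

# Constructed mini breach list for an offline demo; a real check queries a full
# corpus such as HIBP Pwned Passwords via its k-anonymity range API.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome", "summer2025", "iloveyou"}

# Common leetspeak substitutions applied in reverse, so "p@ssw0rd" -> "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})

SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)(19|20)?\d{2}[^a-z0-9]*$", re.I)
CAPWORD_DIGITS_SYMBOL = re.compile(r"^[A-Z][a-z]+\d{1,4}[^A-Za-z0-9]?$")
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "12345", "qazwsx")
MIN_LENGTH = 12  # assumed floor, matching the article's 12+ recommendation


def candidate_forms(pw: str) -> set:
    """Forms an attacker's mangling rules would try: lower-cased, with trailing
    symbols stripped, with trailing digits and symbols stripped, and each of
    those with leetspeak undone."""
    base = pw.lower()
    forms = {
        base,
        re.sub(r"[^a-z0-9]+$", "", base),   # "summer2025!" -> "summer2025"
        re.sub(r"[^a-z]+$", "", base),      # "p@ssw0rd1!"  -> "p@ssw0rd"
    }
    return forms | {f.translate(LEET) for f in forms}


def weaknesses(pw: str) -> list:
    """Return the list of weak patterns found; an empty list means none of
    these heuristics fired, which is not a proof of strength."""
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("too_short")
    if candidate_forms(pw) & BREACHED:
        found.append("breached_or_mangled_breached")
    if SEASON_YEAR.match(pw):
        found.append("season_year")
    if CAPWORD_DIGITS_SYMBOL.match(pw):
        found.append("capitalised_word_digits_symbol")
    low = pw.lower()
    if any(walk in low for walk in KEYBOARD_WALKS):
        found.append("keyboard_walk")
    if re.search(r"(.)\1{2,}", pw):
        found.append("repeated_characters")
    return found


if __name__ == "__main__":
    for sample in ("Summer2025!", "P@ssw0rd!", "D7$eT9!qQ5%r", "Silver-Pizza-Monkey-Runs-Fast!"):
        print(f"{sample!r}: {weaknesses(sample) or 'no weak patterns found'}")
```

The two "bad" examples from the article both trip several checks at once: "Summer2025!" is short, matches the season+year shape and is in the breach list once the trailing symbol is dropped, and "P@ssw0rd!" reduces to "password" as soon as the leet substitutions are reversed. The random password and the random passphrase from the article trip none of them.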


