Passphrase Best Practices
Passphrases offer the best balance between security and memorability. Instead of short, complex passwords, they use a sequence of random words that are easy to recall yet extremely hard to guess.
What is a Passphrase?
A passphrase is a password made of multiple random words, for example:
planet-forest-window-lantern
coffee river sunset mountain
Each additional random word adds bits of entropy, which is a measure of unpredictability, making the overall phrase resistant to brute-force attacks.
Why Choose a Passphrase?
- High entropy. Each random word typically adds about 11 to 13 bits of strength.
- Easier recall. Familiar words are simpler to remember than complex character strings.
- Better usability. People are less likely to write them down or reuse them across accounts.
When generated with a secure wordlist, a five to six word passphrase can exceed the security of a sixteen character random password.
When to Use Passphrases
Choose passphrases whenever you need both strong security and memorability.
Ideal Scenarios
| Situation | Why it’s ideal |
|---|---|
| Master passwords, such as for a password manager | You will type it manually and need to remember it reliably. |
| Encryption keys for files or drives | A long, random, recallable passphrase makes recovery easier without weakening security. |
| SSH, VPN, or GPG keys | Reduces the chance of forgetting while maintaining strong protection. |
| Wi-Fi networks | Easier for family or guests to enter securely without resorting to weak phrases. |
| Personal logins that you memorize, such as email or device admin | Simpler to recall and harder to guess or phish. |
Avoid for
| Situation | Use instead |
|---|---|
| Shared accounts | A strong, random password stored in a password manager. |
| Short-lived or temporary accounts | A simpler unique password is acceptable. |
| Auto-filled accounts | A random password managed by your password manager. |
How Many Words Should You Use?
| Words | Approximate strength | Recommended use |
|---|---|---|
| 3 words | About 39 bits | Only for low-risk uses |
| 4 words | About 52 bits | Medium security |
| 5 words | About 65 bits | Strong |
| 6+ words | 78+ bits | Excellent, suitable for master or encryption keys |
Entropy assumes an EFF Diceware-style list of about 7,776 words.
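The entropy figures in the table follow from one formula: each word drawn uniformly from a list of N words contributes log2(N) bits, so k words give k × log2(N) bits, and fixed separators add nothing. The following Python is an added example written for this page (it is not code from the Passphrase Helper or any other project) that reproduces the table for a 7,776-word list, works out how many words a target strength needs, and generates a phrase with the operating system's CSPRNG. The 16-word list embedded in it is a constructed sample so the code runs offline; it is not the EFF list, and a list that small yields only 4 bits per word.

```python
import math
import secrets

# Size of the EFF long Diceware-style wordlist referenced on the page
# (7,776 = 6^5 words, one per five-dice roll). The list itself is not embedded.
EFF_LONG_LIST_SIZE = 7776

# Constructed sample wordlist so the generator can run offline. It is NOT the
# EFF list; with only 16 entries each word contributes just log2(16) = 4 bits.
SAMPLE_WORDLIST = [
    "planet", "forest", "window", "lantern", "coffee", "river", "sunset", "mountain",
    "candle", "harbor", "meadow", "thistle", "quartz", "velvet", "anchor", "bramble",
]


def bits_per_word(list_size):
    """Entropy contributed by one uniformly chosen word from a list_size-word list."""
    if list_size < 2:
        raise ValueError("wordlist must contain at least two words")
    return math.log2(list_size)


def entropy_bits(num_words, list_size=EFF_LONG_LIST_SIZE):
    """Entropy of num_words words drawn independently (with replacement) from
    list_size unique words. Separators are fixed, so they add nothing."""
    if num_words < 1:
        raise ValueError("a passphrase needs at least one word")
    return num_words * bits_per_word(list_size)


def words_needed(target_bits, list_size=EFF_LONG_LIST_SIZE):
    """Smallest word count whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def strength_table(list_size=EFF_LONG_LIST_SIZE, counts=(3, 4, 5, 6)):
    """Rounded entropy per word count; for the EFF list this matches the page's table."""
    return {n: round(entropy_bits(n, list_size)) for n in counts}


def generate_passphrase(num_words, wordlist, separator="-"):
    """Build a passphrase with the OS CSPRNG via the secrets module, never the
    random module. secrets.choice is unbiased, so every word is equally likely
    and the figure from entropy_bits() actually holds."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate entries make some words more likely than others")
    if num_words < 1:
        raise ValueError("a passphrase needs at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for n, bits in strength_table().items():
        print(f"{n} words from a 7,776-word list: about {bits} bits")
    print("words needed for 77 bits:", words_needed(77))
    print(f"sample phrase ({entropy_bits(5, len(SAMPLE_WORDLIST)):.0f} bits with the "
          f"16-word sample list):", generate_passphrase(5, SAMPLE_WORDLIST))
```

Note that six words from the 7,776-word list come to about 77.5 bits, so a target of exactly 78 bits needs a seventh word; `words_needed` rounds up for that reason. Swap `SAMPLE_WORDLIST` for a real Diceware-style list (one unique word per line) to get the strengths in the table.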
Best Practices
- Use a secure generator. Do not invent phrases yourself. The Passphrase Helper uses browser-only randomness and local wordlists for privacy.
- Avoid meaningful phrases. Phrases such as “ilovemycat” or “sunsetinthewest” are easy to guess. Randomness is what provides security.
- Add separators wisely. Hyphens, spaces, or periods improve readability without reducing strength.
- Never reuse passphrases. Treat each one like a unique key.
- Store securely if needed. Use a password manager or encrypted notes for backups.
- Review critical passphrases periodically. This is especially important for encryption or administrator use.
Print-Friendly Notes
- Keep any printed copy in a secure place that is separate from your computer.
- Do not write your real passphrases on printed sheets.
- Use printed material for training or security awareness only.