Passphrases vs Passwords: Which Is Actually More Secure?
For years, the advice was: use a complex password with uppercase letters, numbers and symbols. That guidance has quietly shifted. Passphrases — sequences of random words — are now recommended by security researchers and government agencies alike. Here is the case for each and when to use which.
What is a passphrase?
A passphrase is a series of random words used as a credential — for example, copper-falcon-river-42 or umbrella.toast.bridge.seven. Unlike traditional passwords, the words are chosen at random (not by you) from a large word list. The randomness is the critical part. A passphrase made from words you chose yourself — your favourite places, your children's names — is not a passphrase in the security sense; it is just a long, weak password.
The concept was popularised by security researcher Diceware in the 1990s and has been endorsed more recently by NIST (the US National Institute of Standards and Technology) in its Special Publication 800-63B guidelines.
The entropy argument explained simply
Security researchers measure password strength in bits of entropy — a number that represents how many guesses an attacker would need to try before statistically finding your credential. Higher entropy means more guesses required, which means more time needed, which means better security.
Here is how passphrases compare to traditional passwords:
| Credential type | Example | Approximate entropy |
|---|---|---|
| 8-char complex password | P@ssw0rd! | ~18 bits (dictionary word — effectively 0) |
| 8-char random password | Kx#7mP!q | ~52 bits |
| 4-word passphrase (2,000 word list) | copper-falcon-river-42 | ~44 bits |
| 4-word passphrase (7,776 word list) | chair-marble-thunder-bright | ~51 bits |
| 16-char random password | Kx#7mP!qL2nV@wRj | ~105 bits |
| 5-word passphrase (7,776 word list) | chair-marble-thunder-bright-oak | ~64 bits |
The key insight: a 4-word passphrase from a large word list is roughly as strong as a good 8-character random password. A 5-word passphrase beats it. And passphrases are vastly easier to remember.
Where passphrases have the advantage
Passphrases win in situations where you need to actually remember the credential. The most important use case is your password manager's master password. You cannot store that one inside the manager itself, so you need to be able to recall it. A 5-word random passphrase like marble.thunder.falcon.kettle.27 is both secure and something a human brain can retain.
They are also better for credentials you type regularly on devices where autofill doesn't work — lock screen PINs for some systems, server login credentials, encryption passphrases for encrypted drives. Four or five random words are far easier to type accurately under pressure than a string of random characters.
Passphrases are also more resistant to shoulder surfing — someone watching you type. Random characters need to be entered carefully; words can be typed with more natural rhythm and confidence.
Where random passwords have the advantage
For any account you store in a password manager (which should be most of them), a 16-20 character random password beats a passphrase on pure entropy. The strength advantage compounds with length, and since you do not need to remember the credential, there is no memorability trade-off to make.
Random passwords also sidestep dictionary attacks entirely. Some attackers maintain wordlists specifically designed to crack passphrases — lists of common English words combined in ways that match passphrase patterns. A truly random string of characters cannot appear in any wordlist.
What NIST actually says
NIST's 2017 and 2024 updates to its digital identity guidelines made significant changes to conventional password advice. The key recommendations relevant here: prioritise length over complexity, stop forcing users to include specific character types, and stop requiring regular password changes unless there is evidence of compromise. The guidance also explicitly endorses passphrases as a valid and often preferable approach, particularly for credentials that need to be memorised.
The old model — 8 characters minimum, one uppercase, one number, one symbol, change every 90 days — has been largely retired by serious security organisations. What replaced it is simpler: make it long, make it random and do not reuse it.
The verdict
Use random passwords (stored in a password manager) for most of your accounts. Use a passphrase for anything you genuinely need to memorise — your password manager master password, device encryption keys and anything else where you cannot rely on autofill. Both approaches are meaningfully more secure than most people's current passwords, and the right answer depends more on the situation than on which type is abstractly "better".
Generate a random passphrase
Our passphrase generator uses a 2,000-word list and your browser's cryptographic randomness to produce passphrases that are genuinely unpredictable. Choose your word count and separator.
Open Passphrase GeneratorThis article is for general informational purposes. Security requirements vary by context. For enterprise or high-security environments, consult a qualified security professional.