Skip to content

Passphrase vs password, which should you use

By the Password Rangers teamUpdated 6 min read

Use random character passwords for everything your password manager fills in, and a passphrase for the few secrets you have to type or remember: the manager's master password, your device logins, your Wi-Fi. Random characters give you the most strength per character. Random words give you the most strength per unit of memory. Most people need both.

That's the short answer. The rest of this page shows the numbers behind it, where each option wins, and the specific ways people get each one wrong.

What each one actually is

A password is a string of individual characters picked at random, something like Vq2#mRt8!wLp9$dK. A passphrase is a short sequence of whole words picked at random, something like grape lantern hobby drum saddle mint. Same job, different building block: single characters from a pool of about 86, or whole words from a list of a thousand plus.

Never use either example. They're printed on a public web page, which puts them straight into cracking wordlists. Any password that has ever appeared online is dead on arrival.

The word "random" is doing all the work in both definitions. A passphrase only counts as one if the words come from a genuinely random draw against a real wordlist. The EFF publishes wordlists built for exactly this; the short list has 1,296 words, and each randomly drawn word adds about 10.3 bits of entropy. Words you pick yourself because they feel random don't qualify. People are terrible at faking randomness.

Strength per character vs strength per memory

Sixteen random characters give you about 103 bits of entropy, which no attacker on earth can brute force. Six random words give you about 62 bits, which is much less but still strong, and unlike the 16 character string, you'll actually have it memorized after typing it a handful of times.

Here's what those numbers mean in practice. Using the standard yardstick on this site, an offline attacker guessing 10 billion times per second and finding the answer halfway through the keyspace, 103 bits holds for about 14 trillion years. 62 bits holds for about 8 years. That 8 year figure only applies when the attacker has stolen a password database and can guess offline at full speed. Attacks against a live, rate-limited login run millions of times slower, so a six word passphrase stays comfortably safe for the accounts you sign into by hand. Our guide on how long a password should be walks through the full table.

16 random characters6 random words
Entropy103 bits62 bits
Offline crack timeAbout 14 trillion yearsAbout 8 years
MemorabilityNear zeroGood after a few uses
Typing effortHigh, painful on phonesLow, it's just words
Best useAnything a manager autofillsAnything you must remember

Both options clear the bar in NIST SP 800-63B, which recommends at least 15 characters for any account protected by a password alone. And both embarrass anything people invent themselves, since human-made passwords cluster around names, dates, and keyboard patterns that cracking tools try first. More on that in what makes a strong password.

Where each one wins

Random character passwords win everywhere software does the remembering: web accounts, apps, anything a password manager autofills. Passphrases win in the places autofill can't reach: the manager's own master password, your laptop login, your Wi-Fi network, and anything you have to read out loud or enter with a TV remote.

For managed accounts, the logic is simple. The manager stores and types the secret, so memorability costs you nothing and there's no reason to leave entropy on the table. Generate 16 to 20 characters per account and never look at them again.

Passphrases earn their keep where fingers and memory are involved. Your master password guards every other credential, and it can't live inside the manager it protects, so it has to live in your head. A laptop login gets typed several times a day, and six words flow faster than sixteen symbols. Wi-Fi is a natural fit too: WPA2 and WPA3 accept 8 to 63 characters, a word based key is easy to read out to a guest, and our Wi-Fi password generator covers that case specifically. The same goes for anything pecked into an on-screen keyboard with a game controller, where hunting for symbols is misery and words are quick.

How each one fails

Passwords fail through reuse. Nobody memorizes forty random strings, so people without a manager recycle one or two everywhere, and a single breached site opens all the rest. Passphrases fail through bad sourcing: quotes, lyrics, and personal facts feel random but sit near the top of every cracking wordlist.

The reuse problem is worth spelling out. Attackers take email and password pairs from one site's breach and replay them against hundreds of others, a technique called credential stuffing. A genuinely strong password that's reused is still a weak password, because its secrecy died in someone else's database. The fix isn't more creativity, it's a manager that makes uniqueness free.

The passphrase problem is subtler. "MayTheForceBeWithYou" is 20 characters long and looks impressive, but cracking tools carry phrase dictionaries full of movie lines, song lyrics, and famous sayings, so it falls almost instantly. Even "correct horse battery staple," the comic that popularized passphrases, is in every wordlist now. CISA's guidance asks for four to seven unrelated words, and "unrelated" is the load-bearing requirement. A sentence is related words in a predictable order. A random draw from a wordlist is the only method that reliably produces unrelated ones.

The verdict

Use both, split by job. A password manager generates and stores a long random password for every account. A passphrase of five to seven random words protects the manager itself, your devices, and your Wi-Fi. That's two or three passphrases to memorize in total, with software handling everything else.

Our free strong password generator builds the random character kind in your browser using the Web Crypto API, and the passphrase generator draws words from the EFF list the same way. Generation makes zero network requests in either tool, which you can confirm in your browser's DevTools. If you want word based passwords that also satisfy sites demanding digits and symbols, the memorable password generator is the friendlier middle ground.

Whichever side you land on for a given secret, the rule underneath is the same: let a machine pick it. Everything rests on the randomness, and that's the one part humans can't do by feel.