Password vs Passphrase: Which Should You Use?
A password is any secret string you use to log in. A passphrase is a specific kind of password made of several words — usually four to six — chosen at random, like "cobalt-harbor-thimble-glacier." The distinction matters because passphrases solve the central tension in password security: the strongest passwords are the hardest to remember, and the most memorable ones are the easiest to crack. Passphrases give you both length and memorability at once.
Why passphrases are strong
Strength comes from unpredictability, measured as entropy. A passphrase built from a list of, say, 2,000 possible words gets about 11 bits of entropy per word. Six such words give you roughly 66 bits — comparable to a long random character string, and far beyond what brute force can chew through. The catch is in one word: random. The words must be chosen by something unpredictable, not picked by you. People asked to "think of four random words" tend to choose related, common, grammatically sensible ones — which attackers can model. A generator does not have that bias. Try ours at passphrase generator.
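The arithmetic and the random selection described above, as an added Python example (not code from this site or its generator). It uses the standard-library `secrets` module for the unpredictable choice; the 16-word list is a constructed stand-in for a real list of thousands of words, and the function names are this example's own.

```python
import math
import secrets

# Constructed 16-word sample list; a real generator would load a list of
# thousands of words (the article's example uses 2,000).
SAMPLE_WORDS = [
    "cobalt", "harbor", "thimble", "glacier", "lantern", "otter", "gravel",
    "trumpet", "walnut", "saddle", "meadow", "pylon", "ribbon", "quartz",
    "anchor", "violet",
]


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly, with replacement."""
    if list_size < 2 or word_count < 1:
        raise ValueError("need at least 2 words in the list and 1 word drawn")
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, word_count=6, separator="-"):
    """Pick words with the OS CSPRNG; return (passphrase, entropy in bits)."""
    # Duplicates would skew the odds and overstate entropy, so count unique words.
    unique = sorted(set(words))
    bits = entropy_bits(len(unique), word_count)
    chosen = [secrets.choice(unique) for _ in range(word_count)]
    return separator.join(chosen), bits


if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS, word_count=6)
    print(f"{phrase}  ({bits:.1f} bits from a {len(SAMPLE_WORDS)}-word list)")
    print(f"2,000-word list, 6 words: {entropy_bits(2000, 6):.1f} bits")
    print(f"words needed for 64 bits from 2,000 words: {words_needed(2000, 64)}")
```

The sample list yields only 4 bits per word, which is why list size matters as much as word count: the same six words drawn from 2,000 candidates carry about 65.8 bits.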
Why passphrases are easier to remember
Human memory is built for meaning and imagery, not for symbols. "lantern-otter-gravel-trumpet" can be turned into a vivid mental scene; "j7#Qm!2vP" cannot. That is why passphrases are ideal for the few passwords you genuinely must memorize — chiefly your master password and your device login.
When to use each
- Use a passphrase for passwords you have to type from memory: your master password, your computer login, your phone unlock backup.
- Use a long random password for everything else, because a password manager stores and fills it for you, so memorability does not matter. For those, maximize raw length and character variety with the secure password generator.
Common myths
"correct horse battery staple" means any four words are fine. Not quite — the famous example assumes the words are randomly selected from a large list. Four words you chose yourself may be far weaker.
"Passphrases are too long to type." For the one or two you type regularly, the small extra effort buys a lot of security, and muscle memory kicks in within days. For everything else, the manager types it for you.
"Adding numbers ruins the memorability." You can append a couple of random digits or a symbol to satisfy fussy password rules without hurting recall much.
The bottom line
For the handful of passwords living in your head, use a randomly generated passphrase. For the dozens living in your password manager, use long random strings. On a Mac, Passlock keeps all of them in the encrypted macOS Keychain, offline, so you get the security benefits without the memory burden.
Frequently asked questions
How many words should a passphrase have?
Four words is a reasonable minimum for a strong list; five or six gives a comfortable safety margin, especially for a master password.
Can I make up my own passphrase words?
It is much safer to let a generator pick them. People tend to choose related, predictable words, which lowers the real strength.