The most common question about passphrases is the most straightforward one: how many words? The answer depends on what you are protecting, who might try to crack it, and how you generate the words. A 3-word passphrase from a small dictionary is quite different from a 5-word passphrase using Diceware's 7,776-word list. The difference is measured in bits of entropy, and those bits determine how long your passphrase resists attack.
The Entropy Calculation: How Bits Translate to Security
Entropy is measured in bits. Each bit doubles the number of possible passphrases an attacker must try. A passphrase with 40 bits of entropy has 2^40 possible combinations, roughly a trillion. That sounds like a lot, but modern cracking hardware can test billions of guesses per second. The NIST SP 800-63B guideline recommends a minimum of 30 bits for memorised secrets, while security researchers typically recommend 40+ bits for everyday use and 60+ bits for high-value accounts.
The formula is simple: entropy = log2(wordlist_size^word_count), which is the same as word_count × log2(wordlist_size). A 3-word passphrase from a 1,000-word list gives 30 bits. A 4-word passphrase from a 7,776-word Diceware list gives 51.6 bits. The difference is more than a million-fold in cracking difficulty.
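As an added example (not code from the original article), the calculation above carried through for the word counts and list sizes discussed on this page, with an expected-time-to-crack estimate. The two guess rates are constructed illustration values, not measurements: a rate-limited online login versus offline cracking of a stolen fast hash.

```python
import math

# Constructed guess rates (illustration only, not benchmarks):
# a throttled online login endpoint versus a GPU rig attacking a fast, unsalted hash.
RATES = {"online": 1e2, "offline": 1e10}


def entropy_bits(wordlist_size, word_count):
    """entropy = log2(wordlist_size ** word_count) = word_count * log2(wordlist_size)."""
    if wordlist_size < 2 or word_count < 1:
        raise ValueError("need a list of at least 2 words and at least 1 word")
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find the passphrase: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2 / guesses_per_second


def years(seconds):
    return seconds / (365.25 * 24 * 3600)


def compare(word_counts=(3, 4, 5, 6), list_sizes=(100, 1000, 7776, 10000)):
    """Rows of (list size, word count, bits, expected offline years, expected online years)."""
    rows = []
    for size in list_sizes:
        for n in word_counts:
            bits = entropy_bits(size, n)
            offline = years(expected_crack_seconds(bits, RATES["offline"]))
            online = years(expected_crack_seconds(bits, RATES["online"]))
            rows.append((size, n, round(bits, 1), offline, online))
    return rows


if __name__ == "__main__":
    for size, n, bits, offline, online in compare():
        print(f"{n} words from a {size:>5}-word list: {bits:5.1f} bits; "
              f"offline ~{offline:.3g} years, online ~{online:.3g} years")
```

The offline column is what matters for stolen hash databases: at the constructed rate, a 40-bit passphrase falls in about a minute, while 5 words from a 7,776-word list take centuries.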
3-Word Passphrases: Adequate for Low-Risk Accounts
Three random words chosen using the NCSC's recommended approach (with a substantial word list of 10,000+ words) provide approximately 40 bits of entropy. This is adequate for personal accounts that are not high-value targets: social media profiles, forum accounts, newsletter subscriptions, and similar low-risk services.
However, three words is not sufficient for banking, email, or any account whose compromise would cause significant harm. The margin between 40 bits and practical cracking is narrowing as GPU-based password cracking becomes faster. In our testing, a 3-word passphrase from a 10,000-word list resists online attacks well but is increasingly vulnerable to offline cracking of stolen hashes.
4-Word Passphrases: The Personal Sweet Spot
Four words is where passphrases become genuinely practical for everyday security. Using a 7,776-word Diceware list, a 4-word passphrase provides 51.6 bits of entropy. Using a larger word list of 15,000 words, it provides 55.8 bits. This is the sweet spot because it is still memorable (most people can recall 4 unrelated words with 2-3 days of practice) while providing security that resists all practical attacks for years.
For personal email, password manager master passwords, and device encryption, 4 words is the recommended minimum. The EFF's passphrase guidance specifically recommends 4-word Diceware passphrases for personal use.
5-Word Passphrases: Enterprise and High-Security
Five random words from a 7,776-word list provide 64.6 bits of entropy. This is the standard recommended for enterprise environments, system administrator accounts, and any credential that protects sensitive business data. At this level, the passphrase cannot be cracked by any known or foreseeable technology within a human lifetime.
Five words are harder to memorise than four, but mnemonic techniques help. Create a short story linking the words, or practice typing the passphrase 3-5 times per day for a week. Most users find they can recall a 5-word passphrase reliably after 5-7 days of regular use.
6+ Words: When You Need Maximum Protection
For master passwords on enterprise password managers, cryptocurrency wallets, or classified systems, 6 or 7 words provide 77-90 bits of entropy. This is overkill for most use cases: the weakest link in the security chain is no longer the passphrase itself but the system protecting it.
The Diceware method was originally designed with 5 words as the recommended minimum. Six words, as proposed in the original Diceware paper, is the paranoid option: mathematically uncrackable by any realistic threat model for the foreseeable future.
Why Word List Size Matters as Much as Word Count
A 3-word passphrase drawn from a 100-word list provides just 20 bits of entropy, which is trivial to crack. The same 3-word passphrase from a 10,000-word list provides 40 bits. The word list is as important as the word count. Always use lists of at least 7,000 words. The EFF's large word list (7,776 words) and the original Diceware list (7,776 words) are the industry standards.
Never let users choose their own words. Human-selected words follow predictable patterns (favourite food, pet name, spouse's name) that reduce entropy to near zero. The entire point of a passphrase is the random selection, not the words themselves.
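As an added example (not code from the original article), a generator that performs the random selection with the operating system's CSPRNG rather than letting a person pick. The five-dice index mapping is Diceware's own lookup convention (6^5 = 7,776 entries, one per roll); the six-word list is a constructed stand-in for a real 7,776-word list.

```python
import secrets

# Constructed stand-in for a real list. EFF's large list and the original
# Diceware list each have 6**5 = 7776 entries, one per five-dice roll.
SAMPLE_WORDS = ["cabin", "lemon", "orbit", "quilt", "raven", "tulip"]


def diceware_index(rolls):
    """Map five dice rolls (each 1-6, most significant first) to a 0-based
    index into a 7,776-word list: roll 11111 -> 0, roll 66666 -> 7775."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls in the range 1-6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_dice(n=5):
    """Simulate n physical dice with the OS CSPRNG (secrets, never random)."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def generate_passphrase(wordlist, word_count, separator=" "):
    """Pick word_count words uniformly at random, with replacement, so that
    the entropy really is word_count * log2(len(wordlist))."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list has duplicates; its entropy would be overstated")
    if word_count < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    rolls = roll_dice()
    print("dice:", rolls, "-> list index", diceware_index(rolls))
    print("passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The `random` module's default generator is predictable and must not be used for credentials; `secrets` draws from the OS entropy source.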
FAQs
Is a 3-word passphrase from the NCSC method secure for email?
The NCSC's 3-random-words approach provides approximately 40 bits of entropy when drawn from a sufficiently large word list. This is adequate for low-risk accounts, but most security researchers recommend 4 words (51+ bits) for email and other sensitive accounts.
How long should a passphrase be in characters?
Character count is less important than word count and word list size. A 4-word Diceware passphrase averages 24-28 characters. That length naturally exceeds the minimum requirements of any password policy while remaining memorisable.
Can I use the same passphrase on multiple accounts?
No. Each account must have a unique passphrase. Use a password manager to store different passphrases for each service. The passphrase you memorise is only for the password manager master vault.
What happens if I forget my passphrase?
If you forget your password manager master passphrase, there is no recovery; that is the point. Most password managers provide a one-time recovery code at setup. Write that code down and keep it somewhere physically secure, such as a safe or with a solicitor.