Which is stronger: a passphrase or a random character password of the same length?

A random character password is marginally stronger per character than a passphrase, because the character set is larger (95 printable ASCII characters vs approximately 12.9 bits per word from a 7,776-word list). However, passphrases are typically much longer in characters — a 4-word passphrase is 20–30 characters, far exceeding most random character passwords in total entropy. At equal length, random characters win; at equal memorability, passphrases win decisively because users can remember longer passphrases than random character strings.

What attack types are passphrases vulnerable to?

Passphrases are vulnerable to wordlist attacks where an attacker attempts common word combinations — but only if the passphrase is short (two or three predictable words) or if the words are not randomly selected. A 4-word passphrase from a 7,776-word list has 7,776⁴ = approximately 3.6 × 10¹⁵ possible combinations — comparable to a strong 10-character random password. Longer passphrases resist all current computational attacks. The weakness of passphrases is human word selection, not the concept itself.

When should I use a random character password instead of a passphrase?

When there is a character limit that prevents a sufficiently long passphrase (some older systems still limit passwords to 8–12 characters), a random character generator produces more entropy per character. For any account allowing 20+ characters, a 4-word passphrase is a strong choice. For encryption keys and cryptographic passphrases (GnuPG, VeraCrypt, BitLocker), a 6-word passphrase or 32+ character random string is recommended.

Do password managers prefer passphrases or random character passwords?

Password managers treat both identically — they store and autofill either type without preference. For the manager's master password (the one you must remember), a 5-6 word passphrase is recommended over a random character string because it provides sufficient entropy while being memorisable without writing it down. For all other accounts stored in the manager, randomly generated 20+ character passwords are the best choice because memorability is irrelevant.

How does a site's password policy affect whether I can use a passphrase?

Many sites still enforce complexity rules (uppercase, symbol, number required) that a pure passphrase may not satisfy. The Passphrase Maker allows adding a number and symbol to any generated passphrase to satisfy these requirements without significantly reducing memorability. Sites that limit password length below 20 characters are a security concern — this often indicates plaintext password storage or very old systems.

Are Passphrases More Secure Than Passwords?

The passphrase vs password debate is often framed as a binary choice, but the practical answer depends on how each is used. A randomly generated character password stored in a manager beats a carelessly chosen passphrase. A carefully generated passphrase beats a predictably constructed "complex" password every time. Understanding the entropy mechanics makes the right choice obvious in each context.

Entropy Per Character

Random character password (95 printable ASCII): log₂(95) ≈ 6.57 bits per character. A 20-character random password provides ~131 bits of entropy — sufficient for any foreseeable attack.

Passphrase from a 7,776-word list: log₂(7,776) ≈ 12.92 bits per word. A 4-word passphrase provides ~51.6 bits. The passphrase is longer in characters but lower in entropy per character — because the effective alphabet is "words", not "characters".

The Memorability Advantage

The critical asymmetry is memorability. Research on password manager adoption consistently shows that users who cannot memorise their credentials either write them down insecurely, reuse them, or choose weak memorisable alternatives. A passphrase of four common words is memorised in one session and retained long-term. A 20-character random string rarely is. For any credential that must be memorised — a master password, a device unlock code, an encryption passphrase — passphrases provide far better entropy at the memorisable length.

Credential type	Recommendation	Why
All stored-in-manager accounts	20+ char random string	Manager handles memorability; maximize entropy
Password manager master	5–6 word passphrase	Must be memorised; passphrase is the only viable option at sufficient entropy
Device PIN / screen lock	8+ digits or 4+ word passphrase	Must be entered quickly, often physically observed
Encryption key (GnuPG, VeraCrypt)	6+ word passphrase or 32+ char random	High entropy required; may need to enter occasionally

The Verdict

For accounts where memorability is irrelevant (stored in a password manager), use randomly generated character passwords — they provide more entropy per character. For credentials that must be memorised, use a randomly generated passphrase of four or more words. The two approaches are complements, not competitors — the correct security posture uses both in their appropriate contexts.

passphrase entropy password security comparison NIST

For informational purposes only. Password security requirements vary by context — consult your organisation's security policy and current NCSC/NIST guidance for your specific environment.

← The Science Behind NCSC's Three Random Words What Is Diceware and How Does It Work? →