Password vs Passphrase
Discover why random words beat complex symbols for both security and memorability.
The Fundamental Question
Which password is stronger: a traditional password with symbols, or a passphrase of simple words? The passphrase wins by a landslide!
The Famous XKCD Comic
In 2011, XKCD comic #936 popularized the concept that passphrases made of random words are both more secure and easier to remember than traditional "complex" passwords.
The comic contrasts two panels: "The Traditional Advice (WRONG)" and "The Better Way (CORRECT)".
Note: The phrase "correct horse battery staple" is now famous and should NOT be used. Use your own random words!
Interactive Comparison Tool
Try modifying both passwords to see how they compare. Notice how the passphrase provides much more entropy with simple, memorable words.
Interactive tool (not reproduced here): the traditional password and the passphrase are each scored against a high-end GPU attacker; the traditional password is rated hard to remember, the passphrase easy to remember.
Winner: Passphrase
Passphrases provide 2.5× more entropy while being significantly easier to remember!
Why Do Passphrases Work So Well?
Length Matters Most
Each additional character increases the search space exponentially. A 28-character passphrase (even with just lowercase letters) has far more combinations than a 10-character password with all character types.
That's 1 trillion times more combinations!
Random Words Beat Predictable Patterns
Dictionary attacks work by trying common words with common substitutions. But they can't efficiently try all combinations of random words. Four random words from a 7,776-word list = 7,776^4 = 3.7 trillion combinations.
Humans Remember Stories
Our brains are wired for narrative. "correct horse battery staple" creates a mental image of a correct horse using batteries with a stapler. Weird mental images stick! Meanwhile, "P@ssw0rd1!" is just... gibberish.
How to Create a Strong Passphrase
Step 1: Use Random Words
Choose 4-6 random words. Don't use sentences or phrases you've heard before. True randomness is key.
Step 2: Add Separators (Optional)
Add hyphens, spaces, or other separators for readability. Some systems require them.
Step 3: Optional Enhancements
Some sites require numbers or symbols. Add them if needed, but the words alone are already strong!
The Diceware Method
For maximum security, use the Diceware method to select truly random words:
1. Roll five dice and write down the numbers (e.g., 4-3-6-1-5)
2. Look up the corresponding word in the Diceware word list
3. Repeat 4-6 times to build your passphrase
4. Combine the words with separators
This method ensures true randomness because dice rolls are unpredictable. The EFF provides free Diceware word lists online.
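The Diceware procedure above, worked through in code as an added example (not code from the page or from the EFF): each five-dice roll is mapped to an index into a 7,776-entry list, words are joined with a separator, and the entropy is computed the same way for word-based and character-based secrets so the two can be compared. The word list here is a constructed stand-in with only a few entries; a real list fills all 7,776 keys.

```python
import math
import secrets

# Constructed demo word list. A real Diceware/EFF list has 6**5 = 7776 entries keyed
# "11111".."66666"; only a few keys are filled here so the example runs stand-alone.
DEMO_WORDLIST = {
    "11111": "abacus",
    "43615": "quarry",
    "66666": "zoo",
}
LIST_SIZE = 6 ** 5  # 7776 words

def roll_five_dice():
    """Simulate five dice with the OS CSPRNG (secrets), never the non-cryptographic random module."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def dice_to_index(roll):
    """Map a roll written as '43615' or '4-3-6-1-5' to an index 0..7775 (base 6, digits 1..6)."""
    digits = [int(ch) for ch in roll if ch.isdigit()]
    if len(digits) != 5 or any(d < 1 or d > 6 for d in digits):
        raise ValueError("expected five dice values between 1 and 6")
    index = 0
    for d in digits:
        index = index * 6 + (d - 1)
    return index

def lookup_word(roll, wordlist=DEMO_WORDLIST):
    """Return the word for a roll; keys missing from the demo list get a labelled placeholder."""
    key = "".join(ch for ch in roll if ch.isdigit())
    index = dice_to_index(key)  # validates the roll
    return wordlist.get(key, f"<word#{index}>")

def diceware_passphrase(n_words=5, separator="-", rolls=None, wordlist=DEMO_WORDLIST):
    """Build a passphrase from n_words rolls; pass `rolls` to use results from physical dice."""
    if rolls is None:
        rolls = [roll_five_dice() for _ in range(n_words)]
    return separator.join(lookup_word(r, wordlist) for r in rolls)

def words_entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n_words drawn uniformly from list_size words: log2(list_size ** n_words)."""
    return n_words * math.log2(list_size)

def chars_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols over alphabet_size symbols."""
    return length * math.log2(alphabet_size)
```

Only uniformly random choices count toward these bit figures; a phrase picked by hand or taken from a quote has far less entropy than its length suggests.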
Common Misconceptions
"Complex symbols make passwords stronger"
FALSE. "P@ssw0rd1!" looks complex but is based on a dictionary word with predictable substitutions. Length and randomness matter more than symbols.
"Passphrases are vulnerable to dictionary attacks"
FALSE. Dictionary attacks try single words or common phrases. Four random words = trillions of combinations. Passphrases resist dictionary attacks when words are chosen randomly.
"I should use 'correct horse battery staple'"
ABSOLUTELY NOT. This specific phrase is now famous and in every password cracker's dictionary. Use your own random words!
Key Takeaways
- Length beats complexity: Four random words are stronger than a short password with symbols.
- Randomness is crucial: Don't use phrases, quotes, or predictable word combinations.
- Memorability matters: Security is useless if you can't remember the password and resort to weak alternatives.
- Use password managers: For maximum security, let a password manager generate and store truly random passwords.