Reference Guide

Passphrases: The Complete Guide

Everything you need to know about passphrases — how they work, why they're more secure than traditional passwords, and how to generate them with BIP39.

What Is a Passphrase?

A passphrase is a password made up of several words chosen at random from a wordlist, instead of random characters. For example: velvet-cricket-glacier-quantum-echo. At the same number of bits of entropy a passphrase is far easier to memorise than a random character string, and because it is memorable you can afford to give it more entropy than most people manage to carry in a typed password.

The method was popularised by Arnold Reinhold's Diceware (words chosen with physical dice from a numbered list). BIP39 (Bitcoin Improvement Proposal 39) later fixed a 2048-word English list, originally for mnemonic wallet seed phrases, that is now widely reused for passphrase generation.

Why Passphrases Are Stronger

The Entropy Advantage

A truly random 8-character password drawn from the 95 printable ASCII characters (uppercase, lowercase, digits, symbols) has 8 × log₂(95) ≈ 52.6 bits of entropy. A 5-word passphrase drawn from a 2048-word list (BIP39) has 5 × log₂(2048) = 55 bits: comparable security, but far easier to remember. Both figures assume every character or word is chosen uniformly at random; a password a human invents is worth far less than its length suggests.

Method        | Length   | Entropy  | Example
Random chars  | 8        | ~52 bits | k9&Xp_#2
Random chars  | 12       | ~79 bits | k9&Xp_#2vQ!m
Passphrase    | 4 words  | 44 bits  | glacier-quantum-echo-velvet
Passphrase    | 5 words  | 55 bits  | velvet-cricket-glacier-quantum-echo
Passphrase    | 6 words  | 66 bits  | velvet-cricket-glacier-quantum-echo-harbor

Human Memory vs Computer Guessing

Humans remember stories and word sequences naturally. The phrase “velvet cricket glacier” creates a mental image that’s easy to recall. The string “k9&Xp_#2” does not.

Meanwhile, an attacker who knows the wordlist, the word count and the separator (the only safe assumption) still has to search the whole space. With a 2048-word list and 5 words there are 2048^5 = 2^55 ≈ 3.6 × 10^16 possible passphrases, and on average half of them must be tried before the right one turns up.

The BIP39 Standard

BIP39 defines a standardised list of 2048 English words specifically chosen for:

  • No ambiguity — words are 3 to 8 characters long and the first four characters uniquely identify each word, so typing or auto-completing a prefix is enough
  • Common vocabulary — words are familiar and easy to spell
  • Distinct from each other — similar-sounding or similar-looking words are avoided

Safe Pass Guru uses the complete BIP39 English wordlist for passphrase generation.

Entropy Per Word

Each word drawn uniformly from the BIP39 list adds 11 bits of entropy (log₂(2048) = 11), so the total is simply 11 × number of words:

  • 3 words = 33 bits (weak: only for low-value, rate-limited logins)
  • 4 words = 44 bits (fair: reasonable for most websites)
  • 5 words = 55 bits (strong: the recommended default)
  • 6 words = 66 bits (very strong: high-security applications)
  • 7+ words = 77+ bits (excellent: master passwords, crypto wallets)

These ratings assume an offline attack against a properly hashed password. Where the password protects a fast, unsalted hash or an encryption key that can be attacked directly, lean towards the higher end.
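As an added example (not code from the page or from Safe Pass Guru), here is a generator that applies the rules above end to end: it validates a candidate wordlist against the BIP39 properties (2048 entries, no duplicates, first four characters unique), draws words with the operating-system CSPRNG through Python's `secrets` module, and reports entropy as words × log₂(wordlist size). The 16-word sample list is constructed so the example runs offline and is not the BIP39 list; the `english.txt` path used for the real list is an assumption.

```python
"""Passphrase generation from a BIP39-style wordlist (added example).

The SAMPLE_WORDS list below is constructed for illustration only; it is
not the BIP39 list.  For real use pass the 2048-line english.txt from the
BIP39 repository to load_wordlist().
"""
import math
import secrets

# Constructed sample: 16 words, no duplicates, distinct first-four-letter
# prefixes, so it passes every check except the 2048-word size rule.
SAMPLE_WORDS = [
    "velvet", "cricket", "glacier", "quantum", "echo", "harbor",
    "lantern", "meadow", "orbit", "pepper", "ribbon", "saddle",
    "timber", "umbrella", "walnut", "zebra",
]


def validate_wordlist(words, expected_size=2048):
    """Return a list of problems found (an empty list means the list is usable).

    Checks the BIP39 properties the text describes: exact size, no
    duplicates, plain lowercase ASCII entries, and that the first four
    characters identify each word uniquely.
    """
    problems = []
    if len(words) != expected_size:
        problems.append(f"expected {expected_size} words, got {len(words)}")
    if len(set(words)) != len(words):
        problems.append("duplicate words present")
    for w in words:
        if w != w.strip() or not (w.isascii() and w.isalpha() and w.islower()):
            problems.append(f"malformed entry: {w!r}")
    by_prefix = {}
    for w in words:
        other = by_prefix.setdefault(w[:4], w)
        if other != w:
            problems.append(f"prefix clash: {other!r} / {w!r}")
    return problems


def load_wordlist(path):
    """Read one word per line and refuse to use a list that fails validation."""
    with open(path, encoding="utf-8") as fh:
        words = [line.strip() for line in fh if line.strip()]
    problems = validate_wordlist(words)
    if problems:
        raise ValueError("unusable wordlist: " + "; ".join(problems))
    return words


def entropy_bits(wordlist_size, n_words):
    """Entropy of n_words picks with replacement from a uniform wordlist."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(words, n_words=5, sep="-"):
    """Draw n_words uniformly with the OS CSPRNG (secrets.choice).

    Sampling is with replacement: a repeated word is allowed, which is what
    keeps every pick worth log2(len(words)) bits.  Nothing is filtered or
    reordered afterwards, per "don't modify the output".
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # Assumed path to the real BIP39 list; fall back to the constructed
    # sample (with far lower entropy per word) when it is not present.
    try:
        words = load_wordlist("english.txt")
    except OSError:
        words = SAMPLE_WORDS
    phrase = generate_passphrase(words, 5)
    print(phrase, f"({entropy_bits(len(words), 5):.1f} bits)")
```

The validation step matters more than it looks: a wordlist that has been edited, deduplicated badly, or saved with stray whitespace silently lowers the entropy of everything generated from it, and a prefix clash defeats the four-letter autocomplete property that wallets rely on.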

Best Practices

Separator Choice

Use a separator between words so the passphrase parses unambiguously. Without separators, "notepad" could be "note" + "pad" or the single word "notepad". A fixed separator adds no entropy (the attacker knows it); its job is to make the phrase easy to read, type and verify.

  • Hyphen (-) — most common, easy to type: word-word-word
  • Underscore (_) — URL-friendly: word_word_word
  • Period (.) — compact: word.word.word
  • Space — natural reading: word word word

Capitalisation

Capitalising the first letter of every word (Velvet-Cricket-Glacier) makes a passphrase easier to read, but it adds no entropy: an attacker who knows the rule applies it once to every candidate. Capitalisation only adds entropy when the generator decides for each word, at random, whether to capitalise it, which is worth one bit per word.

Adding Numbers

Appending digits adds entropy only when the generator chooses, with its CSPRNG, which words get a digit and which digit: each random digit adds log₂(10) ≈ 3.3 bits, and the random choice of position adds a little more. For example: velvet42-cricket-glacier7. A number you pick yourself (a year, "1", "42") adds almost nothing, because rule-based cracking tools try such appends automatically.
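To make the accounting for these modifiers concrete, here is an added example (not from the page or from Safe Pass Guru) that applies capitalisation and digit modifiers the right way: every decision is made by the CSPRNG, and the function returns the number of bits it actually added. The count assumes the attacker knows the scheme (wordlist, separator, which modifiers are enabled and how many digits), which is the only safe assumption. The base passphrase is the page's own 55-bit example; the function names and parameters (`random_caps`, `digit_positions`, `digits_each`) are this example's.

```python
"""Entropy accounting for passphrase modifiers (added example)."""
import math
import secrets

_rng = secrets.SystemRandom()  # OS CSPRNG; never use random.Random for this


def modifier_bits(n_words, random_caps=False, digit_positions=0, digits_each=1):
    """Bits added by the modifiers, assuming the attacker knows they are in use.

    - fixed rules ("capitalise every word") add 0 bits and are not counted;
    - a random capitalise/don't decision per word adds 1 bit per word;
    - choosing which digit_positions words get digits adds log2(C(n, k));
    - each random digit adds log2(10) bits.
    """
    bits = 0.0
    if random_caps:
        bits += n_words
    if digit_positions:
        bits += math.log2(math.comb(n_words, digit_positions))
        bits += digit_positions * digits_each * math.log2(10)
    return bits


def capitalize_fixed(words):
    """Readability only: deterministic, so an attacker tries it once. 0 bits."""
    return [w.capitalize() for w in words]


def apply_modifiers(base, sep="-", random_caps=False, digit_positions=0, digits_each=1):
    """Return (modified passphrase, bits added) for a generator-produced base.

    All decisions come from the CSPRNG; nothing is chosen by the user, so the
    returned bit count is honest.
    """
    words = base.split(sep)
    n = len(words)
    if digit_positions > n:
        raise ValueError("more digit positions than words")
    if random_caps:
        # One fair coin flip per word: 1 bit each.
        words = [w.capitalize() if _rng.getrandbits(1) else w for w in words]
    if digit_positions:
        # Pick which words get digits (log2(C(n, k)) bits), then the digits.
        for i in _rng.sample(range(n), digit_positions):
            words[i] += "".join(str(_rng.randrange(10)) for _ in range(digits_each))
    return sep.join(words), modifier_bits(n, random_caps, digit_positions, digits_each)


if __name__ == "__main__":
    base = "velvet-cricket-glacier-quantum-echo"  # the page's 55-bit example
    print("-".join(capitalize_fixed(base.split("-"))), "+0.0 bits")
    for kwargs in ({"random_caps": True},
                   {"digit_positions": 2},
                   {"random_caps": True, "digit_positions": 2, "digits_each": 2}):
        phrase, extra = apply_modifiers(base, **kwargs)
        print(phrase, f"+{extra:.1f} bits")
```

Note the scale: random capitalisation of a 5-word phrase buys 5 bits, two random single digits about 10 bits, while one more word buys 11 bits and costs nothing in readability. The modifiers are a way to satisfy a site's "must contain uppercase and a digit" rule without weakening the phrase, not a substitute for length.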

Security Considerations

  • Always use a CSPRNG — never pick words yourself. Humans are terrible at randomness and tend to pick common words or patterns.
  • Don’t modify the output — swapping words, removing words, or changing spelling reduces entropy.
  • Use enough words — at minimum 4 for general use, 5+ for important accounts, 6+ for master passwords.
  • The wordlist matters — a larger wordlist means more entropy per word, but BIP39’s 2048 words provide an excellent balance.

Passphrases vs Passwords

Feature                 | Passphrase                    | Password
Memorability            | Excellent                     | Poor
Typing speed            | Good                          | Slow (symbols)
Entropy per character   | Lower                         | Higher
Resistance to guessing  | Grows 11 bits per word        | Grows ~6.6 bits per random character
Usability               | Very high                     | Low
Error-prone             | Less                          | More (symbols)

When to Use a Passphrase

  • Master passwords for password managers
  • Cryptocurrency wallets: a BIP39 seed phrase is generated by the wallet from raw random entropy plus a checksum, so never assemble one by hand; the optional extra BIP39 passphrase that extends a seed is where a user-chosen passphrase belongs
  • Full-disk encryption passwords
  • SSH key passphrases
  • Any account where you need to type the password from memory

For accounts where a password manager autofills the credential, a long random character password (20 or more characters) is fine, and packs more entropy per character, since you never need to type or remember it.