correct horse battery staple beats Tr0ub4dor&3. That's not an opinion — it's the math. Here's how passphrases and random passwords compare, and when each one wins.
The math, side by side
Entropy in bits is log₂ of the number of equally likely possibilities. The figures below assume the attacker knows the scheme (the wordlist, the character set, the template) and only the actual choices are secret:
- "Tr0ub4dor&3" — 11 chars, mixed case plus a symbol. Looks strong, and a naive character-class calculator would report log₂(95¹¹) ≈ 72 bits. But it follows a predictable template (dictionary word + leet substitutions + trailing digit and symbol), so an attacker who guesses the template only has to cover the product of those choices. Realistic entropy: ~28 bits.
- 12-char random mixed+symbol, each character drawn uniformly from the 95 printable ASCII characters — log₂(95¹²) ≈ 79 bits. Strong.
- "correct horse battery staple" — 4 words drawn uniformly from a 7,776-word list = log₂(7776⁴) ≈ 52 bits. Solid.
- 6-word passphrase — log₂(7776⁶) ≈ 78 bits. Matches the 12-char random password, and is far more memorable.
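The comparison above worked through in code. This is an added example, not part of the original article: it computes the uniform-choice entropies, converts a bit target into a word count, and contrasts the naive character-class estimate for "Tr0ub4dor&3" with a template-aware estimate. The template parameters (a 65,536-word attacker dictionary, 16 leet variants, 10 trailing digits, 32 trailing symbols) are assumptions chosen to illustrate the ~28-bit figure, not measurements.

```python
import math

WORDLIST_SIZE = 7776      # EFF large wordlist: 6^5 entries, one per five-dice roll
PRINTABLE_ASCII = 95      # 26 lower + 26 upper + 10 digits + 33 symbols/space


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` independent, uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def words_to_match(bits, list_size=WORDLIST_SIZE):
    """Smallest number of wordlist words whose combined entropy is at least `bits`."""
    return math.ceil(bits / math.log2(list_size))


def naive_charset_size(password):
    """Pool size a naive strength meter assumes from the character classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return pool


def naive_entropy(password):
    """charset^length: the number a typical online 'password strength' widget reports."""
    return entropy_bits(naive_charset_size(password), len(password))


def template_entropy(dictionary_size, substitution_variants, trailing_digits, trailing_symbols):
    """Entropy once the attacker knows the template (word + leet + digit + symbol).

    The search space is the product of the choices the human actually made,
    not charset^length. All four parameters are attacker-model assumptions.
    """
    return math.log2(dictionary_size * substitution_variants * trailing_digits * trailing_symbols)


if __name__ == "__main__":
    print(f"12 random printable chars : {entropy_bits(PRINTABLE_ASCII, 12):.1f} bits")
    print(f"4 diceware words          : {entropy_bits(WORDLIST_SIZE, 4):.1f} bits")
    print(f"6 diceware words          : {entropy_bits(WORDLIST_SIZE, 6):.1f} bits")
    print(f"words needed for 128 bits : {words_to_match(128)}")
    # Naive meter versus template-aware estimate for the XKCD example.
    print(f"Tr0ub4dor&3 naive         : {naive_entropy('Tr0ub4dor&3'):.1f} bits")
    print(f"Tr0ub4dor&3 template      : {template_entropy(65536, 16, 10, 32):.1f} bits")
    # The naive meter also overestimates the passphrase, because it sees 28 characters
    # from a 59-symbol pool instead of 4 choices from a 7,776-word list.
    print(f"passphrase naive          : {naive_entropy('correct horse battery staple'):.1f} bits")
```

The point of `template_entropy` is that a strength meter which only counts character classes is wrong in both directions: it reports ~72 bits for a password that is really ~28, and ~165 bits for a passphrase that is really ~52. Only the model of how the secret was chosen gives a usable number.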
Why passphrases work
Human memory evolved for language, not random strings. Remembering "whale cactus mountain velvet" is far easier than remembering "Xj#9kLm2$wP7". Four words from a 7,776-word list give ~52 bits; two more words bring it to ~78 bits, matching the 12-character random string.
The caveat: the words must be chosen at random, not by you. "my favorite pizza is pepperoni" is not a passphrase, it's a Google search, and a phrase you assemble yourself from list words is not much better, because human choices are predictable. Use a dice-based method (EFF's large wordlist is keyed to five dice rolls for exactly this purpose) or a cryptographically secure random generator such as the operating system's CSPRNG. The wordlist itself is public and the attacker is assumed to have it; the entropy lives entirely in which words the dice picked.
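The dice-based method in code. This is an added example, not code from the original article or from EFF: it parses EFF's wordlist file format (one `<five dice digits><tab><word>` entry per line), rolls dice with Python's `secrets` module (the OS CSPRNG, never `random`), and looks each roll up in the table. The embedded wordlist is a constructed eight-line stub in that format so the block runs offline; the file name `eff_large_wordlist.txt` in the usage section is an assumed local path.

```python
import math
import os
import secrets

# Constructed sample in the EFF large-wordlist file format: "<five dice rolls>\t<word>".
# The real file has 7,776 lines keyed 11111 through 66666; this stub only makes the
# block runnable offline, so a passphrase drawn from it carries log2(8) = 3 bits per word.
SAMPLE_WORDLIST = "\n".join([
    "11111\tabacus", "11112\tabdomen", "11113\tabdominal", "11114\tabide",
    "11115\tabiding", "11116\tability", "11121\table", "11122\tabnormal",
])


def parse_diceware(text):
    """Parse the dice-keyed format into {roll_key: word}, rejecting malformed keys."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, word = line.partition("\t")
        if not sep or len(key) != 5 or any(ch not in "123456" for ch in key):
            raise ValueError(f"line {lineno}: bad dice key {key!r}")
        if key in table:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        table[key] = word.strip()
    return table


def roll_dice(count=5):
    """`count` fair dice from the OS CSPRNG. secrets.randbelow is unbiased; random.* is not a CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def generate_passphrase(table, words=6, separator=" "):
    """Roll five dice per word and look the roll up, exactly as with physical dice.

    With the full 7,776-entry list every roll hits. With a partial table we simply
    reroll on a miss (rejection sampling), which keeps every word equally likely.
    Never fold a miss onto the list with modulo: that makes some words likelier
    than others and silently lowers the entropy below words * log2(len(table)).
    """
    if not table:
        raise ValueError("empty wordlist")
    if words < 1:
        raise ValueError("need at least one word")
    chosen = []
    while len(chosen) < words:
        key = roll_dice()
        if key in table:
            chosen.append(table[key])
    return separator.join(chosen), words * math.log2(len(table))


if __name__ == "__main__":
    path = "eff_large_wordlist.txt"   # assumed location of the real EFF file
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            table = parse_diceware(fh.read())
    else:
        table = parse_diceware(SAMPLE_WORDLIST)
    phrase, bits = generate_passphrase(table, words=6)
    print(f"{phrase}  ({bits:.1f} bits from a {len(table)}-word list)")
```

With the real file the generator reports ~77.5 bits for six words; with the stub it honestly reports 18, because the entropy comes from the size of the list the dice selected from, not from how long the words are.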
When random wins
When you're using a password manager, which you should be for everyday accounts, random 16+ character passwords are strictly better. You never have to remember them, each character carries more entropy (log₂ 95 ≈ 6.6 bits, against ~4.7 bits for a lowercase letter), and because every site gets its own, one breached service cannot be replayed against the rest.
When passphrases win
For the one password you have to memorize: your password manager master, your laptop login, your encrypted backup key. A 6-word passphrase (~78 bits) is beyond any realistic offline guessing attack, particularly behind a slow key-derivation function such as Argon2 or PBKDF2, and it is short enough to type reliably. This is the password worth investing in, and the one that must never be reused anywhere else.