7 word diceware passphrase, 18 characters of random letters and numbers, 90 bits of entropy, etc are considered secure against any brute force attack. But should we really recommend everyone to use passwords that long? I don’t think so. But right now, we do: We recommend securing your password ma…

I use Bitwarden’s Password Strength Testing Tool Password Tester | Test Your Password Strength | Bitwarden to see if my passphrase is strong enough. I found just two or three words, spelt incorrectly, is strong enough. I can imagine how annoying it would be to type 7 words that I can’t see (passwor…

[image] anon85295620: I can imagine how annoying it would be to type 7 words that I can’t see (password entries are typically hidden, but can be shown) on a phone keyboard. Now, I have to stop and examine those words for misspelling. If I forget and hit enter and it’s wrong, all 7 words need to …

[image] moonwriting: However, for most sites, we don’t know how they implement these things, and thus, using a 7-word passphrase could still be justified. Well, you only need them for a password manager, your devices, encryption, etc. For registration on sites and everywhere else, generating …

[image] anon28734771: We should educate the reader to allow them to generate a passphrase that suits their threat model, instead of just making them use passphrases that can’t be brute forced by anyone in the current day of age. My only issue with this is that “threat model” is completely sub…

[image] anon85295620: I found just two or three words, spelt incorrectly, is strong enough. This is not a safe practice. The password strength testers are good at testing randomly generated passwords, not so good at estimating the strength of non-random passwords like this. Things like misspe…

[image] anon28734771: But should we really recommend everyone to use passwords that long? Meeting the minimum standard for password security is not a matter of threat modeling. There are some universal threats on the internet by virtue of being connected to everybody on Earth, and I don’t thi…

[image] xe3: This indicates to me that you are may be thinking about passwords in an unsafe way. Because almost no human can remember a 50 character randomly generated password Sorry I meant for those examples to be examples of “rules of thumb” not as anything someone should use as a guidelin…

If I need password I should remember without pass manager, I use 3-5 words in 2-4 different languages, plus number and at least one capital letter

For anyone interested in the math, here is the basic formula for measuring a password/phrase’s entropy: Entropy = log2(Rᴸ) (where R = the characterset or wordlist (e.g. 26 for just lowercase letters, 95 for all symbols on a keyboard, or 7776 for bitwarden’s wordlist and L = length of characters or…

Elaborate more on passphrase length and strength

Site Development Guide Suggestions

moonwriting December 12, 2023, 11:25am 5

It depends on what you are securing. For example, we know that Bitwarden uses either PBKDF2 or Argon2, which means that you can safely use even a 4-word passphrase as the calculator by Passwordbits demonstrates.

However, for most sites, we don’t know how they implement these things, and thus, using a 7-word passphrase could still be justified. But for most sites, you should probably just use a randomly generated password instead if you never have to type it out yourself.

Topic		Replies	Views
Password entropy Questions please-eli5	2	320	April 9, 2026
Where should I not use a passphrase? Questions	2	862	September 30, 2022
Reasonable passphrase length? General	1	368	November 30, 2024
Explicitly mention to use no less than 4 words when making a random passphrase, in the Intro to Passwords article Site Development completed	21	1340	May 20, 2025
StrongPhrase.net Tool Suggestions	13	830	May 7, 2025

Elaborate more on passphrase length and strength

Related topics