How many words should I use in a passphrase?

How many words should I use for a “good” passphrase? How many for a “very secure” one?

Is there a website to compare the strength of a password and a passphrase?

I didn’t find any resource on this subject, so I hope this post will help me and others in the future who are looking for an answer.

Thanks!

Welcome to the forum!

If this is for your Bitwarden master password, 4 words would be the absolute minimum (if you are really having trouble with longer passphrases). Using 5 words is sufficiently secure, and you can use 6 or more if you are a high-value target or if you tend to worry a lot about your vault security.

The strength of a passphrase is roughly equivalent to the strength of a random character string in which the number of characters is double the number of words in the passphrase (e.g., a 12-character random password and a 6-word random passphrase are roughly equivalent in strength).
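The “double the number of words” rule of thumb above can be checked directly from the entropy arithmetic. The following is an added example written for this thread, not code from Bitwarden or from the poster: it assumes a 7,776-word list (the size of an EFF-style diceware list, which is an assumption about the generator) and a 95-symbol printable-ASCII alphabet for the random password, and it includes a tiny constructed wordlist only so that the generator runs offline.

```python
import math
import secrets

# Constructed sample wordlist for the demo only; a real generator draws from a
# list of thousands of words, so the strength estimate takes the list size as a
# parameter rather than using len(SAMPLE_WORDS).
SAMPLE_WORDS = ["oink", "verbally", "matching", "conductor",
                "harbor", "velvet", "quartz", "meadow"]

SECONDS_PER_YEAR = 365.25 * 86400


def passphrase_bits(num_words, wordlist_size=7776):
    """Entropy (bits) of num_words words chosen uniformly, with replacement,
    from a list of wordlist_size entries. Assumes the attacker knows the list."""
    return num_words * math.log2(wordlist_size)


def password_bits(num_chars, alphabet_size=95):
    """Entropy (bits) of num_chars symbols chosen uniformly from an alphabet of
    alphabet_size symbols (95 = printable ASCII, 62 = letters and digits)."""
    return num_chars * math.log2(alphabet_size)


def equivalent_password_length(num_words, wordlist_size=7776, alphabet_size=95):
    """Shortest random-character password whose entropy is at least that of
    the passphrase; this is where the 'twice the word count' heuristic comes from."""
    bits = passphrase_bits(num_words, wordlist_size)
    return math.ceil(bits / math.log2(alphabet_size))


def expected_crack_years(bits, guesses_per_second):
    """Years to reach the expected (half-keyspace) guess at a given guess rate.
    The rate is an assumption about the attacker and the KDF cost, not a fact
    about any particular product."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(num_words, words=SAMPLE_WORDS, separator="-"):
    """Pick words with the CSPRNG in `secrets`; random.choice is not suitable."""
    return separator.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} words: {passphrase_bits(n):.1f} bits "
              f"~ {equivalent_password_length(n)} random printable characters")
    print("sample:", generate_passphrase(4))
```

With these assumptions a 6-word passphrase comes to about 77.5 bits and a 12-character printable-ASCII password to about 78.8 bits, which is why the two are treated as roughly equivalent; against a 62-symbol alphabet the equivalent length is a little longer. The crack-time estimate is only as good as the guess-rate assumption, which is why a slow KDF matters as much as the password itself.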

Hey @iTrooz, feel free to check out Password Strength Testing Tool | Bitwarden and Strong Password Generator | Bitwarden

@dwbit With due respect, the zxcvbn strength testing tool (which is what Bitwarden is using) often produces misleading results. I would not recommend it.

For anybody looking for a tool to evaluate master password strength, I would recommend this one:

Hey! I’ve come across this tool, but it doesn’t make any mention of passphrases. Will it automatically detect and treat passphrases as such?

It indeed was more what I was looking for, thank you !

Thanks for the feedback all, passed along to the team :+1:

Just to add my 2¢ here as well.
I think the Bitwarden password testing tool is a good way to get a rough idea of password strength, and the online password generator is good for creating easily typeable passphrases.

My personal favorite, though, would be the Readable Passphrase JS Demo, which runs JS locally in your browser, so everything is generated locally, similar to the Bitwarden password generator. Nothing is ever sent out from your computer past the page loading, and you can even disable your WiFi and network connections and still create passphrases.

This tool, though, can provide several variations of somewhat grammatically correct passphrases in the form of sentences, which IMHO is a big plus.
Some words may still need to be changed around or swapped to make it more coherent and easier for you to memorize, but I find that it acts as a great and easy baseline for both me and anyone I bring on to Bitwarden to assist in creating their Master Password.

Don’t forget to enable 2FA and create a recovery kit as well :wink:

I disagree.
Excessive requirements for passwords do not create strong passwords, but encourage poor data security practices. If a requirement is too stringent for a user to remember, then they are likely to write it down making it more vulnerable than a “weaker” one, that can be more easily remembered. The strength metric only assesses its strength from a cryptographic perspective and does not take social factors into account.

Unclear what/who in this thread you are disagreeing with. No one has proposed any “excessive requirements” that are “too stringent for a user to remember”.

If you have been able to remember the mailing addresses for your home and work, or the first and last names of the three most recent US Presidents, surely you will be able (with a little bit of practice) to commit to memory just four words — e.g., oink, verbally, matching, and conductor (as an example of a passphrase generated by Bitwarden’s passphrase generator)? The use of passphrases (as opposed to passwords that consist of a sequence of random characters) is precisely for the purpose of aiding memorization.

And if you’re really struggling with memory issues, then writing down a strong master password is less of a security risk than memorizing a weak master password. The vast majority of password cracking attempts are so-called credential stuffing attacks, in which attackers use information obtained from past breaches and leaks; thus, if your LinkedIn password was linkedinMyD0gFluffySm311z!, then your Bitwarden account will be pwned in no time if you have used bitwardenMyD0gFluffySm311z! as your master password. On the other hand, if your master password (weak or strong) is unique and does not resemble any passwords that you have used elsewhere, then the biggest risk to your vault is if a future attacker is able to breach Bitwarden’s servers and either steal their databases or intercept incoming authentication data as users log in; in such a scenario, having a weak master password that you were able to memorize creates a significant risk of having your vault cracked, but having a strong master password that is written down in a safe location in your home will successfully prevent your vault from being compromised.
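The post above rests on the master password not resembling anything used elsewhere; the LinkedIn/Bitwarden pair it gives differs only in the site-name prefix. The following is an added example, not code from the poster or from Bitwarden, showing one simple way to catch that kind of reuse: flag any candidate that shares a long case-insensitive substring with a known-leaked password. The leaked list is constructed for the demo (in practice it would come from a breach corpus), and the 8-character threshold is an assumption.

```python
# Constructed stand-ins for passwords an attacker would harvest from leaks.
LEAKED_PASSWORDS = [
    "linkedinMyD0gFluffySm311z!",
    "Summer2019!",
    "qwerty123",
]


def longest_common_substring(a, b):
    """Length of the longest run of characters shared by a and b
    (classic dynamic-programming table, kept to two rows of memory)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best = cur[j]
        prev = cur
    return best


def resembles_leaked(candidate, leaked=LEAKED_PASSWORDS, min_shared=8):
    """Return the first leaked password that shares at least min_shared
    consecutive characters with the candidate (case-insensitive), else None.
    Prefix/suffix tweaks such as a site name or a bumped year leave a long
    shared run, which is exactly what credential-stuffing variant rules try."""
    lowered = candidate.lower()
    for leaked_pw in leaked:
        if longest_common_substring(lowered, leaked_pw.lower()) >= min_shared:
            return leaked_pw
    return None


if __name__ == "__main__":
    for pw in ("bitwardenMyD0gFluffySm311z!", "Summer2020!",
               "oink-verbally-matching-conductor"):
        hit = resembles_leaked(pw)
        print(f"{pw!r}: {'resembles ' + repr(hit) if hit else 'no match'}")
```

A freshly generated passphrase such as the four-word example earlier in the thread shares nothing of length with the leaked entries, while the site-prefixed variant and a year-bumped “Summer2020!” are both flagged. This is a coarse heuristic, not a substitute for checking against a real breach corpus, but it makes the “unique and does not resemble” condition testable.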