Questions about Passphrases

Hello,

I have had a few older-generation people asking me about security and passwords. Given their age and memory, they wanted to know how to have a good password.

Is it a good idea to have a sentence or passphrase without any spacing and then add some numbers, etc.?

When it comes to testing passwords, how good are the testers at predicting how strong they are?

And how good and safe are online passphrase generators like Bitwarden's?

Thanks

Passphrases generated randomly by Bitwarden are excellent for security and more memorable than any sufficiently long random string. There should be no need to add numbers or other frills to them.

However, there remain questions around the requirement. A passphrase securing a password manager which itself contains random string passwords is the optimal solution. If the users do not have a password manager then no-one is remembering a lot of passphrases (assuming web sites accept them), so re-use will be rampant. I assume you are asking about the first scenario, a password manager.

As you will find discussed here in a few places, testers make assumptions which may be unwarranted. The question is not the password but the generator. Bitwarden’s generators provide the entropy, the strength, when you use recommended phrase or string lengths.

1 Like

@Mulled7768 Thanks.

Yes, I’m referring to password managers. I’m suggesting they use the Bitwarden password manager, but they are a bit wary of using a generator for their master password.

Also, what’s the minimum number of words for a passphrase? I myself use 6; I’m sure I read that using 4 is fine?

Yes, four words are fine given good hashing. 600,000 KDF iterations meet the standard, though I personally prefer argon2, which is excellent at its default settings. It appears the main attack vectors remain phishing and various forms of what we used to call confidence tricks, not breaking decent passwords.

1 Like

If your passphrase is randomly generated, and if you have a sufficient number of words, there is no real benefit of adding numbers or special characters — and doing so makes the master password harder to memorize. Likewise, removing spaces creates disadvantages, and is not encouraged.

It is impossible to test a password that has already been created. However, if you use a random password/passphrase generator (like the one in Bitwarden), then the strength can be accurately estimated based on the generator settings. For example, with Bitwarden’s passphrase generator (and similar random passphrase generators), the password entropy (a measure of strength) increases by about 13 bits with each added word. Generally, for a Bitwarden master password, 50 bits of entropy is sufficient for protection, and you can achieve this with a random 4-word passphrase.

If you’re going to use Bitwarden’s generator, you should use the one that can be found inside each Bitwarden app or browser extension (because their online generator webpage includes 3rd-party trackers).

Among the available online password generators, I generally recommend a site called The Little Password Helper. For maximum security, save the webpage as a local .html file, then close your browser, disconnect from the internet, and open the locally saved .html file to generate your master password.

Unless they have medical issues that affect their memory or ability to process language, they should be able to memorize 4 random words — with a little bit of practice. I am sure that if they were presented with 4 grandchildren, they would be able to learn the four names. It does take some work — I would recommend starting with writing down the master password on an Emergency Sheet, which they can use as a “cheat sheet” until they have memorized the vault password. Start by memorizing one word, and typing it into the login form without looking at the cheat sheet (if possible); once they can recall the first word with ease, work on memorizing the second word in the same manner. After the password has been memorized, store the Emergency Sheet in a secure location (as a backup for the inevitable memory lapse).

It is also possible to use mnemonic techniques to assist with passphrase memorization. Typically, this would start with envisioning a scene or a story that has been constructed using the passphrase words. For example, I just used Bitwarden’s generator to randomly produce the words aqua much swan jingle; so I might imagine a scene consisting of an aqua-colored lake overfilled with swans, and an ice-cream truck playing its jingle. This will make it easier to memorize the words in the passphrase.

2 Likes

Thanks @grb. What you have said will help them a lot. I always thought websites that had a generator had some kind of tracking cookies that could be copied easily.

Yes, you are right, it will be easier to remember without all the added fancy bits.

1 Like

When it comes to “password science”, we have learned that length is much more important than complexity. Adding more letters at the end does much more good than adding weird punctuation in the middle. And, bonus, it just happens to make it easier to remember. This is why passphrases (as opposed to passwords) have become all the rage. We have also learned that people are really bad at making good passwords/phrases, which is why we tend to recommend generators.

Use whatever word separators you want (spaces are OK), or even none at all. With passphrases, choice of separator does not matter because you already have the length.

Not much else matters if passwords are random, long (4 words is enough for master passwords; 6 for everything else), and unique (different password for each site).

You also want to keep your eye on the prize. The most important thing is to get them using a password manager. Having an easy to use/remember master password is huge in meeting this goal, as is getting them loving auto-fill. Things like unique passwords-per-site can wait until they are comfortable with the password manager itself.

Finally, make sure they create an emergency sheet and keep a copy locked safely away with their will and/or with a trusted family/friend.

2 Likes

@DenBesten Thanks

Actually, I myself can’t get over how 8-letter words ×4 is better; when separated it looks too short. But it actually works.

Thank you all for sharing your knowledge, this is all going to help me explain to others and make it easier for them 👍

“Is better” than what?

Random passphrases make strong passwords, because there are so many possible combinations. Typically, each word is chosen from a list of 7776 possibilities. Thus, for each of the 7776 possible words that could be the first word in your passphrase, there are 7776 words that could be the second word; this gives 7776×7776 = 60,466,176 possible word pairs. In the same way, there are also 60,466,176 possible word pairs to make up the 3rd and 4th word in your passphrase. And because each word selection is random (independent of other words in the passphrase), for each of the 60+ million possible word pairs used in the first half of a 4-word passphrase, there are also 60+ million possible word pairs that could appear in the second half of the passphrase; this makes the total number of possible 4-word passphrases equal to 60+ million × 60+ million = almost 4 quadrillion!

Even if a hacker could test a million password guesses every second, it would take over a century to go through all 4 quadrillion possible passphrase combinations.

1 Like

I meant that passphrases are better than the old traditional passwords we were all used to using and would forget, and which probably weren’t strong enough.

1 Like

Glad we could help. One thing that helped me understand “what matters” is messing around with these password and passphrase generators because they display the “entropy” (strength) associated with a given strategy. Ultimately, you will find that these passwords are equally good (~64 bits of entropy):

  • 7C}oqm662<| (11 complex)
  • pjvauwcjtrtzsw (14 lower)
  • Envelope Doodle Tavern Geek Pouring (5 diceware)

If you want to delve into the science/math/psychology of passwords, explore both Password Bits and Diceware. Both websites have very good information presented in an approachable manner.

A surprising detail is that even though Master Passwords are particularly important, it is OK for them to be weaker (that is, have fewer bits of entropy) than most other passwords. This is because they use an intentionally inefficient stretcher which makes each guess more expensive (time-wise) for an attacker.

2 Likes
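The arithmetic from the two posts above (7776 words per pick, about 13 bits per word, the "almost 4 quadrillion" 4-word space and the century-plus search at a million guesses per second, the three ~64-bit strategies, and the KDF stretching that lets a master password get by with fewer bits) worked out in one short script. This is an added example, not Bitwarden's or any poster's code; the 95-character printable-ASCII alphabet assumed for the "11 complex" entry is mine, and because the poster's generator evidently scored against a smaller alphabet, that line comes out above 64 bits, which illustrates the thread's point that strength is a property of the generator's alphabet and length, not of how the string looks.

```python
import math

# Parameters named in the thread plus one labelled assumption of my own.
DICEWARE_WORDS = 7776          # word-list size from the thread (6^5)
LOWERCASE = 26
PRINTABLE_ASCII = 95           # assumption: alphabet a "complex" generator draws from
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely outputs a uniform generator can produce."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniform random selection (log2 of the search space)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def effective_bits(entropy: float, kdf_iterations: int) -> float:
    """Entropy plus the extra work a slow KDF imposes on each guess.

    Every guess costs kdf_iterations hash evaluations instead of one, which is
    the same burden on the attacker as log2(kdf_iterations) more bits of keyspace.
    """
    return entropy + math.log2(kdf_iterations)


if __name__ == "__main__":
    four_words = search_space(DICEWARE_WORDS, 4)
    bits4 = entropy_bits(DICEWARE_WORDS, 4)
    print(f"4-word passphrases: {four_words:,} ({bits4:.1f} bits)")
    print(f"  exhaustive search at 1e6 guesses/s: {years_to_exhaust(four_words, 1e6):.0f} years")
    print(f"  with 600,000 KDF iterations: {effective_bits(bits4, 600_000):.1f} effective bits")
    for label, size, length in [("11 complex", PRINTABLE_ASCII, 11),
                                ("14 lower", LOWERCASE, 14),
                                ("5 diceware", DICEWARE_WORDS, 5)]:
        print(f"{label:12s}: {entropy_bits(size, length):.1f} bits")
```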

I had come across Diceware while doing a bit of searching, this will definitely keep me busy as I do like looking into these things👍