Return default Passphrase length to 3 words or allow users to select fewer than 6

This discussion came about because Bitwarden changed the minimum on passphrases so it was not aligned with the password minimum. The following are similarly strong, at ~13 bits of entropy:

  • 1 word “diceware” passphrase (dictionary size 7776)
  • 2 character password (95 “printable ascii characters”)
  • 3 letter password (26 letters)
  • 4 digit PIN.

So, it really seems odd that they would raise the passphrase minimum to 6 words, but continue to allow 5 character passwords.

Why the change to the minimum? I’m guessing it is because there is not an industry-standard for how strong a password must be so the answer will vary based on who one listens to at the moment. Here are a few assorted (and sorted 🙂) opinions, presuming “characters” as defined above:

  • 53 bits – NIST 2017 “SHALL be at least 8 characters in length”
  • 53 bits – UK Govt. “minimum length of at least 8 characters”
  • 53 bits – Apple “strong password … eight or more characters”
  • 53 bits – Microsoft “we recommend keeping a reasonable eight-character minimum”
  • 53 or 99 bits – NIST 2024 draft “SHALL … minimum of eight … SHOULD minimum of 15 characters”
  • 78 bits – EFF “minimum of six [diceware] words”
  • 79 bits – Bitwarden “Master passwords … must be at least 12 characters”
  • 92 bits – Microsoft “Maintain an fourteen-character minimum” (same doc as above).
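As an added illustration (not part of the original post), here is the arithmetic behind both lists above, assuming each symbol is chosen uniformly at random from a 95-character printable ASCII set or a 7776-word diceware dictionary. It also converts a character minimum into the smallest diceware word count of at least equal strength, and vice versa.

```python
import math

PRINTABLE_ASCII = 95   # printable ASCII characters, as used in the post
DICEWARE_WORDS = 7776  # diceware dictionary size (6^5)
LETTERS = 26
DIGITS = 10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def symbols_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest symbol count whose entropy meets or exceeds `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def words_for_char_minimum(char_minimum: int) -> int:
    """Diceware words needed to match a `char_minimum`-character password policy."""
    return symbols_for_bits(entropy_bits(PRINTABLE_ASCII, char_minimum), DICEWARE_WORDS)


def chars_for_word_minimum(word_minimum: int) -> int:
    """Characters needed to match a `word_minimum`-word diceware passphrase policy."""
    return symbols_for_bits(entropy_bits(DICEWARE_WORDS, word_minimum), PRINTABLE_ASCII)


def policy_table() -> list[tuple[str, int]]:
    """The policies quoted in the post, each with its rounded entropy in bits."""
    policies = [
        ("1 diceware word", DICEWARE_WORDS, 1),
        ("2 printable characters", PRINTABLE_ASCII, 2),
        ("3 letters", LETTERS, 3),
        ("4 digits", DIGITS, 4),
        ("8 characters (NIST 2017, UK, Apple, Microsoft)", PRINTABLE_ASCII, 8),
        ("15 characters (NIST 2024 draft SHOULD)", PRINTABLE_ASCII, 15),
        ("6 diceware words (EFF)", DICEWARE_WORDS, 6),
        ("12 characters (Bitwarden master password)", PRINTABLE_ASCII, 12),
        ("14 characters (Microsoft)", PRINTABLE_ASCII, 14),
    ]
    return [(name, round(entropy_bits(size, n))) for name, size, n in policies]


if __name__ == "__main__":
    for name, bits in policy_table():
        print(f"{bits:3d} bits - {name}")
    # A 5-character generator minimum is matched by 3 diceware words, not 6.
    print("5 chars ->", words_for_char_minimum(5), "words")
    print("6 words ->", chars_for_word_minimum(6), "chars")
```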

On top of that, there is the question of why a generator would have mandatory minimums, given that less-than-recommended is generally accepted when other mitigations are present. Weak passwords can be OK when more “expensive” encryption is being used, and when additional authentication factors are used. The prototypical example being 4-digit PINs used in conjunction with physical debit/credit cards.